
Remove these newly discovered malicious apps from your Android device

This week, research group Zscaler reported that it had discovered over 90 malicious Android apps available on the Play Store. The apps were installed more than 5.5 million times in total, many of which were part of the ongoing Anatsa malware campaign that targeted more than 650 apps associated with financial institutions.

As of February 2024, Anatsa had infected at least 150,000 devices through several decoy apps, many of which are marketed as productivity software. While we don’t know the identities of most of the apps involved in this latest attack, we do know about two: “PDF Reader and File Manager” and “QR Reader and File Manager”. At the time of Zscaler’s investigation, the two apps had accumulated a combined total of over 70,000 installs.

How these malicious apps infect your phone

Despite Google’s review process for apps published on the Play Store, malware campaigns like Anatsa are sneaky and can use a multi-step payload mechanism to evade these checks. In other words, the application looks legitimate during review and only begins stealthily infecting users after it has been installed on the user’s device.

You may think you are downloading a PDF reader, but once installed and opened, the “dropper” application connects to its C2 server and downloads the configuration and strings it needs. It then downloads a DEX file containing the malicious code and activates it on your device. From there, the Anatsa payload URL is retrieved via a configuration file, and this DEX file installs the malware payload, which completes the infection of your phone.

Fortunately, all identified apps have been removed from the Play Store and their creators have been blocked. However, this will not remove the apps from your smartphone if you have already downloaded them. If you have either of these two apps on your phone, uninstall them immediately. You should also change the passwords for any banking apps you may have used on your phone, to prevent the threat actors behind Anatsa from accessing your accounts.

How to avoid malicious applications

While attacks by malicious developers can be difficult to spot, there are a few tips you can use to check whether an app on the Play Store is legitimate. The first is to pay close attention to the app listing: look at its name, description and images. Does everything match the service the developers advertise? Is the copy well written, or is it full of errors? The less professional the listing looks, the more likely it is to be fake.

Only download apps from publishers you can trust. This is especially true if you download a popular app, as malware sometimes impersonates popular apps on phones and other devices. Double-check the app developer to make sure they are who they say they are.

You should also check the requirements and permissions the app asks for. As a rule, anything that asks for accessibility service access should be avoided, as this is one of the main ways malware groups bypass the security protections built into many newer devices. Other permissions worth watching for are access to your contact list and your text messages. If a PDF reader wants your contacts, that’s a big red flag.
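The permission check above can be done in bulk rather than app by app. The script below is an added example, not code from the article or from Zscaler: it pulls the requested permissions of every installed package and the list of enabled accessibility services from an attached device over adb (`dumpsys package` and `settings get secure enabled_accessibility_services` are real adb shell commands), then reports any package that holds an enabled accessibility service or requests SMS, contacts, or package-installation permissions. When adb is not available it runs against a constructed sample of that output; the package names in the sample are hypothetical and are not the apps named in the article.

```python
"""Audit the apps on an Android device for the permission red flags discussed
above: an enabled accessibility service, and access to SMS or contacts (plus
the ability to install other packages, which a dropper needs). Runs against a
real device when adb is on PATH, otherwise against the constructed sample below."""
import re
import shutil
import subprocess

# Permissions worth a second look on an app that claims to be a PDF or QR reader.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other packages",
}

# Constructed sample mimicking the shape of `adb shell dumpsys package`.
# Package names are hypothetical, not the apps named in the article.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.pdfutil] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.READ_CONTACTS
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""
# Constructed sample of `settings get secure enabled_accessibility_services`.
SAMPLE_ACCESSIBILITY = "com.example.pdfutil/com.example.pdfutil.HelperService"


def parse_requested_permissions(dumpsys_text):
    """Map each package in dumpsys output to the set of permissions it requests."""
    result, current, in_requested = {}, None, False
    for line in dumpsys_text.splitlines():
        match = re.match(r"\s*Package \[([\w.]+)\]", line)
        if match:
            current, in_requested = match.group(1), False
            result[current] = set()
            continue
        stripped = line.strip()
        if current is None or not stripped:
            continue
        if stripped == "requested permissions:":
            in_requested = True
        elif stripped.endswith(":"):
            in_requested = False  # another section, e.g. "install permissions:"
        elif in_requested:
            # Newer builds may annotate a line ("perm: restricted=true"); keep the name.
            result[current].add(stripped.split(":")[0])
    return result


def parse_accessibility_services(setting_value):
    """Return the packages that have an enabled accessibility service."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting_value.strip().split(":") if entry}


def audit(dumpsys_text, accessibility_setting):
    """Return {package: [findings]} for every package with at least one red flag."""
    accessibility = parse_accessibility_services(accessibility_setting)
    findings = {}
    for package, perms in parse_requested_permissions(dumpsys_text).items():
        flags = ["enabled accessibility service"] if package in accessibility else []
        flags += [RISKY_PERMISSIONS[p] for p in sorted(perms) if p in RISKY_PERMISSIONS]
        if flags:
            findings[package] = flags
    return findings


def adb_shell(command):
    """Run one command on the attached device and return its stdout."""
    return subprocess.run(["adb", "shell", command], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    if shutil.which("adb"):
        dumpsys = adb_shell("dumpsys package")
        enabled = adb_shell("settings get secure enabled_accessibility_services")
    else:
        dumpsys, enabled = SAMPLE_DUMPSYS, SAMPLE_ACCESSIBILITY
    for package, flags in audit(dumpsys, enabled).items():
        print(f"{package}: {', '.join(flags)}")
```

A hit is a prompt to look closer, not proof of malware: a messaging app legitimately requests SMS access, and screen readers legitimately run as accessibility services. The question to ask is the one from the text, whether the permission fits what the app claims to do.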

Also read app reviews. Be wary of apps that don’t have many ratings or those whose reviews all seem suspiciously positive.

The app’s support email address can also be telling. Many malicious apps list a random Gmail account (or other free email account) as their support address. While not every app will have a professional support email address listed, you can usually tell whether something is off from the information the developer provides.

Unfortunately, there is no surefire way to avoid malicious apps short of not installing apps at all. However, if you’re mindful of the apps you install and pay attention to the permissions, the developer, and the other details above, you can usually tell when an app is sketchy.