
Over 90 malicious Android apps have been found on Google Play, supplying malware and adware to millions

Security researchers have identified over 90 malicious Android apps on Google Play that together have been downloaded over 5.5 million times. These applications deliver various types of malware and adware, with the well-known Anatsa banking Trojan showing a significant increase in activity.

The rise of Anatsa

Anatsa, also known as “Teabot”, is a banking Trojan that targets over 650 applications of financial institutions in Europe, the United States, the United Kingdom and Asia. The main goal of this Trojan is to steal online banking credentials, allowing cybercriminals to conduct fraudulent transactions. According to the Threat Fabric report, by the end of 2023 Anatsa had infected at least 150,000 devices via Google Play using various decoy apps.

Recent increase in Anatsa activity

In February 2024, security researchers at Zscaler reported that Anatsa had returned to the official Google app store. This time it was distributed through two decoy applications: “PDF Reader and File Manager” and “QR Reader and File Manager”. At the time of analysis, these apps had already been installed 70,000 times, highlighting the ongoing risk of malicious droppers bypassing Google’s review process.

Anatsa’s evasion tactics

Anatsa dropper apps use a sophisticated, multi-step payload loading mechanism, which makes it difficult to detect. This process consists of four key steps:

1. Configuration download: The dropper application downloads the configuration and necessary strings from the command and control server (C2).
2. DEX file activation: A DEX file containing malicious dropper code is downloaded and activated on the device.
3. Payload URL configuration: A configuration file with the Anatsa payload URL is downloaded.
4. Installation of malware: The DEX file downloads and installs the malware payload (APK), completing the infection.

The DEX file also performs anti-analysis checks to ensure that the malware is not running in a sandbox or emulated environment. Once launched, Anatsa uploads the bot configuration and application scan results, and then downloads injections matching the victim’s location and profile.

Other threats on Google Play

In addition to Anatsa, Zscaler’s research has uncovered over 90 other malicious apps on Google Play over the past few months. These apps, which had a total of 5.5 million downloads, often posed as tools, personalization apps, photography tools, productivity software, and health and fitness apps.

The five most frequently detected malware families were Joker, Facestealer, Anatsa, Coper and various types of adware. Even though Anatsa and Coper account for only 3% of all malware downloads, they pose a greater threat due to their ability to conduct on-device fraud and steal confidential information.

Precautions

To protect against these threats, users are advised to carefully check application permissions before installation. Permissions related to high-risk activities such as accessibility services, texting, and contact list access should be reviewed and denied when the app has no need for them.
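As an added illustration of the permission review recommended above (example code, not from the article or from Zscaler), the following Python script triages a decoded AndroidManifest.xml for the permissions the text flags as high-risk, plus REQUEST_INSTALL_PACKAGES, which an app needs in order to install a second APK as the dropper chain does, and any declared accessibility service. The manifest in the block is a constructed sample, not any real app's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions a PDF/QR utility has no plausible need for; the article singles out
# SMS and contact access, and a dropper additionally needs to install packages.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (one-time codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "read contact list",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper behaviour)",
}
# An accessibility service is a <service> guarded by this permission.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Return high-risk permissions and accessibility services found in a manifest."""
    root = ET.fromstring(manifest_xml)
    findings = {"permissions": [], "accessibility_services": []}
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME_ATTR, "")
        if name in HIGH_RISK_PERMISSIONS:
            findings["permissions"].append((name, HIGH_RISK_PERMISSIONS[name]))
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == ACCESSIBILITY_BIND:
            findings["accessibility_services"].append(svc.get(NAME_ATTR, "?"))
    return findings

# Constructed sample (not taken from any real app): a "file manager" asking for SMS,
# contacts and package-install rights, and registering an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemgr">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    for name, why in result["permissions"]:
        print(f"HIGH RISK permission {name}: {why}")
    for svc in result["accessibility_services"]:
        print(f"HIGH RISK accessibility service declared: {svc}")
```

A manifest can be decoded from an APK with a tool such as apktool before running the script; INTERNET alone is not flagged, which keeps the output focused on the mismatch between a utility's purpose and what it asks for.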

Current status and recommendations

The names of the more than 90 malicious applications were not disclosed, and it is unclear whether they have been reported to Google for removal. As of this writing, the two Anatsa dropper apps identified by Zscaler have been removed from Google Play. We encourage users to remain vigilant and regularly update their devices to minimize exposure to such threats.

Overall, the detection of these malicious applications underscores the importance of constant vigilance and robust security measures. By staying informed and cautious, users can better protect their devices and personal information from cyber threats.