Tech

Over 90 malicious Android apps with 5.5M installs found on Google Play

3 Min Read

Over 90 malicious Android apps were discovered on Google Play, amassing more than 5.5 million installations and delivering malware and adware, including a recent surge in the Anatsa banking trojan.Anatsa (also known as “Teabot”) is a banking trojan targeting over 650 applications of financial institutions across Europe, the US, the UK, and Asia. Its primary aim is to steal e-banking credentials for fraudulent transactions.

Contents
Anatsa’s evasion tacticsOther Google Play threatsHigh-risk malware

In February 2024, Threat Fabric reported that since late last year, Anatsa had infected at least 150,000 devices via Google Play through various decoy apps in the productivity software category. Recently, Zscaler reported that Anatsa has resurfaced on Android’s official app store, now distributed via two decoy applications: ‘PDF Reader & File Manager’ and ‘QR Reader & File Manager’. At the time of Zscaler’s analysis, the two apps had already accumulated 70,000 installations, highlighting the high risk of malicious dropper apps bypassing Google’s review process.

Anatsa’s evasion tactics

One of the techniques that help Anatsa dropper apps evade detection is a multi-stage payload loading mechanism involving four distinct steps:

  1. Dropper app retrieves configuration and essential strings from the C2 server.
  2. DEX file containing malicious dropper code is downloaded and activated on the device.
  3. Configuration file with Anatsa payload URL is downloaded.
  4. DEX file fetches and installs the malware payload (APK), completing the infection.

The DEX file also performs anti-analysis checks to ensure the malware won’t execute on sandboxes or emulating environments. Once Anatsa is operational on the newly infected device, it uploads the bot configuration and app scan results and then downloads the injections that match the victim’s location and profile.

Other Google Play threats

In the past couple of months, Zscaler discovered over 90 malicious applications on Google Play, collectively installed 5.5 million times. Most of these apps masqueraded as tools, personalization apps, photography utilities, productivity, and health & fitness apps. The five dominant malware families in these malicious apps are Joker, Facestealer, Anatsa, Coper, and various adware.

High-risk malware

While Anatsa and Coper only account for 3% of the total malicious downloads from Google Play, they are significantly more dangerous than others, capable of performing on-device fraud and stealing sensitive information. When installing new apps from Google Play, it’s crucial to review the requested permissions and decline those associated with high-risk activities such as Accessibility Service, SMS, and contacts list.

The researchers did not disclose the names of the 90+ apps or whether they had been reported to Google for takedown. However, at the time of writing, the two Anatsa dropper apps discovered by Zscaler have been removed from Google Play.

You Might Also Like

Split Technology Park welcomes first tenants: 26 MPSs and 6 startups

INNVEST Summit 2024: A premier event for innovation and economic competitiveness in the Western Balkans

Shoppable widget by EmbedSocial: Revolutionizing E-commerce with authentic shopper content

Intel prevails in long-running legal battle against €1 billion EU fine

Diaspora 4 Innovation: Kick-off event launches a new era for Albanian higher education

Share This Article
Previous Article OpenAI begins training GPT-5: What to expect from the next-generation AI model
Next Article Google defends its AI search after it told people to put glue on pizza

Social networks

Latest news

Split Technology Park welcomes first tenants: 26 MPSs and 6 startups
Tech
INNVEST Summit 2024: A premier event for innovation and economic competitiveness in the Western Balkans
Tech
Shoppable widget by EmbedSocial: Revolutionizing E-commerce with authentic shopper content
Apps
Intel prevails in long-running legal battle against €1 billion EU fine
Apps
Lost your password?