Seventy-seven malicious Android apps with more than 19 million installs have been delivering several malware families to Google Play users.
The malware infiltration was discovered by Zscaler's ThreatLabz team while investigating a new infection wave of the Anatsa (TeaBot) banking trojan targeting Android devices.
While most of the malicious apps (over 66%) included adware components, the most common Android malware was Joker, which researchers encountered in almost 25% of the analyzed apps.
Once Joker malware is installed on a device, it can read and send text messages, take screenshots, make phone calls, steal contact lists, access device information, and subscribe users to premium services.
A smaller share of the apps included maskware, a term used to describe a malicious app that disguises itself as something that would not raise any suspicion.
Such malware may pose as a legitimate app that works as advertised. However, it performs malicious activity in the background, such as stealing credentials, banking data, or other sensitive data (location, SMS). Cybercriminals can also use maskware to deliver other malware.
Zscaler researchers also found a variant of the Joker malware called Harly, which arrives as a legitimate app with a malicious payload hidden deeper in the code to avoid detection during the review process.

In a report in March, Human Security researchers said that Harly can hide in popular apps, like games, wallpapers, flashlights, and photo editors.
Anatsa trojan keeps evolving
According to Zscaler, the latest version of the Anatsa banking trojan has further expanded its targeting scope, increasing the number of banking and cryptocurrency apps it attempts to steal data from to 831, from 650 previously.
The malware operators use an app named 'Doc Reader – File Manager' as a decoy, which only downloads the malicious Anatsa payload after installation, to evade Google's code review.

Source: Zscaler
The latest campaign has switched from the remote DEX dynamic code loading used in the past to direct payload installation, unpacking the payload from JSON files and then deleting them.
In terms of evasion, it uses malformed APK archives to break static analysis, runtime DES-based string decryption, and emulator detection. Package names and hashes are also changed periodically.

Source: Zscaler
Capability-wise, Anatsa abuses Accessibility permissions on Android to auto-grant itself extensive privileges.
It fetches phishing pages from its server for over 831 apps, now also covering Germany and South Korea, while a keylogger module has also been added for generic data theft.
This latest Anatsa campaign follows another recent wave discovered by ThreatFabric in July, where the trojan sneaked into Google Play posing as a PDF viewer, reaching over 50,000 downloads.
Older Anatsa campaigns include a PDF and QR Code Reader attack in May 2024 that achieved 70,000 infections, a Phone Cleaner and PDF attack in February 2024 that got 150,000 downloads, and another PDF Viewer attack in March 2023 that achieved 30,000 installs.
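The two evasion tricks described above (malformed APK archives and payloads hidden in JSON assets) can be screened for before an APK reaches a disassembler. The following checker is an added example, not code from the article or from Zscaler's report; it assumes that "malformed" means the ZIP local file headers disagree with the central directory (one common variant), and it builds a constructed stand-in archive rather than using any real sample.

```python
import base64
import io
import math
import random
import struct
import zipfile
from collections import Counter

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # sig, ver, flags, method, time, date, crc, csize, usize, fnlen, exlen

def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def audit_apk(apk: bytes, entropy_threshold: float = 5.5) -> list[str]:
    """Flag local-header/central-directory disagreements and packed-looking JSON assets."""
    findings, zf = [], zipfile.ZipFile(io.BytesIO(apk))
    for info in zf.infolist():
        off, name = info.header_offset, info.filename
        sig, _, flags, method, _, _, crc, csize, _, fnlen, _ = LOCAL_HDR.unpack_from(apk, off)
        if sig != b"PK\x03\x04" or apk[off + 30:off + 30 + fnlen] != name.encode():
            findings.append(f"{name}: local header signature or file name does not match")
            continue
        if method != info.compress_type:
            findings.append(f"{name}: method {method} in local header vs {info.compress_type} in central directory")
        if method not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
            findings.append(f"{name}: unsupported compression method {method}")
        # CRC/size in the local header are only authoritative without a data descriptor (flag bit 3)
        if not flags & 0x08 and (crc != info.CRC or csize != info.compress_size):
            findings.append(f"{name}: CRC or size mismatch between headers")
        if name.startswith("assets/") and name.endswith(".json"):
            ent = shannon_entropy(zf.read(info))
            if ent > entropy_threshold:
                findings.append(f"{name}: entropy {ent:.2f} suggests a packed payload inside JSON")
    return findings

def build_sample_apk(tamper: bool) -> bytes:
    """Constructed stand-in for an APK (not a real sample): manifest, dex, JSON asset with a base64 blob."""
    payload = base64.b64encode(random.Random(7).randbytes(4096)).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<constructed manifest placeholder/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        zf.writestr("assets/config.json", '{"theme": "dark", "data": "%s"}' % payload)
    apk = bytearray(buf.getvalue())
    if tamper:  # overwrite only the method field of classes.dex's local header; the central directory stays intact
        off = zipfile.ZipFile(io.BytesIO(bytes(apk))).getinfo("classes.dex").header_offset
        struct.pack_into("<H", apk, off + 8, 99)
    return bytes(apk)
```

Run `audit_apk(build_sample_apk(tamper=True))` to see the tampered dex entry reported twice and the JSON asset flagged for its entropy; a real APK can be passed in as `open(path, "rb").read()`.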
Malicious app wave on Google Play
Apart from the malicious Anatsa apps Zscaler discovered this time, most were adware families, followed by 'Joker,' 'Harly,' and various maskware.
"ThreatLabz identified a sharp rise in adware applications on the Google Play Store alongside malware, such as Joker, Harly, and banking trojans like Anatsa," explained Zscaler researcher Himanshu Sharma.
"Conversely, there was a noticeable decline in malware families such as Facestealer and Coper."
Tools and personalization apps accounted for over half of the lures used to spread these apps, so these two categories, along with entertainment, photography, and design, should be treated as high-risk.
In total, the 77 malicious apps, including those containing Anatsa, were downloaded 19 million times from Google Play.
Zscaler reports that Google removed all the malicious apps they discovered this time from the Play Store following their report.
Android users should ensure the Play Protect service is active on their device to flag malicious apps for removal.
In the case of Anatsa trojan infections, separate steps should be taken with the bank to protect potentially compromised e-banking accounts or credentials.
To minimize the risk from malware loaders on Google Play, only trust reputable publishers, read at least a few user reviews, and only grant permissions that are directly related to the app's core functionality.