Over 90 Malicious Android Apps Found on Google Play, Delivering Malware and Adware to Millions
In a recent cybersecurity revelation, over 90 malicious Android apps have been identified on Google Play, with these harmful applications being downloaded more than 5.5 million times. These apps were found to deliver various types of malware and adware, with the notorious Anatsa banking trojan experiencing a significant resurgence in activity.
The Rise of Anatsa
Anatsa, also known as “Teabot,” is a banking trojan that targets over 650 financial institution applications across Europe, the US, the UK, and Asia. This trojan’s primary objective is to steal e-banking credentials, enabling cybercriminals to carry out fraudulent transactions. According to a report by Threat Fabric, Anatsa had infected at least 150,000 devices via Google Play by late 2023, using various decoy productivity apps.
Recent Surge in Anatsa Activity
In February 2024, security researchers at Zscaler reported that Anatsa had returned to Google’s official app store. This time, it was distributed through two decoy applications: ‘PDF Reader & File Manager’ and ‘QR Reader & File Manager.’ At the time of analysis, these apps had already been installed 70,000 times, highlighting the ongoing risk of malicious dropper apps bypassing Google’s review process.
Anatsa’s Evasion Tactics
Anatsa dropper apps employ a sophisticated, multi-stage payload loading mechanism, making detection difficult. This process involves four key steps:
1. Configuration Retrieval: The dropper app retrieves configuration and essential strings from a command-and-control (C2) server.
2. DEX File Activation: A DEX file containing the malicious dropper code is downloaded and activated on the device.
3. Payload URL Configuration: A configuration file with the Anatsa payload URL is downloaded.
4. Malware Installation: The DEX file fetches and installs the malware payload (APK), completing the infection.
The DEX file also performs anti-analysis checks to ensure the malware does not execute in sandbox or emulated environments. Once operational, Anatsa uploads the bot configuration and app scan results, then downloads injections that match the victim’s location and profile.
Other Threats on Google Play
Besides Anatsa, Zscaler’s research uncovered over 90 other malicious applications on Google Play within the past few months. These apps, which collectively garnered 5.5 million downloads, often masqueraded as tools, personalization apps, photography utilities, productivity software, and health & fitness applications.
The five predominant malware families found were Joker, Facestealer, Anatsa, Coper, and various adware types. Although Anatsa and Coper account for only 3% of the total malicious downloads, they pose a greater threat because they can perform on-device fraud and steal sensitive information.
Precautionary Measures
To protect against these threats, users are advised to scrutinize app permissions carefully before installation. Permissions associated with high-risk activities, such as Accessibility Service, SMS, and contact list access, should be reviewed and declined if unnecessary.
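The permission review described above, and the four-step loading chain in the "Evasion Tactics" section, both lend themselves to a static triage pass that an analyst or app-vetting pipeline could run before an app is trusted. The script below is an added example and is not code from the article, from Zscaler, or from any of the researchers cited; it checks a decoded AndroidManifest.xml for the high-risk permissions the article names (plus REQUEST_INSTALL_PACKAGES, which an app needs to hand a downloaded APK to the installer) and scans a DEX string table for the building blocks of a staged loader: a dynamic DEX class loader, a remote URL to fetch from, emulator fingerprints used by anti-analysis checks, and the APK MIME type used to trigger installation. The two manifests, the string lists, the `example.invalid` domains and the indicator lists are constructed assumptions chosen for illustration, not indicators taken from the real droppers.

```python
"""Static triage of an Android app for the two warning signs the article
describes: staged dynamic-code loading (the dropper chain) and high-risk
manifest permissions (Accessibility Service, SMS, contacts).
Added example; the inputs below are constructed, not real app artifacts."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the article singles out, plus the one needed to sideload a
# downloaded APK (assumed relevant to step 4 of the loading chain).
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installer",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Indicators expected in a decoded DEX string table (e.g. from a disassembler).
# Emulator markers are common Build.* values of stock/Genymotion emulators.
DYNAMIC_LOADERS = {"dalvik.system.DexClassLoader", "dalvik.system.InMemoryDexClassLoader"}
EMULATOR_MARKERS = {"generic", "goldfish", "ranchu", "sdk_gphone", "vbox86"}
APK_MIME = "application/vnd.android.package-archive"


def manifest_findings(manifest_xml: str) -> list[str]:
    """Flag high-risk permissions and any service bound as an accessibility service."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for element in root.iter("uses-permission"):
        name = element.get(ATTR_NAME, "")
        if name in HIGH_RISK_PERMISSIONS:
            findings.append(f"permission:{HIGH_RISK_PERMISSIONS[name]}:{name}")
    for service in root.iter("service"):
        if service.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND:
            findings.append(f"accessibility-service:{service.get(ATTR_NAME)}")
    return findings


def dex_findings(strings: list[str]) -> list[str]:
    """Flag the building blocks of a staged loader in a DEX string table."""
    findings = []
    if DYNAMIC_LOADERS & set(strings):
        findings.append("dynamic-dex-loading")
    if any(s.startswith(("http://", "https://")) for s in strings):
        findings.append("remote-fetch")
    if EMULATOR_MARKERS & {s.lower() for s in strings}:
        findings.append("emulator-check")
    if APK_MIME in strings:
        findings.append("apk-install")
    return findings


def triage(manifest_xml: str, strings: list[str]) -> dict:
    """A loader that fetches remote code is a staged dropper; pairing it with
    accessibility, SMS or installer capability makes the app high risk."""
    manifest = manifest_findings(manifest_xml)
    dex = dex_findings(strings)
    staged = "dynamic-dex-loading" in dex and "remote-fetch" in dex
    abusable = (
        any(f.startswith("accessibility-service:") for f in manifest)
        or any(":SMS:" in f for f in manifest)
        or "apk-install" in dex
    )
    return {"manifest": manifest, "dex": dex,
            "staged_dropper": staged, "high_risk": staged and abusable}


# Constructed sample 1: an ordinary note-taking app that only syncs over HTTPS.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""
BENIGN_STRINGS = ["com.example.notes.MainActivity", "notes.db", "https://sync.example.invalid/v1"]

# Constructed sample 2: a "PDF viewer" decoy with the shape of a staged dropper.
DECOY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.decoy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".PdfViewer"/>
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
DECOY_STRINGS = ["dalvik.system.DexClassLoader", "https://c2.example.invalid/config",
                 "goldfish", APK_MIME, "loadClass"]

if __name__ == "__main__":
    for label, manifest, strings in (("benign", BENIGN_MANIFEST, BENIGN_STRINGS),
                                     ("decoy", DECOY_MANIFEST, DECOY_STRINGS)):
        print(label, triage(manifest, strings))
```

The benign app is reported with a single `remote-fetch` hit and no dropper verdict, because a URL on its own is normal; the decoy is reported as a staged dropper and high risk because the dynamic loader, remote fetch, emulator check, installer MIME type and accessibility service all appear together. The indicator lists are deliberately small; a real pipeline would extend them and treat the result as a prioritisation signal for manual review, not as a blocklist.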
Current Status and Recommendations
The names of the 90-plus malicious apps were not disclosed, and it is unclear whether they have been reported to Google for removal. The two Anatsa dropper apps identified by Zscaler had been taken down from Google Play at the time of writing. Users are encouraged to remain vigilant and regularly update their devices to minimize exposure to such threats.
In conclusion, the discovery of these malicious apps underscores the importance of ongoing vigilance and robust security measures. By staying informed and cautious, users can better protect their devices and personal information from cyber threats.