90+ Malicious Android Apps with 5.5 Million Installs Found on Google Play

More than 90 malicious Android apps have been found installed over 5.5 million times via Google Play to deliver malware and adware, with the Anatsa banking trojan seeing a surge in activity recently.

Anatsa (aka “Teabot”) is a banking trojan that targets over 650 financial institution applications in Europe, the United States, the United Kingdom and Asia. It attempts to steal victims’ electronic banking credentials in order to make fraudulent transactions.

In February 2024, Threat Fabric reported that since the end of last year, Anatsa had carried out at least 150,000 infections through Google Play using various decoy apps in the productivity software category.

Today, Zscaler reports that Anatsa is back on the official Android app store and is now distributed via two decoy apps: “PDF Reader & File Manager” and “QR Reader & File Manager.”

Anatsa dropper applications
Source: Zscaler

At the time of Zscaler’s analysis, both apps had already accumulated 70,000 installs, demonstrating the high risk of malicious dropper apps slipping through the cracks of Google’s review process.

One thing that helps Anatsa dropper applications evade detection is a multi-stage payload loading mechanism, which involves four distinct stages:

  • The dropper app retrieves essential configuration and strings from the C2 server
  • A DEX file containing the malicious dropper code is downloaded and activated on the device
  • The configuration file with the Anatsa payload URL is downloaded
  • The DEX file fetches and installs the malware payload (APK), thus completing the infection

Malware Loading Steps
Source: Zscaler

The DEX file also performs anti-scan checks to ensure that malware will not be run on sandboxes or emulation environments.

Once Anatsa is up and running on the newly infected device, it downloads the bot configuration and scan results from the app, then downloads injections that match the victim’s location and profile.

Data exchange between malware and C2
Source: Zscaler

Other Google Play threats

Zscaler reports that over the past two months it has also discovered more than 90 malicious apps on Google Play, which have collectively been installed 5.5 million times.

Most of the malicious apps impersonated tools, personalization apps, photography utilities, productivity, and health and fitness apps.

The five malware families dominating the scene are Joker, Facestealer, Anatsa, Coper and various adware.

Types of Google Play malware (left) and droppers (right)
Source: Zscaler

Although Anatsa and Coper account for only 3% of total malicious downloads on Google Play, they are far more dangerous than the others, being capable of committing on-device fraud and stealing sensitive information.

When installing new apps from Google Play, check the requested permissions and deny those associated with high-risk activities, such as the Accessibility Service, SMS access, and the Contacts list.
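The permission advice above and the four-stage dropper chain described earlier can be turned into a simple pre-install manifest check. The Python script below is an added example, not code from Zscaler, BleepingComputer or any of the apps named on this page. It parses a constructed AndroidManifest.xml (the package name and contents are made up for illustration) and flags the permissions the article names as high-risk, an Accessibility Service declaration, and the INTERNET plus REQUEST_INSTALL_PACKAGES combination that a dropper needs in order to fetch and install an APK at runtime. The risk levels and thresholds are the example's own assumptions, not a published Zscaler heuristic.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Permission groups the article singles out as high-risk to grant (SMS, Contacts).
HIGH_RISK = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "Contacts",
}
# An Accessibility Service is declared on a <service>, not via <uses-permission>.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Needed to install an APK that was downloaded at runtime (final stage of the dropper chain).
INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"
INTERNET = "android.permission.INTERNET"

# Constructed sample manifest: what a "PDF reader" would have to declare to behave like
# the dropper chain in the article. Not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="PDF Reader">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign counterpart: a file viewer that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain Viewer"/>
</manifest>
"""


def declared_permissions(root):
    """Set of permission names requested via <uses-permission>."""
    return {e.get(ATTR_NAME, "") for e in root.iter("uses-permission")}


def analyze_manifest(manifest_xml):
    """Extract the findings a reviewer would want to see before installing."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    high_risk = sorted(p for p in perms if p in HIGH_RISK)
    has_accessibility = any(
        svc.get(ATTR_PERMISSION) == ACCESSIBILITY for svc in root.iter("service")
    )
    # Stage 4 of the chain (download an APK, then install it) requires both of these.
    dropper_capable = INTERNET in perms and INSTALL_PACKAGES in perms
    return {
        "package": root.get("package"),
        "high_risk_permissions": high_risk,
        "accessibility_service": has_accessibility,
        "dropper_capable": dropper_capable,
    }


def risk_level(findings):
    """Assumed thresholds: runtime APK installation, or Accessibility combined with
    SMS/Contacts, is 'high'; any single high-risk signal is 'medium'; otherwise 'low'."""
    signals = int(findings["accessibility_service"]) + int(bool(findings["high_risk_permissions"]))
    if findings["dropper_capable"] or signals == 2:
        return "high"
    if signals == 1:
        return "medium"
    return "low"


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        f = analyze_manifest(manifest)
        print(f["package"], risk_level(f), f)
```

To run this against a real app rather than the constructed sample, dump its manifest with the Android SDK's `apkanalyzer manifest print app.apk` and feed the output to `analyze_manifest`. Note that REQUEST_INSTALL_PACKAGES on its own is legitimate for app stores and updaters; the point of the check is that a PDF or QR reader has no reason to declare it alongside SMS, Contacts or an Accessibility Service.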

The researchers did not disclose the names of the more than 90 apps or whether they had been reported to Google for removal.

However, as of this writing, both Anatsa dropper apps discovered by Zscaler have been removed from Google Play.

News source: www.bleepingcomputer.com