90 malicious apps evade Play Store security, amass 5.5 million downloads


Despite Google’s best efforts, malicious Android apps frequently bypass its security measures and make their way into the Play Store. Users then download those apps assuming they are safe, only to become victims of malware campaigns. Security researchers at Zscaler ThreatLabz recently discovered over 90 such Android apps with combined downloads of over 5.5 million on the Play Store.

More than 90 malicious Android apps discovered on the Play Store

In a blog post, the research firm highlighted a recent surge in the Anatsa banking trojan’s activity. Also known as Teabot, the trojan targets apps from over 650 financial institutions worldwide, attempting to steal people’s banking credentials to perform fraudulent transactions. It achieved over 150,000 infections within a few months between late 2023 and February 2024 via the Play Store using various decoy apps.

According to Zscaler ThreatLabz, the latest Anatsa malware campaign used apps named “PDF Reader & File Manager” and “QR Reader & File Manager” as its decoy apps. The two apps, which have since been removed from the Play Store, had amassed 70,000 installations when the firm discovered they were distributing malware. Threat actors behind the campaign employed a multi-step mechanism to avoid detection.

Once the malicious app is installed on an Android device, it retrieves configuration and essential strings from the C2 server. The app then downloads the DEX file containing malicious dropper code and activates it on the device. This is followed by a configuration file with the Anatsa payload URL. Finally, the DEX file downloads the malware payload APK and installs it to complete the infection.
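The staged chain described above can be looked for in device or proxy telemetry. The following is an added example, not code from Zscaler ThreatLabz or this article: it assumes a hypothetical event schema (`ts`, `pkg`, `type`, `head`) and constructed sample events, labels downloads by file magic, and flags an app that downloads a DEX file, loads it, downloads an APK and requests an install, in that order.

```python
from collections import defaultdict
DEX_MAGIC = b"dex\n"        # DEX files start with "dex\n" plus a version
ZIP_MAGIC = b"PK\x03\x04"   # an APK is a ZIP archive (so is any other ZIP)
STAGES = ["dex_download", "dex_load", "apk_download", "install_request"]  # in order

def classify_download(head: bytes) -> str:
    """Label a download by the first bytes of its body."""
    if head.startswith(DEX_MAGIC):
        return "dex_download"
    if head.startswith(ZIP_MAGIC):
        return "apk_download"
    return "other_download"

def normalise(event: dict) -> str:
    if event["type"] == "download":
        return classify_download(event["head"])
    return event["type"]

def find_dropper_chains(events, window=600):
    """Return packages that pass every stage, in order, within `window` seconds."""
    progress = defaultdict(lambda: {"idx": 0, "start": None})
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = progress[ev["pkg"]]
        # A chain that has run past the window is stale: start over.
        if st["start"] is not None and ev["ts"] - st["start"] > window:
            st["idx"], st["start"] = 0, None
        if normalise(ev) == STAGES[st["idx"]]:
            if st["idx"] == 0:
                st["start"] = ev["ts"]
            st["idx"] += 1
            if st["idx"] == len(STAGES):
                flagged.append(ev["pkg"])
                st["idx"], st["start"] = 0, None
    return flagged

# Constructed sample telemetry (hypothetical schema and package names).
P, S = "com.example.pdfreader", "com.example.store"
SAMPLE = [
    {"ts": 0, "pkg": P, "type": "download", "head": b'{"cfg":'},
    {"ts": 5, "pkg": P, "type": "download", "head": b"dex\n035\x00"},
    {"ts": 6, "pkg": P, "type": "dex_load"},
    {"ts": 9, "pkg": P, "type": "download", "head": b'{"url":'},
    {"ts": 12, "pkg": S, "type": "download", "head": b"PK\x03\x04\x14"},
    {"ts": 15, "pkg": S, "type": "install_request"},
    {"ts": 20, "pkg": P, "type": "download", "head": b"PK\x03\x04\x14"},
    {"ts": 30, "pkg": P, "type": "install_request"},
]
print(find_dropper_chains(SAMPLE))
```

The second package downloads an archive and requests an install without first fetching and loading a DEX file, so it is not flagged; requiring the full ordered chain is what keeps ordinary installer apps out of the result.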

The malware also has a mechanism in place to avoid executing in sandboxes or emulated environments. All of this makes it difficult for security systems to detect it. However, the Anatsa malware isn’t the only one that Zscaler ThreatLabz discovered on the Play Store. The research firm found over 90 apps distributing various other types of malware, including Joker, Facestealer, Coper, and adware.

Avoid downloading third-party alternatives for stock apps

The researchers didn’t disclose the names of the other malicious apps found on the Play Store. They said the apps impersonated various productivity tools, personalization tools, photography utilities, and health & fitness apps. The firm has probably already reported the apps to Google and may have got them removed from the Play Store.

However, this is certainly not the end of malware-laden apps on the official Android app store. Threat actors often think a step ahead of security experts. They always find a way to bypass Google’s security measures. You should be careful when downloading apps from lesser-known developers. Most Android devices come with a built-in file manager, PDF reader, camera app, and other productivity tools. Avoid downloading third-party alternatives.

John Smith

John Smith is a seasoned technology writer with a passion for unraveling the complexities of the digital world. With a background in computer science and a keen interest in emerging trends, John has become a sought-after voice in translating intricate technological concepts into accessible and engaging articles.