![90 malicious apps bypass Play Store security and collect 5.5 million downloads](https://www.trendfeedworld.com/wp-content/uploads/2024/05/90-malicious-apps-bypass-Play-Store-security-and-collect-55.jpg)
Despite Google's best efforts, malicious Android apps often bypass security measures and end up in the Play Store. Users then download these apps thinking they are safe, only to fall victim to malware campaigns again. Security researchers at Zscaler ThreatLabz recently discovered more than 90 such Android apps with combined downloads of more than 5.5 million on the Play Store.
More than 90 malicious Android apps discovered in the Play Store
In a blog post, the research team highlights a recent increase in activity from the Anatsa banking trojan. The trojan, also known as Teabot, targets apps from more than 650 financial institutions worldwide in an attempt to steal people's banking information to conduct fraudulent transactions. It reached over 150,000 infections via the Play Store within a few months between late 2023 and February 2024 using various decoy apps.
According to Zscaler ThreatLabz, the latest Anatsa malware campaign used apps called “PDF Reader & File Manager” and “QR Reader & File Manager” as decoy apps. The two apps, which have since been removed from the Play Store, had amassed 70,000 installs when the company discovered they were spreading malware. The threat actors behind the campaign deployed a multi-step mechanism to avoid detection.
Once the malicious app is installed on an Android device, it retrieves the configuration and essential strings from the C2 server. The app then downloads the DEX file containing the malicious dropper code and activates it on the device. This is followed by a configuration file containing the Anatsa payload URL. Finally, the DEX file downloads the APK for the malware payload and installs it to complete the infection.
The malware also has a mechanism to prevent its execution in sandboxes or emulation environments. All this makes it difficult for security systems to detect it. However, the Anatsa malware is not the only one that Zscaler ThreatLabz has discovered on the Play Store. The research team found more than 90 apps spreading various other types of malware, including Joker, Facestealer, Coper and adware.
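For defenders, the staged infection described above (remote configuration, DEX download and load, second configuration, APK download and install) can be treated as an ordered sequence to look for in per-app telemetry. The following is an added example, not code from Zscaler or from the original article; the event schema, the event type names and the package names are assumptions made for illustration.

```python
from collections import defaultdict

# Ordered stages of the chain as the article describes it. The event type
# names are hypothetical labels for normalized device or sandbox telemetry.
CHAIN = ["config_fetch", "dex_download", "dex_load",
         "config_fetch", "apk_download", "pkg_install"]

def match_chain(events, window=600):
    """Return (first_ts, last_ts) if `events` (sorted by ts) contain CHAIN as an
    ordered subsequence completed within `window` seconds, else None."""
    for start, first in enumerate(events):
        if first["type"] != CHAIN[0]:
            continue
        stage = 0
        for ev in events[start:]:
            if ev["ts"] - first["ts"] > window:
                break
            if ev["type"] == CHAIN[stage]:
                stage += 1
                if stage == len(CHAIN):
                    return first["ts"], ev["ts"]
    return None

def find_dropper_chains(events, window=600):
    """Group events by app package and report packages showing the full chain."""
    by_pkg = defaultdict(list)
    for ev in events:
        by_pkg[ev["package"]].append(ev)
    hits = {}
    for pkg, evs in by_pkg.items():
        evs.sort(key=lambda e: e["ts"])
        span = match_chain(evs, window)
        if span:
            hits[pkg] = span
    return hits

# Constructed sample telemetry (not real data): one app walks the whole chain,
# the other only fetches remote configuration and is not flagged.
SAMPLE = [
    {"ts": 0,  "package": "com.example.reader", "type": "config_fetch"},
    {"ts": 5,  "package": "com.example.notes",  "type": "config_fetch"},
    {"ts": 20, "package": "com.example.reader", "type": "dex_download"},
    {"ts": 22, "package": "com.example.reader", "type": "dex_load"},
    {"ts": 40, "package": "com.example.reader", "type": "config_fetch"},
    {"ts": 90, "package": "com.example.reader", "type": "apk_download"},
    {"ts": 95, "package": "com.example.reader", "type": "pkg_install"},
]

if __name__ == "__main__":
    print(find_dropper_chains(SAMPLE))
```

Because the malware avoids running in sandboxes and emulators, telemetry from real devices is more likely to show the full sequence than sandbox output. Any single stage on its own is common in legitimate apps; the heuristic flags only the complete ordered chain within the time window.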
Avoid downloading third-party alternatives to stock apps
The researchers did not reveal the names of the other malicious apps in the Play Store. They said the apps mimicked various productivity tools, personalization tools, photography tools and health and fitness apps. The company has likely already reported the apps to Google, and Google may have removed them from the Play Store.
However, this is certainly not the end of malware-laden apps in the official Android app store. Threat actors often think one step further than security experts. They always find a way to bypass Google's security measures. You should be careful when downloading apps from lesser-known developers. Most Android devices come with a built-in file manager, PDF reader, camera app, and other productivity tools. Avoid downloading third-party alternatives.