77 Malicious Android Apps With 19M Installs Targeted 831 Banks Worldwide

Zscaler’s ThreatLabz team has unveiled a concerning trend in mobile security, identifying 77 malicious applications available on the Google Play Store that have collectively amassed over 19 million installations. These apps are not merely harmless utilities; they are vehicles for various malware strains that target financial institutions and compromise user data.

The investigation highlights a new wave of the Anatsa banking trojan, also known as TeaBot, which has evolved since its initial discovery in 2020. This latest variant has significantly broadened its scope, now aiming at over 831 banks globally, an increase from a previous tally of 650. The malware’s reach has extended into new territories, including Germany and South Korea, while also infiltrating popular cryptocurrency platforms.

Many of these deceptive applications masquerade as benign document readers, with some achieving over 50,000 downloads individually, underscoring the extensive impact of this cyber campaign.

Figure: Anatsa installer behaviour depending on the outcome of its anti-analysis checks (Source: Zscaler)

The operators behind this malware have cleverly employed an app titled ‘Document Reader – File Manager’ as a decoy. This application initially appears legitimate, but after installation it discreetly downloads the Anatsa payload, a staging approach that circumvents Google’s pre-publication code review.

Further analysis reveals that these apps, while initially clean, later download the Anatsa malware disguised as a necessary update. By manipulating Android’s Accessibility Services, the malware automates its malicious activities, allowing it to steal sensitive financial information, monitor keystrokes, and facilitate fraudulent transactions through counterfeit login pages that mimic legitimate banking applications. When users attempt to log in, their credentials are sent directly to the attackers.

This malware is adept at evading security scrutiny by obfuscating its code and checking whether it is running in an analysis or emulated environment. Techniques such as Data Encryption Standard (DES) runtime decryption and emulation checks are employed to bypass security measures. Additionally, a corrupted ZIP archive is used to conceal a critical malicious file, complicating detection by standard analysis tools.
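One triage check an analyst can run against a suspect APK (which is a ZIP archive) follows the concealment point above: compare what the archive’s central directory advertises with what can actually be extracted. This is an added example, not Zscaler’s code; the article does not say how Anatsa damages the archive, so a clobbered local-header signature is assumed here as a stand-in, and the entry name `assets/stage2.bin` is a constructed placeholder.

```python
import io
import zipfile
import zlib

LOCAL_HEADER_SIG = b"PK\x03\x04"


def audit_archive(data: bytes) -> dict:
    """Walk the central directory and try to read every listed entry.
    Entries that are listed but unreadable, or local headers the central
    directory never mentions, deserve a manual look."""
    report = {"readable": [], "unreadable": [], "orphan_local_headers": 0}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        report["unreadable"].append(("<central directory>", str(exc)))
        return report
    with zf:
        for info in zf.infolist():
            try:
                with zf.open(info) as fh:
                    fh.read()  # raises on bad header signature or bad CRC
                report["readable"].append(info.filename)
            except (zipfile.BadZipFile, zlib.error, RuntimeError) as exc:
                report["unreadable"].append((info.filename, str(exc)))
        listed = len(zf.infolist())
    # Heuristic: stored data rarely contains the signature bytes, so more
    # local headers than central-directory entries hints at a hidden file.
    report["orphan_local_headers"] = max(0, data.count(LOCAL_HEADER_SIG) - listed)
    return report


def build_sample(corrupt: bool) -> bytes:
    """Constructed two-entry archive. With corrupt=True the second entry's
    local header signature is overwritten (assumed technique), so the central
    directory still lists it while standard extraction fails."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assets/stage2.bin", b"\x00" * 64)  # placeholder payload
    data = bytearray(buf.getvalue())
    if corrupt:
        second = data.find(LOCAL_HEADER_SIG, 1)  # skip the first entry's header
        data[second:second + 4] = b"XXXX"
    return bytes(data)


if __name__ == "__main__":
    print(audit_archive(build_sample(corrupt=False)))
    print(audit_archive(build_sample(corrupt=True)))
```

A clean archive yields an empty `unreadable` list; the damaged one still lists both names but only the manifest can be read, which is exactly the discrepancy a listing-only tool would miss.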

Zscaler’s findings indicate that while a majority of the malicious apps contained adware, the most prevalent Android malware identified was Joker, appearing in nearly 25% of the analyzed applications. Joker is notorious for its ability to pilfer contacts and device data, capture screenshots, make unauthorized calls, and send text messages to subscribe users to premium services without their consent.

A smaller subset of apps was found to contain “maskware,” which operates under the guise of legitimate applications while engaging in harmful activities such as credential theft and the collection of personal data, including location and SMS messages. Among these, a variant of Joker known as Harly was discovered, which cleverly hides its malicious payload deep within the code of otherwise legitimate-looking applications.


The proliferation of such threats raises significant concerns regarding personal privacy, financial integrity, and the security of private enterprises.

“Android users should always verify the permissions that applications request, ensuring they align with the intended functionality of the application,” the research advises.

An Expert’s View: Reactive Defences and New Threats

Mayank Kumar, Founding AI Engineer at DeepTempo, emphasizes the implications of Zscaler Threat Labs’ findings, noting that the security measures of official app stores like Google Play are predominantly reactive. By the time malicious apps are removed, millions of users, in this instance 19 million, may already be at risk.

Kumar elaborates on the evolving tactics of attackers, who now embed their code deep within an app’s core to appear innocuous during the review process. He cites the Harly variant as a prime example of this strategy, highlighting its use of obfuscation layers to evade detection.

“With the advent of AI, it will become even easier for threat actors to design multi-stage payloads and sophisticated obfuscation techniques that can outsmart the scanning and signature-based detection systems that underpin app store defenses,” he warns.
