Malicious Android apps with 19M installs removed from Google Play

In a recent investigation, Zscaler’s ThreatLabs team uncovered a troubling wave of malware infiltrating Google Play, revealing that 77 malicious Android applications had amassed over 19 million downloads. The primary culprit identified was the Anatsa (Tea Bot) banking trojan, which has been targeting Android devices with increasing sophistication.

Among the malicious apps, more than 66% were found to contain adware components, while the notorious Joker malware was detected in nearly 25% of the analyzed applications. Once Joker is installed, it can perform a range of intrusive actions, including reading and sending text messages, taking screenshots, making phone calls, and accessing sensitive user information such as contact lists. This malware can also subscribe users to premium services without their consent.

A smaller segment of the malicious apps was categorized as maskware, which cleverly disguises itself as benign applications to avoid detection. These apps may appear legitimate but engage in harmful activities in the background, such as stealing credentials and sensitive data, including banking information and location data. Cybercriminals often leverage maskware to distribute additional malware.

Notably, Zscaler researchers identified a variant of the Joker malware known as Harly. This variant masquerades as a legitimate application, embedding its malicious payload deeper within the code to evade scrutiny during the review process. Previous reports from Human Security indicated that Harly could hide within popular applications, such as games and photo editors.

Anatsa trojan keeps evolving

The Anatsa banking trojan continues to evolve, with Zscaler reporting an expansion in its targeting capabilities. The latest iteration now aims to extract data from 831 banking and cryptocurrency applications, up from 650. To evade Google’s code review, the malware operators utilize an app named ‘Document Reader – File Manager’ as a decoy, which only downloads the malicious Anatsa payload post-installation.

This latest campaign marks a shift from previous methods, moving away from remote DEX dynamic code loading to direct payload installation, unpacking it from JSON files, and subsequently deleting those files. In terms of evasion tactics, Anatsa employs malformed APK archives to disrupt static analysis and uses runtime DES-based string decryption along with emulation detection techniques. Additionally, package names and hashes are periodically altered to further complicate detection efforts.
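One defender-side consequence of the malformed-APK trick described above is that static tooling should cross-check the ZIP structures it relies on rather than trust any single header. The following Python check is an added example, not code from Zscaler's report (which does not spell out the exact malformation); the minimal APK-shaped archive and the single tampered field are constructed here as an assumption about one form such an inconsistency could take.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header fields after the 4-byte signature:
# version(2) flags(2) method(2) mtime(2) mdate(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
LOCAL_HDR = struct.Struct("<HHHHHIIIHH")


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed sample: a minimal APK-shaped ZIP, not a real app.
    With tamper=True the first local header's compression method is
    overwritten so it no longer agrees with the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.sample'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 40)
    data = bytearray(buf.getvalue())
    if tamper:
        struct.pack_into("<H", data, 8, 99)  # method field is 8 bytes into the header
    return bytes(data)


def audit_apk(data: bytes) -> list:
    """Cross-check every central-directory entry against its local header and
    report discrepancies a lenient unpacker may ignore but a naive static
    analyzer would trip over. An empty list means the archive is consistent."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"unparseable archive: {exc}"]
    names = zf.namelist()
    for required in ("AndroidManifest.xml", "classes.dex"):
        if required not in names:
            findings.append(f"missing {required}")
    if len(names) != len(set(names)):
        findings.append("duplicate entry names in central directory")
    for info in zf.infolist():
        off = info.header_offset
        if data[off:off + 4] != LOCAL_SIG:
            findings.append(f"{info.filename}: bad local header signature")
            continue
        _, flags, method, _, _, crc, csize, usize, nlen, _ = LOCAL_HDR.unpack_from(data, off + 4)
        local_name = data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        if local_name != info.filename:
            findings.append(f"{info.filename}: local header names it {local_name!r}")
        if method != info.compress_type:
            findings.append(f"{info.filename}: compression method {method} vs {info.compress_type} in central directory")
        # Bit 3 of flags means sizes/CRC live in a trailing data descriptor, not here.
        if not flags & 0x8 and (crc, csize, usize) != (info.CRC, info.compress_size, info.file_size):
            findings.append(f"{info.filename}: crc/size mismatch between headers")
    return findings
```

Run on real samples, any finding is a reason to unpack with a stricter parser rather than to skip the file.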

Capability-wise, Anatsa exploits Accessibility permissions on Android devices to automatically grant itself extensive privileges. It fetches phishing pages from its server for over 831 targeted applications, now extending its reach to Germany and South Korea. A new keylogger module has also been introduced for generic data theft.

This recent Anatsa campaign follows a similar wave discovered by ThreatFabric in July, where the trojan infiltrated Google Play disguised as a PDF viewer, achieving over 50,000 downloads. Previous campaigns have included attacks using PDF and QR Code Reader apps, which collectively resulted in significant infections.

Malicious app wave on Google Play

Alongside the Anatsa apps, Zscaler’s findings revealed a predominance of adware families, with Joker, Harly, and various maskware also making an appearance. Zscaler researcher Himanshu Sharma noted a marked increase in adware applications on the Google Play Store, contrasting with a decline in other malware families such as Facestealer and Coper.

Tools and personalization apps accounted for over half of the lures used to disseminate these malicious applications, indicating that categories such as entertainment, photography, and design should be approached with caution. In total, the 77 malicious apps, including those containing Anatsa, were downloaded 19 million times from Google Play.

Following Zscaler’s reporting, Google has removed all identified malicious apps from the Play Store. Android users are advised to ensure that their Play Protect service is active to help identify and remove harmful applications. In the event of an Anatsa trojan infection, users should take additional steps with their banks to safeguard potentially compromised e-banking accounts or credentials.

To mitigate the risk of encountering malware on Google Play, users are encouraged to trust only reputable publishers, read user reviews, and grant permissions strictly related to the app’s core functionality.
