More than 90 Google Play Android apps identified with malware that steals your banking information – many already affected (5.5 million downloads)

A recent investigation by cybersecurity firm Zscaler has revealed a troubling trend in the Android app ecosystem, uncovering over 90 malicious applications that have been lurking on Google Play in recent months. Among these, the banking trojan known as Anatsa has emerged as a particularly insidious threat, contributing to a staggering total of 5.5 million downloads across all identified malware-infested apps.

Over 90 Android apps found with banking malware

By Thursday, Google took swift action, removing the identified apps from the Play Store, as reported by various tech news outlets. Anatsa, also referred to as “TeaBot,” alongside other malware highlighted in the report, operates as a dropper. It masquerades as benign applications such as PDF and QR code scanners, photography tools, and health and fitness apps. This incident serves as a stark reminder of the ease with which dangerous applications can circumvent Google’s security protocols, infiltrating users’ devices like digital pickpockets.

Although Anatsa accounts for only about two percent of the most prevalent malware types, its impact is significant. Targeting over 650 financial institutions, this banking trojan poses a serious risk to anyone engaging in mobile banking. Alarmingly, two of the infected apps—both disguised as PDF and QR code readers—had already amassed over 70,000 downloads by the time researchers raised the alarm.

Anatsa: A Trojan with serious consequences

Anatsa’s stealthy nature allows it to blend seamlessly into the background once installed, employing sophisticated techniques to remain hidden while pilfering banking information. The report specifically identified two apps carrying the malware: “PDF Reader and File Manager” by Tsarka Watchfaces and “QR Reader and File Manager” by risovanul. With such innocuous names, these apps would likely not raise suspicion among the average Android user.

The majority of the infected applications fell into categories that users typically download without a second thought, including file managers, text editors, and language translators. Other categories encompassed photography apps, productivity enhancers, and personalization tools, likely featuring wallpapers and home screen customizations.

More threats lurking on Google Play

Many of these perilous apps disguised themselves as everyday utilities—file managers, photo editors, personalization tools, and even fitness and productivity applications. While Anatsa and another malware variant, Coper, constituted only about 3% of total malware downloads, they are among the most dangerous offenders. These trojans are not merely an annoyance; they can perpetrate fraud directly on users’ devices and exfiltrate sensitive data, making them far more harmful than simple ad-spamming applications.

The current landscape of malware threats on Google Play includes notable names such as Joker, Facestealer, Anatsa, Coper, and various forms of adware. Each of these threats employs unique tactics, yet they share a common objective: to infiltrate devices and disrupt the lives of unsuspecting users.

Stay safe when downloading apps

To safeguard against such threats, users are encouraged to exercise caution when downloading new applications from Google Play. It is advisable to scrutinize the permissions requested by an app. If an application seeks access to sensitive capabilities or data such as the Accessibility Service, SMS messages, or your contacts list, this should raise a red flag. Legitimate apps typically do not require such extensive access unless it is essential for their functionality. If a requested permission appears unnecessary for what the app does, it is wise to decline.
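For analysts vetting an app before it is allowed on managed devices, the same permission check can be automated. The following is an added example, not code from the article or from Zscaler's report: it assumes the APK's manifest has already been decoded to text XML (for example with apktool), and the function name `audit_manifest`, the sample manifest and the inclusion of `REQUEST_INSTALL_PACKAGES` (relevant to droppers, but not in the article's list) are choices made for this illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Red-flag permissions named in the article, with a short reason for each.
RED_FLAGS = {
    "android.permission.READ_SMS": "reads SMS messages",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
    "android.permission.READ_CONTACTS": "reads the contacts list",
    # Assumption: not in the article's list; added because the apps act as droppers.
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to install other APKs",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def audit_manifest(manifest_xml: str) -> list[str]:
    """Return findings for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(A + "name", "")
            if name in RED_FLAGS:
                findings.append(f"{name}: {RED_FLAGS[name]}")
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # it is declared in the manifest rather than requested via <uses-permission>.
    for svc in root.iter("service"):
        if svc.get(A + "permission") == ACCESSIBILITY_BIND:
            findings.append(f"accessibility service declared: {svc.get(A + 'name')}")
    return findings

# Constructed sample: a "QR reader" asking for far more than a camera.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrreader">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A finding is a prompt for review, not a verdict: the question is whether the declared purpose of the app (here, scanning QR codes) explains the access it asks for.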

While the security researchers have not publicly disclosed the complete list of the 90+ apps they discovered, they have confirmed that the two Anatsa-infected apps are no longer available on Google Play. A Google spokesperson has stated that the developers responsible for these malicious applications have been banned, affirming: “All of the identified malicious apps have been taken down from Google Play. Google Play Protect also helps safeguard users by automatically removing or disabling apps known to contain this malware on Android devices with Google Play Services.”

Although the removal of these apps is a positive development, it underscores the importance of vigilance when downloading new applications. Once malware infiltrates a device, it can be challenging to detect and remove.

AppWizard