In a recent analysis conducted by Zscaler, it was revealed that Google Play, the primary app store for Android devices, has been a conduit for over 200 malicious applications within a span of one year, amassing nearly eight million downloads. This data, collected between June 2023 and April 2024, sheds light on the persistent threat posed by malware in the digital landscape.
Identifying the Threat Landscape
The researchers at Zscaler meticulously identified various malware families present not only on Google Play but also across other distribution platforms. The findings highlighted several prevalent threats:
- Joker (38.2%): A notorious info-stealer and SMS message grabber that entices victims into subscribing to premium services.
- Adware (35.9%): Applications that drain internet bandwidth and battery life to display intrusive ads, generating fraudulent ad impressions.
- Facestealer (14.7%): A phishing tool that overlays deceptive forms on legitimate social media apps to steal Facebook credentials.
- Coper (3.7%): An info-stealer and SMS interceptor capable of keylogging and creating phishing overlays.
- Loanly Installer (2.3%)
- Harly (1.4%): Trojan applications that lure users into premium subscriptions.
- Anatsa (0.9%): A banking trojan targeting over 650 banking applications globally.
Earlier this year, in May, Zscaler had already flagged more than 90 malicious apps on Google Play, which collectively garnered 5.5 million downloads. Despite Google’s robust security mechanisms designed to detect harmful applications, cybercriminals have developed sophisticated methods to circumvent these safeguards. A previous report from the Google Cloud security team detailed a technique known as ‘versioning,’ where malware is delivered through app updates or from servers controlled by the attackers.
Successful Campaigns and Their Impact
The effectiveness of malware distribution campaigns varies significantly. For instance, the Necro malware loader was downloaded an astonishing 11 million times through just two applications available on the official store. Similarly, the Goldoson malware infiltrated 60 legitimate apps, resulting in a staggering 100 million downloads. Last year, the SpyLoan malware was detected in apps that had been downloaded over 12 million times.
Nearly half of the malicious applications identified by Zscaler were categorized under tools, personalization, photography, productivity, and lifestyle, indicating a broad spectrum of targets for cybercriminals.
Source: Zscaler
In terms of malware blocks, Zscaler noted a downward trend this year, with an average of 1.7 million blocks per month, totaling 20 million blocked transactions throughout the analysis period. The most frequently encountered threats included Vultur, Hydra, Ermac, Anatsa, Coper, and Nexus.
Source: Zscaler
Emerging Trends in Mobile Malware
Zscaler’s mobile threats report also highlighted a notable surge in spyware infections, particularly driven by the SpyLoan, SpinOK, and SpyNote families, with 232,000 blocks of spyware activity recorded in the past year. The countries most targeted by mobile malware included India and the United States, followed by Canada, South Africa, and the Netherlands.
Source: Zscaler
The report further indicated that the education sector experienced a staggering 136.8% increase in blocked transactions due to mobile malware. The services sector followed with a 40.9% rise, while the chemicals and mining sector saw a 24% increase. Conversely, other sectors experienced a general decline in malware activity.
Source: Zscaler
To mitigate the risk of malware infections from Google Play, users are encouraged to read reviews to identify potential issues and verify the application publisher. Additionally, it is prudent to scrutinize the permissions requested during installation and to abort the process if the app requests permissions that seem excessive for its intended functionality.
