Zscaler

Tech Optimizer
March 31, 2025
A new malware strain called CoffeeLoader has been identified, posing a significant risk to gamers by masquerading as a legitimate ASUS utility, specifically the Armoury Crate software. Once it infiltrates a system, it deploys the Rhadamanthys infostealer, which can extract sensitive information such as credentials from web browsers, email clients, cryptocurrency wallets, and password managers. CoffeeLoader evades detection by most security tools by operating on the GPU instead of the CPU and using advanced techniques like call stack spoofing, sleep obfuscation, and exploiting Windows fibers. To protect against CoffeeLoader, users should exercise caution when downloading software, navigate directly to official websites, avoid suspicious links, and adhere to basic cybersecurity practices. If infection is suspected, users should disconnect from the internet, reboot in safe mode, delete temporary files, and check Task Manager for unusual activity. Employing a reliable malware scanner can help identify and eliminate infections.
Tech Optimizer
March 27, 2025
A new strain of malware called CoffeeLoader targets Windows users by posing as an ASUS utility, specifically imitating ASUS's Armoury Crate. Its evasion techniques allow it to bypass antivirus software. Once installed, it deploys infostealers such as Rhadamanthys to extract sensitive information. CoffeeLoader stays undetected by executing code on the GPU instead of the CPU, using call stack spoofing to disguise its activity, and employing sleep obfuscation to encrypt itself in memory while inactive. It also abuses Windows fibers to evade detection. To protect against CoffeeLoader, users should download Armoury Crate only from the official ASUS website and be wary of deceptive links and ads that may lead to malware installation.
AppWizard
February 2, 2025
Over 90 malicious Android applications were found on Google Play, including the banking trojan Anatsa; together these apps accounted for 5.5 million downloads. Google removed the identified apps from the Play Store after the report, which noted that Anatsa targets over 650 financial institutions. Two infected apps, disguised as PDF and QR code readers, had over 70,000 downloads before being reported. Anatsa operates stealthily, stealing banking information while appearing to be a benign application. Other malware families found on Google Play include Joker, Facestealer, and Coper. Users are advised to be cautious when downloading apps and to scrutinize requested permissions. The two Anatsa-infected apps are no longer available, and their developers have been banned. Google Play Protect helps safeguard users by removing known malicious apps.
AppWizard
November 13, 2024
Over 90 malicious Android applications, including a Trojan named Anatsa, have infiltrated the Google Play Store, affecting more than 5.5 million devices. Anatsa, also known as "TeaBot," has disguised itself as benign applications such as PDF and QR code readers, photography tools, and health and fitness apps, managing to evade Google’s review filters. Google has removed these malicious applications, which had accumulated over 70,000 downloads before their removal. Anatsa targets over 650 financial institutions and employs techniques to remain hidden while siphoning off sensitive banking information. Two notable disguised applications are “PDF Reader and File Manager” by Tsarka Watchfaces and “QR Reader and File Manager” by risovanul.
AppWizard
October 17, 2024
The Google Play Store distributed over 200 malicious applications that collectively garnered more than 8 million downloads. These apps, categorized as tools, personalization, photography, productivity, and lifestyle, contained threats such as info-stealers, adware, loan installers, and banking trojans. The malicious apps were active from June 2023 to April 2024, with India and the United States being the most targeted regions. There has been a rise in spyware infections, particularly affecting the education sector. Attackers have employed a method called “versioning” to push malware through app updates, evading security measures.
AppWizard
October 16, 2024
There has been a 101% increase in spyware incidents year on year, with researchers identifying 200 dangerous applications in the Google Play Store that collectively had nearly eight million installations. The analysis covered the period from June 2023 to May 2024 and revealed that the financial sector is a primary target, with attacks increasing by 29%. The United States is the top target for cybercriminals, while India leads in mobile malware applications. Google employs various security measures, including Play Protect, to detect and remove harmful apps from the Play Store.
AppWizard
October 16, 2024
Security experts from Zscaler have reported that over 200 malware-laden applications are available on Google's Play Store, with more than eight million installations by users. The report highlights a 111 percent increase in spyware incidents and a 29 percent rise in banking malware. Anatsa, an Android banking trojan, has targeted over 650 financial institutions. Zscaler's Chief Security Officer noted that cybercriminals are increasingly exploiting legacy assets, leading to data breaches and ransomware attacks. Google is working to remove harmful apps, but users are advised to review feedback, verify developer reputations, and enable Google Play Protect for enhanced security.
AppWizard
October 15, 2024
Zscaler's analysis revealed that over 200 malicious applications on Google Play accumulated nearly eight million downloads between June 2023 and April 2024. The identified malware families included Joker (38.2%), Adware (35.9%), Facestealer (14.7%), Coper (3.7%), Loanly Installer (2.3%), Harly (1.4%), and Anatsa (0.9%). In May 2023, Zscaler flagged more than 90 malicious apps on Google Play with 5.5 million downloads. The Necro malware loader was downloaded 11 million times, and Goldoson malware infiltrated 60 legitimate apps with 100 million downloads. Zscaler blocked an average of 1.7 million malware transactions per month, totaling 20 million during the analysis period. Spyware infections surged, particularly from SpyLoan, SpinOK, and SpyNote, with 232,000 blocks recorded. The most targeted countries were India, the United States, Canada, South Africa, and the Netherlands. The education sector saw a 136.8% increase in blocked transactions due to mobile malware. Users are advised to read reviews, verify app publishers, and scrutinize permissions to mitigate malware risks.
AppWizard
October 15, 2024
The Android app store now hosts over 200 malicious applications, downloaded by 8 million users, primarily for financial gain through banking malware that steals sensitive credentials. The education, technology, and manufacturing sectors are the most affected, with the education sector experiencing a 136% increase in cyber incidents in the past year. Cybercriminals are targeting legacy exposed assets, leading to data breaches and ransomware attacks. The rise of mobile malware and AI-driven vishing attacks complicates the cybersecurity landscape, prompting the need for organizations to implement AI-powered zero trust solutions. Users are advised to check reviews, download counts, and ratings when exploring new applications to identify potential threats.