Over 90 malicious Android apps have been identified on Google Play, with over 5.5 million downloads, delivering malware and adware. Notably, the Anatsa banking trojan has seen a recent surge in activity.
Anatsa, also known as "Teabot," is a banking trojan targeting over 650 financial institution applications in Europe, the US, the UK, and Asia. It aims to steal e-banking credentials to conduct fraudulent transactions.
In February 2024, Threat Fabric reported that Anatsa had infected at least 150,000 devices since late last year through decoy apps in the productivity software category on Google Play.
Currently, Zscaler reports that Anatsa has reappeared on Google's official app store, now distributed via two decoy applications: 'PDF Reader & File Manager' and 'QR Reader & File Manager.'
At the time of Zscaler's analysis, these two apps had already garnered 70,000 installations, highlighting the significant risk of malicious dropper apps bypassing Google's review process.
Anatsa dropper apps evade detection using a multi-stage payload loading mechanism involving four steps:
1. The dropper app retrieves its configuration and essential strings from the C2 server.
2. A DEX file containing the malicious dropper code is downloaded and activated on the device.
3. A configuration file containing the URL of the Anatsa payload is downloaded.
4. The DEX file fetches and installs the malware payload (an APK), completing the infection.
The DEX file also performs anti-analysis checks to ensure the malware doesn't execute in sandboxes or emulated environments.
Once Anatsa is operational on the infected device, it uploads the bot configuration and the results of its scan of installed apps, then downloads injections (the overlay content used against the targeted banking apps) matching the victim's location and profile.
Zscaler also reports finding over 90 other malicious applications on Google Play in recent months, collectively installed 5.5 million times.
Most of these malicious apps masqueraded as tools, personalization, photography, productivity, and health & fitness apps.
The dominant malware families include Joker, Facestealer, Anatsa, Coper, and various adware.
Though Anatsa and Coper account for only 3% of the total malicious downloads from Google Play, they pose a greater threat because they are capable of on-device fraud and of stealing sensitive information.
When installing new apps on Google Play, it's crucial to review requested permissions and decline those associated with high-risk activities, such as Accessibility Service, SMS, and contact lists.
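The two traits the article attributes to these droppers, high-risk permission requests and the multi-stage loading of code the app did not ship with, can be checked statically before an app is trusted. The following Python script is an added example, not code from Zscaler, ThreatFabric or the article; it parses an AndroidManifest.xml and a list of strings pulled from decompiled code (both constructed here for illustration, with placeholder package names) and flags SMS, contact-list and Accessibility Service access alongside the DexClassLoader indicators of dynamic code loading. REQUEST_INSTALL_PACKAGES is included as an assumption of mine because an app needs it to install a downloaded APK, which is the dropper's final step; the page itself lists only Accessibility, SMS and contacts.

```python
"""Static triage of an Android app for the two dropper traits described in the
article: high-risk permissions and dynamic (multi-stage) code loading.
Example code, not from Zscaler or ThreatFabric; all sample data is constructed."""

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the article singles out as high-risk, plus REQUEST_INSTALL_PACKAGES
# (an assumption here: it is what an app needs to side-load a downloaded APK).
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS access",
    "android.permission.RECEIVE_SMS": "SMS access",
    "android.permission.SEND_SMS": "SMS access",
    "android.permission.READ_CONTACTS": "contact list access",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional APKs",
}
# Accessibility is granted to a <service> bound with this permission,
# not through <uses-permission>, so it is checked separately.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Class names whose presence in decompiled code means the app can load code
# it did not ship with (the dropper's step 2). PathClassLoader is omitted
# because every app uses it and it would only add noise.
DYNAMIC_LOAD_INDICATORS = (
    "dalvik.system.DexClassLoader",
    "dalvik.system.InMemoryDexClassLoader",
)


def permissions_from_manifest(manifest_xml):
    """Return (set of requested permissions, True if an accessibility service is declared)."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    binds_accessibility = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
        for svc in root.iter("service")
    )
    return requested, binds_accessibility


def dynamic_loaders(code_strings):
    """Return the loader indicators found; smali-style 'Ldalvik/system/...;' is normalised."""
    normalised = [s.replace("/", ".") for s in code_strings]
    return sorted(ind for ind in DYNAMIC_LOAD_INDICATORS
                  if any(ind in s for s in normalised))


def triage(manifest_xml, code_strings, declared_purpose):
    """Score an app against the dropper profile.

    declared_purpose is the store category the app claims (e.g. 'pdf reader');
    a genuine PDF reader has no reason to ask for SMS or accessibility access."""
    requested, binds_accessibility = permissions_from_manifest(manifest_xml)
    findings = [f"{p}: {HIGH_RISK_PERMISSIONS[p]}"
                for p in sorted(requested) if p in HIGH_RISK_PERMISSIONS]
    if binds_accessibility:
        findings.append(f"{ACCESSIBILITY_BIND}: Accessibility Service (UI reading and control)")
    loaders = dynamic_loaders(code_strings)
    # High-risk permissions together with dynamic code loading is the dropper
    # profile; either alone is worth a look but is not conclusive.
    if findings and loaders:
        risk = "high"
    elif findings or loaders:
        risk = "medium"
    else:
        risk = "low"
    return {"purpose": declared_purpose, "high_risk_permissions": findings,
            "dynamic_code_loading": loaders, "risk": risk}


# Constructed sample resembling a file-manager decoy (placeholder package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.pdfreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application>
        <service android:name=".Helper"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""

# Constructed strings as a decompiler might list them (one in smali notation).
SAMPLE_STRINGS = ["java.net.URL", "Ldalvik/system/DexClassLoader;", "config.bin"]

# Constructed benign manifest for contrast.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS, "pdf reader"))
    print(triage(BENIGN_MANIFEST, [], "notes"))
```

The score is deliberately conservative: a legitimate app may use DexClassLoader for plugins, and a messaging app legitimately needs SMS, so only the combination of the two traits in an app whose declared purpose explains neither is rated high.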
The researchers did not disclose the names of the 90+ apps or whether they had been reported to Google for removal.
However, at the time of writing, the two Anatsa dropper apps identified by Zscaler have been removed from Google Play.