Over 90 malicious Android apps with 5.5M installs discovered on Google Play

Over 90 malicious Android apps have been discovered put in over 5.5 million instances by way of Google Play to ship malware and adware, with the Anatsa banking trojan seeing a latest surge in exercise.

Anatsa (aka “Teabot”) is a banking trojan that targets over 650 purposes of monetary establishments in Europe, the US, the UK, and Asia. It makes an attempt to steal folks’s e-banking credentials to carry out fraudulent transactions.

In February 2024, Menace Material reported that since late final yr, Anatsa had achieved not less than 150,000 infections through Google Play utilizing numerous decoy apps within the productiveness software program class.

At present, Zscaler stories that Anatsa has returned to Android’s official app retailer and is now distributed through two decoy purposes: ‘PDF Reader & File Supervisor’ and ‘QR Reader & File Supervisor.’

Anatsa dropper apps
Anatsa dropper apps
Supply: Zscaler

 

On the time of Zscaler’s evaluation, the 2 apps had already amassed 70,000 installations, demonstrating the excessive danger of malicious dropper apps slipping by way of the cracks in Google’s evaluate course of.

One factor that helps Anatsa dropper apps evade detection is the multi-stage payload loading mechanism that includes 4 distinct steps:

  • Dropper app retrieves configuration and important strings from the C2 server
  • DEX file containing malicious dropper code is downloaded and activated on the gadget
  • Configuration file with Anatsa payload URL is downloaded
  • DEX file fetches and installs the malware payload (APK), finishing the an infection
Malware-loading steps
Malware-loading steps
Supply: Zscaler

The DEX file additionally performs anti-analysis checks to make sure the malware will not be executed on sandboxes or emulating environments.

As soon as Anatsa is up and working on the newly contaminated gadget, it uploads the bot configuration and app scan outcomes after which downloads the injections that match the sufferer’s location and profile.

Data exchange between the malware and the C2
Knowledge change between the malware and the C2
Supply: Zscaler

Different Google Play threats

Zscaler stories that through the previous couple of months, it has additionally found over 90 malicious purposes on Google Play, which have been collectively put in 5.5 million instances.

Many of the malicious apps impersonated instruments, personalization apps, images utilities, productiveness, and well being & health apps.

The 5 malware households dominating the scene are Joker, Facestealer, Anatsa, Coper, and numerous adware.

Google Play malware and dropper app types
Google Play malware (left) and dropper app sorts (proper)
Supply: Zscaler

Although Anatsa and Coper solely account for 3% of the overall malicious downloads from Google Play, they’re way more harmful than the others, able to performing on-device fraud and stealing delicate info.

When putting in new apps on Google Play, evaluate the requested permissions and decline these related to high-risk actions akin to Accessibility Service, SMS, and contacts record.

The researchers didn’t disclose the names of the 90+ apps and whether or not they had been reported to Google for takedown.

Nevertheless, on the time of penning this, the 2 Anatsa dropper apps found by Zscaler have been faraway from Google Play.

Recent articles

INTERPOL Pushes for

Dec 18, 2024Ravie LakshmananCyber Fraud / Social engineering INTERPOL is...

Patch Alert: Essential Apache Struts Flaw Discovered, Exploitation Makes an attempt Detected

Dec 18, 2024Ravie LakshmananCyber Assault / Vulnerability Risk actors are...