90+ Malicious Apps Totaling 5.5M Downloads Lurk on Google Play

Published: 23/11/2024   Category: security


The dangerous Anatsa banking Trojan is among the malware being spread to Android users via decoy mobile apps in recent months.



More than 90 malicious mobile apps have been downloaded more than 5.5 million times from the Google Play store in the last few months. They spread various malware, including the Anatsa banking Trojan, researchers have found.
The apps, discovered by researchers at Zscaler over the past few months, act as decoys for the malware, and include a variety of PDF and QR code readers as well as file managers, editors, and translators, Zscaler revealed in a blog post published yesterday.
Anatsa (aka Teabot) is a sophisticated Trojan that first uses second-stage dropper applications that appear benign to users to deceive them into installing the payload. Once installed, it uses a range of evasive tactics to exfiltrate sensitive banking credentials and financial information from global financial applications.
"It achieves this through the use of overlay and accessibility techniques, allowing it to intercept and collect data discreetly," Zscaler's Himanshu Sharma and Gajanana Khond wrote in the post.
While Anatsa is one of the most impactful malware families currently being distributed on Google Play, others include the Joker fleeceware, the credential-stealing Facestealer, and various types of adware, according to Zscaler. They also have seen the Coper Trojan in the mix.
Further, Zscaler's analysis shows that the apps most commonly used to hide malware on the mobile app store are tools such as the ones behind which Anatsa lurks, followed by personalization and photography apps.
Attackers behind Anatsa — which can exfiltrate data from more than 650 financial apps — previously targeted mainly Android users in Europe; however, Zscaler reports the malware is actively targeting banking apps in the US and UK as well. Operators also appear to have expanded targets to financial institutions in more European countries — including Germany, Spain, and Finland — as well as South Korea and Singapore, the researchers noted.
Though Google has made a significant effort to block malicious apps from getting onto its mobile app store, Anatsa uses an attack vector that can slip past these protections, according to Zscaler. It does this through a dropper technique that makes it look as if the initial app is clean upon installation.
"However, once installed, the application proceeds to download malicious code or a staged payload from a command-and-control (C2) server, disguised as an innocuous application update," the researchers wrote. "This strategic approach enables the malware to be uploaded to the official Google Play Store and evade detection."
Though the researchers identified a number of malicious apps, they specifically observed two malicious Anatsa payloads distributed via apps that impersonated PDF and QR-code reader applications. These types of apps often lure a large number of installations, which in turn further aids in deceiving victims into believing that these applications are genuine, they noted.
Anatsa infects a device by using remote payloads retrieved from command-and-control (C2) servers to carry out further malicious activity. Once installed, it launches a dropper application to download the next-stage payload.
The Trojan uses other deceptive tactics in its attack vector that make it difficult for users or threat hunters to detect, the researchers noted. Before executing, it checks the device environment and device type, most likely to detect sandboxes and analysis environments; it then only loads its third stage and final payload if the coast is clear.
Once loaded, Anatsa requests various permissions, including the SMS and accessibility options, and establishes communication with the C2 server to carry out various activities, such as registering the infected device and retrieving a list of targeted applications for code injections.
To steal user financial data, Anatsa downloads a target list of financial apps from the C2 and checks the device to see if they are installed. It communicates the info back to the C2, which then provides fake login pages for the installed apps to deceive users into providing their credentials, which are then sent back to the attacker-controlled server.
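The behaviour described above gives a defender a concrete manifest-level signal: a "PDF reader" or "QR scanner" that wants SMS access, an accessibility service and the right to install packages. The following triage script is an added example, not code from the article or from Zscaler; the permission and service names are real Android identifiers, while treating their combination as high risk is this example's own heuristic, and the manifest it parses is constructed.

```python
# Added example: flag the SMS + accessibility + package-install pattern that an
# Anatsa-style dropper exhibits, from a decoded AndroidManifest.xml.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission names; scoring their co-occurrence as "high risk"
# is this example's assumption, based on the behaviour the article describes.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_SVC = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky capabilities declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    has_a11y = any(svc.get(PERMISSION) == ACCESSIBILITY_SVC
                   for svc in root.iter("service"))
    findings = {
        "sms": sorted(perms & SMS_PERMS),
        "accessibility_service": has_a11y,
        "can_install_packages": INSTALL_PERM in perms,
    }
    # Neither capability is malicious on its own (messaging apps and screen readers
    # need them); a document viewer asking for both at once deserves a closer look.
    findings["high_risk"] = has_a11y and bool(findings["sms"])
    return findings


# Constructed sample: a "PDF viewer" that declares all three capabilities.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against manifests pulled from an MDM inventory or an APK decoded with a manifest-dumping tool; the script only reads declared capabilities, so a dropper whose payload arrives later still needs runtime monitoring of newly granted permissions.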
Despite Google's best efforts, it's been impossible so far for the company to keep malicious Android apps off the Google Play store. "As cybercriminals continue to evolve and craft malware with increasingly evasive tactics, it becomes crucial for organizations to implement proactive security measures to safeguard their systems and sensitive financial information," the Zscaler researchers noted.
To help corporate mobile users avoid compromise, organizations should adopt a so-called zero trust architecture that focuses on user-centric security and ensures that all users are authenticated and authorized before accessing any resources, regardless of their device or location, they advised.
Android users also can protect corporate networks by not downloading mobile applications when connected to an enterprise network, or by using appropriate discernment and being alert to suspicious app activity even when downloading apps from trusted app stores.
