90+ Malicious Apps Totaling 5.5M Downloads Lurk on Google Play

More than 90 malicious mobile apps have been downloaded more than 5.5 million times from the Google Play store in the last few months. They spread various malware, including the Anatsa banking Trojan, researchers have found.

The apps, discovered by researchers at Zscaler over the past few months, act as decoys for the malware, and include a variety of PDF and QR code readers as well as file managers, editors, and translators, Zscaler revealed in a blog post published yesterday.

Anatsa (aka Teabot) is a sophisticated Trojan that first uses second-stage dropper applications that appear benign to users to deceive them into installing the payload. Once installed, it uses a range of evasive tactics to exfiltrate sensitive banking credentials and financial information from global financial applications.

"It achieves this through the use of overlay and accessibility techniques, allowing it to intercept and collect data discreetly," Zscaler's Himanshu Sharma and Gajanana Khond wrote in the post.

While Anatsa is one of the most "impactful" malwares currently being distributed on Google Play, others include the Joker fleeceware, the credential-stealing Facestealer, and various types of adware, according to Zscaler. They also have seen the Coper Trojan in the mix.

Further, Zscaler's analysis shows that the apps most commonly used to hide malware on the mobile app store are tools such as the ones behind which Anatsa lurks, followed y personalization and photography apps.

Evading Google Play Malware Detection

Attackers behind Anatsa — which can exfiltrate data from more than 650 financial apps — previously targeted mainly Android users in Europe; however, Zscaler reports the malware is "actively targeting" banking apps in the US and UK as well. Operators also appear to have expanded targets to financial institutions in more European countries — including Germany, Spain, and Finland — as well as South Korea and Singapore, the researchers noted.

Though Google has made a significant effort to block malicious apps from getting onto its mobile app store, Anatsa uses an attack vector that can slip past these protections, according to Zscaler. It does this through a dropper technique that makes it look as if the initial app is clean upon installation.

"However, once installed, the application proceeds to download malicious code or a staged payload from a command-and-control (C2) server, disguised as an innocuous application update," the researchers wrote. "This strategic approach enables the malware to be uploaded to the official Google Play Store and evade detection."

Anatsa in Attack Mode

Though the researchers identified a number of malicious apps, they specifically observed two malicious Anatsa payloads distributed via apps that impersonated PDF and QR-code reader applications. These types of apps often lure a large number of installations, which in turn "further aids in deceiving victims into believing that these applications are genuine," they noted.

Anatsa infects a device by using remote payloads retrieved from command-and-control (C2) servers to carry out further malicious activity. Once installed, it launches a dropper application to download the next-stage payload.

 The Trojan uses other deceptive tactics in its attack vector that make it difficult for users or threat hunters to detect, the researchers noted. Before executing, it checks device environment and device type, most likely to detect sandboxes and analysis environments; it then only loads its third stage and final payload if the coast is clear.

Once loaded, Anatsa requests various permissions, including the SMS and accessibility options, and establishes communication with the C2 server to carry out various activities, such as registering the infected device and retrieving a list of targeted applications for code injections.

To steal user financial data, Anatsa downloads a target list of financial apps from the C2 and checks the device to see if they are installed. It communicates the info back to the C2, which then provides fake login pages for the installed apps to deceive users into providing their credentials, which are then sent back to the attacker-controlled server.

Remaining Vigilant Against Mobile Cyber Threats

Despite Google's best efforts, it's been impossible so far for the company to keep malicious Android apps off the Google Play store. As cybercriminals continue to evolve and craft malware with increasingly evasive tactics, "it becomes crucial for organizations to implement proactive security measures to safeguard their systems and sensitive financial information," the Zscaler researchers noted.

To help corporate mobile users avoid compromise, organizations should adopt a so-called "zero trust" architecture that focuses on user-centric security and ensures that all users "are authenticated and authorized before accessing any resources, regardless of their device or location," they advised.

Android users also can protect corporate networks by not downloading mobile applications when connected to an enterprise network, or using appropriate discernment and being alert to suspicious app activity even when downloading apps from trusted app stores.