Security experts have discovered more than 90 malware-infected Android apps on Google Play, the official download store for Android phones. Users have installed these dangerous apps more than 5.5 million times.
The banking Trojan “Anatsa”, aka “Teabot”, plays a prominent and inglorious role here. Anatsa targets the apps of more than 650 financial institutions: banks in the UK, Europe, the USA and Asia.
The Trojan attempts to steal online banking access data and use it to carry out fraudulent banking transactions. Anatsa hides in various apps that claim to be productivity tools. In February 2024, Anatsa used this disguise to achieve at least 150,000 infections via Google Play.
Today, in May 2024, Anatsa has managed to get onto Google Play again, as you can read in this document from Zscaler. Cybercriminals spread the banking Trojan through two applications that appear harmless and useful: “PDF Reader & File Manager” and “QR Reader & File Manager”.
By the time security firm Zscaler conducted its investigation, users had installed these two infected apps approximately 70,000 times. The report highlights that “Tools” is the app category most often used as a disguise: it accounts for almost 40% of the infected apps, with “personalization” and “photography” representing 20% and 13% respectively.
How the infection works
Anatsa evades Google’s malware detection by loading its malicious components in several stages. First, the dropper app retrieves its configuration and important strings from the attackers’ command and control servers. Then the app downloads a DEX file containing the malicious dropper code and loads it on the Android device.
Next, the dropper downloads a configuration file holding the URL of the Anatsa payload. Finally, the DEX code retrieves and installs the actual malware as an APK file, completing the infection. Before doing so, the DEX code also checks that it is not running in a sandbox or emulator, where the malware would be ineffective.
Once Anatsa runs on the newly infected Android, it uploads the bot configuration and app scan results to the servers, then downloads targeted “injections” that match the location and profile of the victim device.
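The staged chain above (fetch configuration, load a downloaded DEX file, check for an emulator, install an APK) leaves static traces that an analyst can look for before an app ever runs. The following Python triage script is an added example, not code from the article or from Zscaler; it assumes the APK has already been decoded (for instance with apktool) into its declared permissions, the class references in its DEX code, and its string table. The indicators are generic Android APIs and well-known emulator property values, not Anatsa-specific signatures, and the two sample apps are constructed for illustration.

```python
"""Heuristic triage of a decoded Android app for staged-dropper traits.

Added example (not from the original article). Assumes the caller has
already decoded the APK into permissions, DEX class references and
strings; the two sample apps below are constructed, not real packages.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Permission that lets an app prompt the user to install another APK,
# which is what the final stage of the chain needs.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
INTERNET_PERMISSION = "android.permission.INTERNET"

# Class loaders used to execute DEX code that was not part of the app
# submitted for store review (Dalvik descriptor form as seen in smali).
DYNAMIC_LOADERS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
)

# Property values commonly compared against Build fields or system
# properties to detect the Android emulator or an analysis sandbox.
EMULATOR_MARKERS = ("goldfish", "ranchu", "generic_x86", "ro.kernel.qemu", "sdk_gphone")


@dataclass
class DecodedApp:
    package: str
    permissions: set[str]
    class_refs: set[str]   # e.g. "Ldalvik/system/DexClassLoader;"
    strings: set[str]      # string constants from the DEX string table


@dataclass
class TriageResult:
    package: str
    findings: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.findings)


def triage(app: DecodedApp) -> TriageResult:
    """Return one finding per dropper-like trait present in the app."""
    result = TriageResult(app.package)

    loaders = sorted(app.class_refs & set(DYNAMIC_LOADERS))
    if loaders:
        result.findings.append(f"dynamic code loading via {', '.join(loaders)}")

    can_install = INSTALL_PERMISSION in app.permissions
    if can_install:
        result.findings.append("can prompt installation of a downloaded APK")

    markers = sorted(m for m in EMULATOR_MARKERS if any(m in s for s in app.strings))
    if markers:
        result.findings.append(f"emulator/sandbox checks ({', '.join(markers)})")

    # All three capabilities together match the fetch -> load DEX -> install
    # APK sequence, so flag the combination explicitly.
    if loaders and can_install and INTERNET_PERMISSION in app.permissions:
        result.findings.append("full staged-dropper chain: fetch -> load DEX -> install APK")

    return result


# Constructed sample: a plain PDF viewer with permissions that fit its purpose.
BENIGN_PDF_VIEWER = DecodedApp(
    package="com.example.pdfviewer",  # hypothetical package name
    permissions={INTERNET_PERMISSION, "android.permission.READ_EXTERNAL_STORAGE"},
    class_refs={"Landroid/graphics/pdf/PdfRenderer;"},
    strings={"Open PDF", "Recent files"},
)

# Constructed sample: a "file manager" that can load a DEX file it fetched,
# checks for an emulator, and can install a further APK.
SUSPECT_FILE_MANAGER = DecodedApp(
    package="com.example.filemanager",  # hypothetical package name
    permissions={INTERNET_PERMISSION, INSTALL_PERMISSION},
    class_refs={"Ldalvik/system/DexClassLoader;", "Ljava/net/HttpURLConnection;"},
    strings={"goldfish", "ro.kernel.qemu", "/payload.dex"},
)

if __name__ == "__main__":
    for app in (BENIGN_PDF_VIEWER, SUSPECT_FILE_MANAGER):
        r = triage(app)
        print(f"{r.package}: score {r.score}")
        for f in r.findings:
            print(f"  - {f}")
```

The score is a triage aid, not a verdict: legitimate apps (plugin frameworks, some game engines) also use dynamic class loading, so the value of the check lies in the combination of traits and in comparing them with what the app claims to do, as the permission-review advice later in the article suggests.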
As already mentioned, Anatsa is just one type of malware that is currently particularly active on Google Play. In total, security experts discovered more than 90 infected apps (the names of which were not released by security researchers) that Android users installed more than 5.5 million times.
These apps disguise themselves as tools, personalization apps, photography utilities, productivity apps, and health and fitness apps. Google has now removed the infected apps from Google Play.
How to protect yourself
As a general rule, you should only download Android apps from Google Play and avoid other download sources, even though, in the case described here, attackers managed to get past Google’s security checks.
Read the permissions an app needs on your device before each download. Critically question whether these permissions make sense or whether they go too far.
Also be wary of phone calls you receive while using an app, especially a banking app during a payment or transaction.
You should also install an antivirus on your Android device.
This article was originally published on our sister publication PC-WELT and has been translated and adapted from German.