Millions download apps with banking malware from Google Play


Over 90 malicious Android applications have been found on the Google Play store, garnering several millions of installs combined, researchers discovered.

Multiple infected apps have been uploaded to the Google Play store, the main marketplace for obtaining Android apps, Zscaler ThreatLabz researchers claim.

The malicious apps contain Anatsa malware, which discreetly exfiltrates banking credentials and financial data from various legitimate financial apps. According to the researchers, the infected apps were installed 5.5 million times over several months.

“Threat actors are leveraging decoy applications such as PDF readers and QR code readers that act as loaders to deploy the Anatsa Android malware through the Google Play store,” the researchers said.

The apps are often disguised as file managers, editors, and translators to coax users into believing they are downloading legitimate services from Google Play.

The attack is performed over several stages to avoid Google’s security measures. The app that users download rarely includes malware, which is delivered via the secondary stage. The Malicious apps mask Anatsa as a legitimate application download.

“The threat actors using Anatsa employ various techniques to evade detection including checking for virtual environments and emulators as well as purposely corrupting the APK’s ZIP headers to hinder static analysis of the malware,” reads the report.

Attackers choose to disguise malicious apps as PDF or QR code readers to attract the largest number of potential victims. This tactic creates a vicious circle – the more installations the app gets, the more legitimate it looks to users.

Anatsa, also known as TeaBot, has been plaguing Android app marketplaces for some time. Back in 2022, researchers noted hundreds of financial apps in the US, China, and Russia were compromised by the malware.