Mobile threats rising: 200 malicious Play Store apps just the tip of the iceberg
More than 200 apps on the Google Play Store, downloaded nearly eight million times, turned out to be malicious, the Zscaler ThreatLabz research team has discovered. Yet, this is not the most likely way to get your phone infected.
Mobile phones have become a primary way for everyone to engage in online activities, with 96.5% of people accessing the internet with their mobile devices. Cybercriminals are targeting mobile users with increased sophistication.
According to the Zscaler report, based on 20 million blocked malicious transactions, banking malware attacks grew by 29% in a single year, while mobile spyware spiked by 111%.
“It’s clear that threat actors are increasingly motivated by the profitability of attacks,” Zscaler noted.
The worrying trend is that most financially motivated actors are highly capable of bypassing multifactor authentication (MFA). They frequently leverage phishing vectors, such as fake login pages for different financial institutions, social media sites, or crypto wallets.
QR codes are another vector used to distribute malicious code. Anatsa, a notorious Android banking malware, has used this vector to target banking applications from more than 650 financial institutions worldwide.
Researchers warn that attackers often distribute Android remote access trojans through fake Skype, Zoom, and Google Meet websites, where unaware users download malicious APK files, leading to a compromise.
Even official app stores can contain malware. Over 200 malicious apps were uploaded to the Google Play Store, collectively garnering nearly eight million downloads. Google told BleepingComputer that the identified apps have been removed.
“The malicious versions of these apps identified are no longer on Play. Android users are automatically protected against known versions of malware mentioned in this report by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson told Cybernews.
Among them, a malware family called Joker emerged as the most prevalent, accounting for 38% of identified apps. Joker carries out Wireless Application Protocol (WAP) fraud, silently subscribing users to premium services without their consent and leading to unexpected charges.
Adware contributed 35% of observed threats, while 14% of malicious apps were so-called Facestealers, specializing in the exfiltration of Facebook credentials.
“Threat actors are leveraging decoy applications, such as PDF readers and QR code readers that act as loaders, to deploy the Anatsa (a.k.a. TeaBot) Android malware through the Google Play Store. Many malicious Android applications in the Play Store are disguised as tools such as file managers, editors, or translators,” ThreatLabz warns.
While masquerading as legitimate applications, second-stage payloads trick victims into believing that malware is genuine.
Trojans dominate the Android threat landscape with a share of 43% of all payloads, and most banking malware relies on trojans. Zscaler detected 3.6 million blocks associated with banking malware.
Researchers noted that overall, Android malware transactions have been in decline since June 2023. Blocks in May 2024 corresponded to only a third of the blocks in June 2023.
ThreatLabz recorded an average of 1.7 million Android malware blocks per month. The company analyzed more than 20 million threat-related mobile transactions throughout the year.
Most mobile malware targeted users in India (28%), the US (27%) and Canada (15%).
Updated on October 18th [06:30 a.m. GMT] with a statement from Google.