Zscaler reports 77 Android apps on Google Play with 19 million installs spread malware, hitting 831 banks and exposing users to fraud and theft.
A new investigation by Zscaler’s ThreatLabz team has revealed that 77 malicious apps with over 19 million installs were delivering different malware families through the official Google Play Store.
The research focused on a new infection wave of the Anatsa (aka TeaBot) banking trojan, a harmful program first identified in 2020 that has evolved into a more dangerous and sophisticated threat.
The latest Anatsa variant has expanded its target list to more than 831 financial institutions worldwide, up from a previous count of 650. Its operators have also added new target regions, including Germany and South Korea, and now go after popular cryptocurrency platforms as well.
Many of the decoy applications, which were designed to look like harmless document readers, had individually racked up more than 50,000 downloads, demonstrating the wide reach of the campaign.
The operators reportedly use an app named ‘Document Reader – File Manager’ as the decoy. The version submitted to Google Play contains no malicious code, so it passes the store’s review; the Anatsa payload is only fetched after installation.
The apps downloaded from the store are therefore initially clean and work as advertised. Once installed, the app quietly downloads the Anatsa malware, presented to the user as a necessary update, and then tricks the user into enabling Android’s accessibility service, which the malware uses to automate its actions on the device.
Once it has control, the malware steals financial information, monitors keystrokes and facilitates fraudulent transactions by displaying fake login pages that mimic the banking or financial apps on a user’s device. When a user tries to log in, the information is sent directly to the attackers.
The malware also resists security analysis. Its code is stored in unreadable form and decrypted at runtime using the Data Encryption Standard (DES), so static inspection sees little of use, and it performs emulation checks to determine whether it is running in a testing environment before it acts, which defeats automated sandboxes. It also hides a crucial malicious file inside a deliberately corrupted ZIP archive that standard analysis tools fail to unpack, making the file difficult to detect.
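The article does not say how Anatsa’s archive is corrupted, so the following is an added example, not code from Zscaler’s report or from the malware: a Python triage check a practitioner can run over an APK (which is a ZIP archive) to find entries that stock ZIP tooling cannot unpack cleanly. The two corruptions it injects into a constructed sample archive, an unsupported compression method in the central directory and a wrong CRC-32, are assumptions chosen for illustration; the file names and payload bytes are likewise constructed. Everything runs offline on the built-in sample.

```python
"""Triage check for APKs (ZIP archives): flag entries that standard ZIP
tooling cannot fully unpack.  Added example, not Zscaler's or Anatsa's code."""
import io
import struct
import zipfile

_CD_SIG = b"PK\x01\x02"     # central directory file header signature
_EOCD_SIG = b"PK\x05\x06"   # end of central directory record signature


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a small DEFLATE-compressed ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/payload.bin", b"A" * 256)
    return buf.getvalue()


def _cd_entry_offset(data: bytes, name: str) -> int:
    """Locate the central directory via the EOCD record (CD offset sits at
    byte 16 of the EOCD) and walk it to the 46-byte header for `name`."""
    eocd = data.rfind(_EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    pos = struct.unpack_from("<I", data, eocd + 16)[0]
    target = name.encode()
    while data[pos:pos + 4] == _CD_SIG:
        # name length, extra length, comment length follow at offset 28
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        if data[pos + 46:pos + 46 + nlen] == target:
            return pos
        pos += 46 + nlen + elen + clen
    raise KeyError(name)


def tamper(data: bytes, name: str, field: str) -> bytes:
    """Corrupt one central-directory field of `name`.  Both corruptions are
    illustrative assumptions, not the technique described in the report:
    'method' sets compression method 99 (unsupported by stock unpackers),
    'crc' flips the stored CRC-32 so a full read fails its integrity check."""
    buf = bytearray(data)
    pos = _cd_entry_offset(data, name)
    if field == "method":
        struct.pack_into("<H", buf, pos + 10, 99)          # method at +10
    elif field == "crc":
        crc = struct.unpack_from("<I", buf, pos + 16)[0]   # CRC-32 at +16
        struct.pack_into("<I", buf, pos + 16, crc ^ 0xFFFFFFFF)
    else:
        raise ValueError(field)
    return bytes(buf)


def audit_zip(data: bytes) -> dict:
    """Fully read every entry; map entry name -> 'ok' or a reason string."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            try:
                zf.read(info)
                report[info.filename] = "ok"
            except NotImplementedError:
                report[info.filename] = (
                    f"unsupported compression method {info.compress_type}")
            except zipfile.BadZipFile as exc:
                report[info.filename] = f"bad entry: {exc}"
    return report


def suspicious_entries(data: bytes) -> list:
    """Names of entries that a stock unpacker could not read cleanly."""
    return sorted(n for n, s in audit_zip(data).items() if s != "ok")


if __name__ == "__main__":
    apk = build_sample_apk()
    print("clean sample:", audit_zip(apk))
    print("tampered method:",
          suspicious_entries(tamper(apk, "assets/payload.bin", "method")))
    print("tampered crc:", suspicious_entries(tamper(apk, "classes.dex", "crc")))
```

An entry that a stock unpacker rejects is not proof of malice on its own, but an archive that is only partly readable by your analysis tooling deserves a manual look: compare the central directory against each local file header and inspect the raw bytes of the rejected entry rather than trusting an automated verdict of "clean".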
Zscaler’s investigation found that most of the 77 apps carried adware; among malware families proper, the most frequently found was Joker, present in almost a quarter of the analysed apps. Joker is known for stealing contacts and device information, taking screenshots, making calls, and reading and sending text messages in order to subscribe users to premium services without their consent.
A smaller group of apps contained “maskware,” a type of malware that functions as a legitimate app while conducting malicious activities in the background, such as stealing credentials and personal data like location and SMS messages. A Joker malware variant called Harly was also found, which avoids detection during the review process by having its malicious payload hidden deep within the code of an otherwise legitimate-looking app.

As threats like this continue to expand and spread, they pose a growing risk to personal privacy, financial systems, and private companies alike.
“Android users should always verify the permissions that applications request, and ensure that they align with the intended functionality of the application,” the research concludes.
An Expert’s View: Reactive Defences and New Threats
“Zscaler Threat Labs’ discovery is a strong reminder that the security posture of official app stores like the Google Play Store is largely reactive,” said Mayank Kumar, Founding AI Engineer at DeepTempo. He noted that by the time these apps are removed, a vast number of users, in this case 19 million, are already compromised.
Kumar explained that attackers are becoming more creative, using tactics such as embedding their code deep within an app’s core to appear benign during the review process. He cited the Harly variant as an example, noting that it uses layers of obfuscation to bypass security checks.
“With the advent of AI, it will become even easier for threat actors to design the multi-stage payloads and advanced obfuscation needed to defeat the scanning and signature-based detection systems that form the core of app store defences,” he added.