Ethical Hacking News
A recent discovery by Zscaler has revealed that 77 malicious Android apps with over 19 million installs have been removed from the Google Play Store. These apps were found to be delivering multiple malware families to Google Play users, with most of them containing adware components. The Joker malware was also prevalent in almost 25% of the analyzed apps, allowing it to steal sensitive data and perform malicious activity in the background. Read more about this alarming discovery and how Android users can protect themselves from such threats.
Key points:
- Zscaler's ThreatLabs team discovered 77 malicious Android apps with over 19 million installs.
- The apps delivered multiple malware families, including adware and Joker malware.
- Malicious apps disguised themselves as legitimate apps (maskware) to steal sensitive data and credentials.
- A variant of Joker malware called Harly was found, hiding its malicious payload in the code to evade detection.
- The Anatsa trojan targeted 831 banking and cryptocurrency apps, with a new campaign expanding its targeting scope.
- Malicious apps used evasion techniques such as malformed APK archives and changing package names and hashes.
- The campaigns abused Accessibility permissions to auto-grant extensive privileges and fetch phishing pages.
- Google removed the malicious apps from the Play Store after Zscaler's reporting, but users must remain vigilant.
Malicious Android apps have become a growing concern for smartphone users, and dozens of such apps have just been removed from the Google Play Store in a single sweep. Zscaler's ThreatLabs team discovered 77 malicious Android apps with over 19 million combined installs while investigating a new wave of the Anatsa (TeaBot) banking trojan targeting Android devices.
These malicious apps were found to be delivering multiple malware families to Google Play users, with most of them containing adware components. The Joker malware was also present in almost 25% of the analyzed apps; it can read and send text messages, take screenshots, make phone calls, steal contact lists, access device information, and subscribe users to premium services.
One of the most concerning aspects of this malicious app wave is the presence of maskware, which disguises itself as a legitimate app that would not raise any suspicion. However, it performs malicious activity in the background, such as stealing credentials, banking info, or other sensitive data (location, SMS). Cybercriminals can also use maskware to deliver other malware.
Furthermore, Zscaler researchers found a variant of the Joker malware called Harly, which comes as a legitimate app that has a malicious payload hidden deeper in the code to avoid detection during the review process. This type of malware may pose as a popular app that works as advertised but performs malicious activity in the background.
The Anatsa trojan is another major concern, with the latest version having further expanded its targeting scope, increasing the number of banking and cryptocurrency apps to 831, from 650 previously. The malware operators use an app named 'Document Reader – File Manager' as a decoy, which only downloads the malicious Anatsa payload after installation, to evade Google's code review.
The latest campaign has switched from remote DEX dynamic code loading used in the past to direct payload installation, unpacking it from JSON files, and then deleting them. In terms of evasion, it uses malformed APK archives to break static analysis, runtime DES-based string decryption, and emulation detection. Package names and hashes are also periodically changed.
The Anatsa campaign abuses Accessibility permissions on Android to auto-grant itself extensive privileges and fetches phishing overlay pages from its server for its 831 targeted apps, which now also include banks in Germany and South Korea. A keylogger module has also been added for generic data theft.
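As an added defender-side example (not code from Zscaler or from this article), the Python triage script below checks an APK for two of the evasion traits described above: archive members whose CRC does not verify (a simple proxy for a deliberately malformed APK) and JSON assets that carry a base64-encoded DEX payload. The sample archives it builds are constructed here for illustration; real Anatsa samples and the exact way their archives are malformed are not given on the page, so both checks are heuristics.

```python
import base64
import io
import json
import re
import zipfile
DEX_MAGIC = b"dex\n"  # every classes.dex starts with "dex\n0NN\0"
B64_STRING = re.compile(rb'"([A-Za-z0-9+/=]{24,})"')  # quoted base64-looking JSON values

def looks_like_dex(token):
    """True if a base64 token decodes to bytes that begin with a DEX header."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return raw.startswith(DEX_MAGIC)

def scan_apk(apk_bytes):
    """Triage an in-memory APK: flag corrupt zip members and DEX hidden in JSON assets."""
    report = {"malformed_archive": False, "json_embedded_dex": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile:
        report["malformed_archive"] = True
        return report
    if zf.testzip() is not None:  # name of the first member whose CRC fails
        report["malformed_archive"] = True
    for name in zf.namelist():
        if not name.lower().endswith(".json"):
            continue
        try:
            text = zf.read(name)
        except zipfile.BadZipFile:
            continue
        if any(looks_like_dex(t) for t in B64_STRING.findall(text)):
            report["json_embedded_dex"].append(name)
    return report

def build_sample(embed_dex=False, corrupt=False):
    """Constructed APK-like zip (not a real app) used to exercise scan_apk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"A" * 32)
        payload = {"theme": "dark"}
        if embed_dex:  # mimic a second-stage DEX smuggled inside a JSON asset
            payload["blob"] = base64.b64encode(DEX_MAGIC + b"035\0" + b"B" * 32).decode()
        zf.writestr("assets/update.json", json.dumps(payload))
    data = buf.getvalue()
    if corrupt:  # overwrite stored bytes so the member's CRC no longer matches
        data = data.replace(b"A" * 32, b"C" * 32)
    return data
```

On a real sample, pass the file's bytes to scan_apk; any hit is a reason to pull the APK into deeper analysis rather than proof of infection.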
This latest Anatsa campaign follows another recent wave discovered by ThreatFabric in July, where the trojan sneaked into Google Play posing as a PDF viewer, achieving over 50,000 downloads. Older Anatsa campaigns include a PDF and QR Code Reader attack in May 2024 that achieved 70,000 infections, a Phone Cleaner and PDF attack in February 2024 that got 150,000 downloads, and another PDF Viewer attack in March 2023 that achieved 30,000 installs.
Of the malicious apps Zscaler discovered this time, apart from those carrying Anatsa, most belonged to adware families, followed by 'Joker,' 'Harly,' and various maskware. "ThreatLabz identified a sharp rise in adware applications on the Google Play Store alongside malware, such as Joker, Harly, and banking trojans like Anatsa," explained Zscaler researcher Himanshu Sharma. "Conversely, there has been a noticeable decline in malware families such as Facestealer and Coper."
Tools and personalization apps accounted for over half of the lures used to spread those apps, so these two categories, together with entertainment, photography, and design, should be treated as high-risk.
In total, the 77 malicious apps, including those containing Anatsa, were downloaded 19 million times from Google Play. Zscaler reports that Google removed all of the malicious apps they discovered this time from the Play Store following their reporting.
Android users must ensure their Play Protect service is active on their device to flag malicious apps for removal. In the case of Anatsa trojan infections, separate steps need to be taken with the bank to protect potentially compromised e-banking accounts or credentials. To minimize the risk from malware loaders on Google Play, only trust reputable publishers, read at least a couple of user reviews, and only grant permissions that are directly related to the app's core functionality.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-Android-Apps-with-19M-Installs-Removed-from-Google-Play-A-Cautionary-Tale-of-Cybersecurity-ehn.shtml
Published: Mon Aug 25 12:10:12 2025 by llama3.2 3B Q4_K_M