In the latest reminder that you should always be extra careful about what you download, cloud security company Zscaler revealed this week that its researchers identified and analyzed more than 90 malicious Android apps on the Google Play store in recent months. So far, the Android malware apps have been installed over 5.5 million times.
As Zscaler explains, Anatsa malware (a.k.a. TeaBot) has been spreading rapidly. Anatsa is an especially dangerous banking malware that appears harmless when the user first installs it but later downloads malicious code from a command-and-control (C2) server, disguised as an app update. This delayed, two-stage approach allows the malware to evade detection on the Android app store.
In other words, the apps aren’t initially malicious. Two examples Zscaler provided, PDF Reader & File Manager and QR Reader & File Manager, will not immediately infect your phone. Instead, they lull you into a false sense of security and then deliver their second-stage payload, which is disguised as a legitimate application update.
Once the malware successfully infects the device and begins communication with the C2 server, it scans the user’s device to detect any installed banking apps. If it finds any, it sends that information to the C2 server, which then sends back a fake login page for the detected apps. If you fall for this trick and enter your login information, it will be sent back to the server, at which point hackers can use it to log in to your banking apps and steal your money.
Zscaler researchers say that Anatsa primarily targets apps from financial institutions in the UK, but there have also been victims in the US, Germany, Spain, Finland, South Korea, and Singapore. No matter where you live, you need to be wary of the dangers.
“The recent campaigns conducted by threat actors deploying the Anatsa banking trojan highlight the risks faced by Android users, in multiple geographic regions, who downloaded these malicious applications from the Google Play store,” Zscaler says.
Although the researchers didn’t share the names of all the malicious Android apps found on the Google Play store, both of the apps named in the example above are no longer available. Presumably, Zscaler has alerted Google to the others.
UPDATE | 5/30: A Google spokesperson reached out with the following comment: “All of the identified malicious apps have been removed from Google Play. Google Play Protect also protects users by automatically removing or disabling apps known to contain this malware on Android devices with Google Play Services.”