77 malware apps in Google Play Store reach 19 million installations

IT security researchers have discovered numerous Android malware packages in the Play Store. They have been installed 19 million times.


IT security researchers from Zscaler's ThreatLabz monitor the Google Play Store and analyze malicious apps distributed through it. A particular focus is the malware Anatsa (also known as Teabot), which attacks Android devices and targets financial apps. The first samples were discovered back in 2020, but the malware has since evolved significantly.

In their analysis, the Zscaler researchers write that Anatsa originally started as a banking Trojan that could steal credentials, perform keylogging and carry out fraudulent transactions. The latest incarnation can now attack 831 financial institutions worldwide. Institutions in Germany and South Korea have been added, along with cryptocurrency platforms. The operators have also streamlined delivery of the malicious code: instead of dynamically loading Dalvik executable (DEX) payloads from the network, the Anatsa code is now installed directly.

According to Zscaler, many of the disguised apps that carry Anatsa have more than 50,000 downloads in the Play Store. Counting the bycatch as well, i.e. malicious apps carrying malware other than Anatsa, the researchers arrived at 77 apps that were installed well over 19 million times in total. Zscaler has reported these to Google.


The previous Anatsa campaigns targeted more than 650 financial institutions. The approximately 180 new targets include more than 150 new banking and cryptocurrency apps. Anatsa uses a dropper technique: the malicious app appears harmless when it is installed from the Google Play Store. After installation, however, Anatsa downloads malicious code disguised as an update from the command-and-control server. This allows Anatsa to bypass the detection mechanisms in the Play Store and infect devices. The Zscaler team also analyzed the camouflage mechanisms in more detail. For example, a deliberately corrupted archive is used to hide a DEX file that is activated at runtime. Standard ZIP tools cannot parse the file because of the defect, so the payload slips past automated analysis.
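The corrupted-archive trick described above defeats analysis tools that give up as soon as the ZIP structure is invalid. The following defender-side triage script is an added example written for this article, not code from Zscaler or from the malware analysis: when the standard `zipfile` parser rejects an archive, it falls back to scanning the raw bytes for ZIP local-file-header signatures and the DEX magic (`dex\n` plus a three-digit version), and flags the combination "DEX present but archive unparsable". The sample archive is constructed inline by truncating the end-of-central-directory record; that particular defect is an assumed illustration, not necessarily the one the malware uses.

```python
import io
import re
import zipfile

# DEX file magic: "dex\n" followed by a three-digit version and a NUL byte.
DEX_MAGIC = re.compile(rb"dex\n\d{3}\x00")
# Signature that starts every ZIP local file header.
ZIP_LFH = b"PK\x03\x04"


def scan_archive(blob: bytes) -> dict:
    """Triage an archive that may have been deliberately damaged.

    Returns a dict with:
      parsable    - whether Python's zipfile accepted the archive
      entries     - entry names zipfile could list (empty if unparsable)
      lfh_count   - number of local-file-header signatures in the raw bytes
      dex_offsets - offsets of DEX magic found anywhere in the raw bytes
      suspicious  - True when a DEX body is present but zipfile cannot open it
    """
    result = {"parsable": False, "entries": [], "lfh_count": 0,
              "dex_offsets": [], "suspicious": False}
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            result["parsable"] = True
            result["entries"] = zf.namelist()
    except zipfile.BadZipFile:
        pass  # the parser gave up; keep going with a raw byte scan
    result["lfh_count"] = blob.count(ZIP_LFH)
    result["dex_offsets"] = [m.start() for m in DEX_MAGIC.finditer(blob)]
    # A DEX payload inside an archive that ZIP tools refuse to open matches
    # the camouflage pattern described in the article: escalate for review.
    result["suspicious"] = bool(result["dex_offsets"]) and not result["parsable"]
    return result


def build_sample(corrupt: bool) -> bytes:
    """Construct a sample archive (not a real malware file): a valid ZIP holding
    a stored, uncompressed fake classes.dex; if corrupt=True, drop the 22-byte
    end-of-central-directory record so that zipfile raises BadZipFile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = buf.getvalue()
    return data[:-22] if corrupt else data


if __name__ == "__main__":
    for flag in (False, True):
        print("corrupt" if flag else "intact", scan_archive(build_sample(flag)))
```

Real APKs compress entries with DEFLATE, so the raw scan only catches stored DEX bodies; inflating each local-file-header region individually is the natural next step when the central directory is missing.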

Anatsa leaks credentials by displaying fake log-in pages that it downloads from the command-and-control server. The pages are tailored to the apps of the financial institutions that Anatsa finds on the smartphone.

In their analysis, the Zscaler researchers list four Indicators of Compromise (IOCs). However, a complete list of the 77 malicious apps is missing. After being reported to Google, they are apparently no longer available in the Play Store and have also been removed automatically from smartphones in the Google ecosystem by Google Play Protect.

Last year, Zscaler published a status report according to which the company had detected more than 200 malicious apps in the Google Play Store. However, these only amounted to 8 million installations, meaning that this figure has more than doubled.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.