Google Play Store: Malware in 90 apps with 5.5 million installations

IT researchers have discovered the widespread distribution of Anatsa malware. It is found in more than 90 apps on Google Play with 5.5 million downloads.

Save to Pocket listen Print view
Stilisierte Grafik: zersplittertes Google Play Store Logo, aus dem Viren kommen

(Image: Bild erstellt mit KI in Bing Designer durch heise online / dmk)

3 min. read

The IT security experts at ZScaler ThreatLabz have discovered and analyzed more than 90 malicious apps in the Google Play Store in recent months. In total, the malware-infected apps amounted to more than 5.5 million installations.

In their analysis, the IT analysts write that they have discovered an increase in instances of the Anatsa malware, also known as TeaBot. The advanced malware uses real apps as dropper components that look harmless to users. This allows the criminal masterminds to slip the malicious payload to victims unnoticed. Anatsa is essentially a banking Trojan that collects and exfiltrates sensitive banking credentials and financial information from global financial apps.

The malware uses overlay and accessibility techniques to intercept and collect this data unnoticed. PDF and QR code reader apps in particular have been enhanced with the malware by the criminal masterminds, ZScaler explains in its analysis.

But the malware is also disguised as tools such as file managers, editors or translators. The malware programmers use various techniques to avoid detection and analysis. For example, the code checks whether it is running in virtual environments or emulators. In addition, the ZIP headers of the .apk installation files are modified so that a static analysis of the malware does not work.

At the end of the analysis, the ZScaler forensic experts add Indicators of Compromise (IOCs). However, only from four of the more than 90 apps. The package names are com.appandutilitytools.fileqrutility, N/A(hanihani), com.nfctnofxy.tmzcwkcjd or com.ultimatefilesviewer.filemanagerwithpdfsupport. Google has apparently removed the files from the Play Store - the apps listed can no longer be found there.

At the end of February, IT forensics experts from Threatfabric had already warned of malware campaigns with the Bankiong Trojan Anatsa. At that time, there were more than 100,000 installations within four months - just a slight foretaste of what is happening now. The IT researchers counted five apps there, with six dropper apps on 130,000 infected devices in the first half of 2023.

Google is working on improving its detections. Around a month ago, the company reported that it had removed around 2.3 million malicious apps from the Play Store in 2023. AI in the form of machine learning is also helping with this.

(dmk)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.