Over 90 Malicious Google Play Apps Are Actively Spreading Malware

Dozens of malware-infested apps have turned the Google Play store into a minefield, according to security experts. With more than 5.5 million downloads total, the apps—which appear at first glance to be perfectly mundane bits of software—have allowed threat actors to access Android users’ banking credentials and other sensitive data.
Researchers at the cloud security company Zscaler say the apps are increasingly hiding Anatsa, a Trojan also known as TeaBot. Disguised as productivity apps—including file managers, translators, and QR code readers—the Trojan weasels its way onto unwitting users’ mobile devices, then downloads malicious code or staged payloads from a command-and-control (C2) server in what looks to the user like an innocent software update. 
These payloads check the device environment and pull an Anatsa Android package kit (APK) from a remote server. Once the APK is loaded, the floodgates open, and Anatsa requests permissions across the device’s various functionalities. These permissions are used to check the victim’s device against a list of potential banking-related targets. If there’s a match, Anatsa will supply a fake login page upon that target’s next launch. For instance, if Chase Bank is on the target list and the victim has the Chase banking app installed on their phone, they’ll see a fake login page the next time they open that app. This page steals the victim’s credentials and returns them to the Anatsa threat actors. 
Because Anatsa’s payloads aren’t hidden within the apps themselves, the apps can be advertised and distributed via the Google Play store, which facilitates more downloads than a third-party website or app store would. This higher download count perpetuates a positive feedback loop: Because users often associate popularity with reliable software, they’re more likely to download an app with tens of thousands of downloads. Sure enough, the researchers at Zscaler found that each Anatsa-hiding app boasted about 70,000 installs. 
While Anatsa is the fastest-growing malware targeting Android users, it reportedly comprises just 2.1% of Google Play attacks. Joker and Facestealer, which are used to gain access to victims’ social media accounts, SMS messages, and more, make up more than half of the attacks promoted via the Google Play store. These malware families are most commonly distributed via “tool” apps, like QR code and PDF readers, as well as photography and personalization apps.
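As an added illustration (not from the article or from Zscaler's research), the following Python example triages a device's app inventory for the dropper pattern described above: a utility-style app that can install a package fetched after installation and can observe or draw over other apps. The permission names are real Android identifiers; the scoring rule, keyword list, package names and `is_banking` flag are assumptions made for this example.

```python
# Added example: defender-side triage for the dropper pattern the article describes.
# Treating this trait combination as suspicious is an assumption of this example,
# not a published Anatsa signature.
from dataclasses import dataclass, field

INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"          # may install a fetched APK
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # present when an accessibility service is declared
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"               # may draw over other apps

# App types the article names as common disguises.
UTILITY_KEYWORDS = ("file manager", "translator", "qr", "pdf")

@dataclass
class App:
    package: str
    label: str
    permissions: set = field(default_factory=set)  # permission strings found in the manifest
    is_banking: bool = False                       # set by the analyst (assumption)

def score(app):
    """Return (score, reasons) for one app; a higher score means review first."""
    reasons = []
    if any(k in app.label.lower() for k in UTILITY_KEYWORDS):
        reasons.append("utility-style app")
    if INSTALL in app.permissions:
        reasons.append("can install packages fetched after install")
    if app.permissions & {ACCESSIBILITY, OVERLAY}:
        reasons.append("can observe or draw over other apps")
    return len(reasons), reasons

def triage(inventory, threshold=3):
    """Flag apps showing all three traits and list the banking apps on the same device."""
    banking = sorted(a.package for a in inventory if a.is_banking)
    findings = []
    for app in inventory:
        total, reasons = score(app)
        if total >= threshold:
            findings.append({"package": app.package, "reasons": reasons,
                             "banking_apps_at_risk": banking})
    return findings

# Constructed sample inventory; all package names are hypothetical.
SAMPLE = [
    App("com.example.qrreader", "QR Reader & PDF Viewer", {INSTALL, ACCESSIBILITY}),
    App("com.example.notes", "Notes", {"android.permission.INTERNET"}),
    App("com.example.files", "Simple File Manager", {"android.permission.INTERNET"}),
    App("com.example.bank", "Example Bank", {"android.permission.INTERNET"}, is_banking=True),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A match is a prompt for manual review, since legitimate file managers and accessibility tools can share these traits.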
actively google malicious malware spreading 2024-05-30