90 Malicious Android Apps Disguised as Useful Tools Download Over 5.5 Million Times: What Users Need to Know

Anatsa malware targets financial apps primarily in Europe and the US, UK, Germany, Spain, Finland, South Korea and Singapore.
Apps request permissions such as SMS and accessibility options after installation.
Malware distributed includes Anatsa banking trojan.
Over 90 malicious Android apps disguised as useful tools downloaded over 5.5 million times from Google Play store.

Over 90 malicious Android apps, disguised as useful tools such as PDF readers and QR code scanners, have been downloaded over 5.5 million times from the Google Play store in recent months. The apps were found to be distributing a range of malware, including the Anatsa banking trojan. The dropper apps conceal the malicious payload within asset files and request permissions such as SMS and accessibility options after installation, but they first check the device environment and type for analysis environments and malware sandboxes, and only reveal their malicious behaviour once that check passes. Once a target banking app is identified on the device, the C2 server supplies a fake login page for it; if the user is deceived into entering their banking credentials, the information is sent back to the C2 server, where the attackers can use it to log in and steal money. The Anatsa malware was found to be targeting financial apps primarily in Europe but also in the US, UK, Germany, Spain, Finland, South Korea and Singapore. The two Anatsa dropper apps identified as malicious by Zscaler ThreatLabz have been removed from Google Play.

To avoid becoming a victim of such malware, only download apps from trusted sources and pay attention to the permissions requested on installation. It is also advisable to keep your device updated with the latest security patches and to install an antivirus app that can detect and block malicious activity in real time.

In addition, users should be wary of phishing messages claiming to be from Google or other legitimate sources, as these may contain links leading to malicious websites offering fake updates. Always verify the authenticity of any update requests by checking the source and reporting any suspicious activity to the relevant authorities or security providers.

Overall, staying vigilant and aware of potential threats can help protect against malware attacks on Android devices, ensuring a safer experience for all users.

All sources have been used to provide comprehensive information about the malicious apps and their impact on Android users. The information gathered from various sources has also been cross-checked to ensure accuracy and completeness, providing a detailed understanding of the situation.

[Image credits: Anatolii Babii via Alamy Stock Photo] [Dark Reading image credits: Zscaler] [TechRadar image credits: Iaremenko Sergii / Shutterstock and Rafapress / Shutterstock]

Confidence

96%

Doubts
  • Are all the identified malicious apps removed from Google Play?
  • Is there any information on how the hackers obtained access to the C2 server?

Sources

98%

  • Unique Points
    • A new piece of Android malware, named Antidot, disguises itself as a Google Play update.
    • Antidot has the ability to harvest text messages, log keys pressed, control camera and screen lock.
  • Accuracy
    • Anatsa banking Trojan is one of the most impactful malware families currently being distributed on Google Play.
    • Anatsa uses a dropper technique to evade detection and get its malware onto the official Google Play Store.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

100%

  • Unique Points
    • Over 90 malicious Android apps were installed over 5.5 million times through Google Play.
    • Anatsa had achieved at least 150,000 infections via Google Play using various decoy apps since late last year.
    • Two decoy applications: ‘PDF Reader & File Manager’ and ‘QR Reader & File Manager’ are currently distributing Anatsa on Google Play with over 70,000 installations.
    • Anatsa dropper apps use a multi-stage payload loading mechanism involving four distinct steps to evade detection.
    • Google Play has also discovered over 90 malicious applications collectively installed 5.5 million times, most of which impersonated tools, personalization apps, photography utilities, productivity and health & fitness apps.
    • Joker, Facestealer, Anatsa, Coper and various adware are the five malware families dominating the scene on Google Play.
    • Anatsa and Coper account for only 3% of total malicious downloads from Google Play but are more dangerous than others as they can perform on-device fraud and steal sensitive information.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

98%

  • Unique Points
    • Anatsa banking Trojan is one of the most impactful malware families currently being distributed on Google Play.
    • Anatsa uses a dropper technique to evade detection and get its malware onto the official Google Play Store.
    • Attackers behind Anatsa target financial apps in US, UK, Europe, South Korea and Singapore.
    • Anatsa requests permissions such as SMS and accessibility options after installation.
  • Accuracy
    • Google has been unable to keep malicious Android apps off Google Play store.
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

82%

  • Unique Points
    • More than 90 malicious Android apps, which have been downloaded over 5.5 million times from the Google Play Store, have been identified and analyzed by Zscaler ThreatLabz.
    • Anatsa banking malware uses a dropper technique to carry out further malicious activity after initial installation.
    • Once installed, Anatsa utilizes reflection to invoke code from a loaded Dalvik Executable (DEX) file and downloads the next stage payload from the remote server.
    • Anatsa checks for device environment and type to find analysis environments and malware sandboxes before proceeding with final payload download.
    • Anatsa injects uncompressed raw manifest data into the APK and corrupts compression parameters in the manifest file to hinder analysis.
    • After loading, Anatsa requests various permissions including SMS and accessibility options, conceals final DEX payload within asset files, and decrypts it during runtime using a static key embedded within the code.
    • Anatsa communicates with C2 server to scan victim's device for banking apps and provides fake login pages if any target app is found.
    • Threat actors behind Anatsa exfiltrated data from over 650 financial institutions, primarily in Europe, but are also actively targeting banking apps in the US, UK, Germany, Spain, Finland, South Korea and Singapore.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (10%)
    The article contains selective reporting by focusing only on the two identified malicious apps and not disclosing the identities of the other 88 infected apps. The author also uses emotional manipulation by stating that 'threat actors are expanding their targets to include banking apps in Germany, Spain, Finland, South Korea, and Singapore' to create a sense of urgency and fear.
    • Emotional manipulation: The recent campaigns conducted by threat actors deploying the Anatsa banking trojan highlight the risks faced by Android users, in multiple geographic regions...
    • Selective reporting: More than 90 Android malicious apps have been identified... However, the article only mentions two specific apps.
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication

99%

  • Unique Points
    • Anatsa campaign utilizes remote payloads retrieved from C2 servers for further malicious activity.
    • Anatsa uses reflection to invoke code from a loaded DEX file after downloading the necessary configuration from a control server.
    • Anatsa injected uncompressed raw manifest data into the APK and corrupted the compression parameters in the manifest file to hinder analysis.
    • The Anatsa malware requests various permissions, including SMS and accessibility options, commonly associated with mobile banking trojans.
    • Anatsa downloads a target list of financial application package names and scans the victim’s device for their presence.
    • Upon identifying a targeted application, Anatsa communicates this information to the C2 server which provides a fake login page for the banking application.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (100%)
    None Found At Time Of Publication
  • Fallacies (95%)
    The article contains several technical descriptions of the Anatsa malware's behavior and does not contain any obvious fallacies. However, there is one instance of an appeal to authority in the form of a citation to a previous mention of Anatsa utilizing remote payloads. This does not detract significantly from the overall quality of the article and I have only deducted 5 points from a perfect score.
    • "As mentioned previously, Anatsa utilizes remote payloads retrieved from C2 servers to carry out further malicious activity."
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (100%)
    None Found At Time Of Publication
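Two of the dropper tricks described on this page, the encrypted payload hidden in asset files and the corrupted compression parameters on the APK manifest, can be checked for cheaply before an APK is run. The Python below is an added example, not Zscaler's tooling or code from any cited article: it parses the APK's ZIP central directory itself so tampered fields are seen as written, flags a manifest whose compression method is neither stored nor deflate, and flags large high-entropy assets; the archive it inspects is constructed in memory by the helper functions shown, and the 7.5 bits-per-byte entropy threshold is an assumption.

```python
import io, math, struct, zipfile
from collections import Counter
from random import Random

CD_HDR = struct.Struct("<IHHHHHHIIIHHHHHII")  # 46-byte ZIP central directory file header

def central_directory(data: bytes):
    """Yield (name, compression method, header offset) read straight from the central directory."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory record
    _, _, _, _, count, _, cd_off, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    pos = cd_off
    for _ in range(count):
        f = CD_HDR.unpack_from(data, pos)
        yield data[pos + 46:pos + 46 + f[10]].decode(), f[4], pos
        pos += 46 + f[10] + f[11] + f[12]  # fixed header + name + extra + comment

def entropy(blob: bytes) -> float:  # Shannon entropy in bits per byte; encrypted data sits near 8
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())

def triage_apk(data: bytes, high_entropy: float = 7.5) -> list:
    """Flag a tampered compression method on AndroidManifest.xml and large high-entropy assets."""
    findings = []
    for name, method, _ in central_directory(data):
        if name == "AndroidManifest.xml" and method not in (0, 8):  # stored/deflate are normal
            findings.append(f"{name}: unexpected compression method {method}")
    with zipfile.ZipFile(io.BytesIO(data)) as z:  # assets stay readable even if the manifest is not
        for info in z.infolist():
            if (info.filename.startswith("assets/") and info.file_size >= 1024
                    and entropy(z.read(info)) > high_entropy):
                findings.append(f"{info.filename}: high-entropy asset, possible encrypted payload")
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample, not a real dropper: a manifest, a text asset and a random blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>" * 20, zipfile.ZIP_DEFLATED)
        z.writestr("assets/strings.txt", b"hello world\n" * 100, zipfile.ZIP_DEFLATED)
        z.writestr("assets/data.bin", Random(7).randbytes(2048), zipfile.ZIP_STORED)
    return buf.getvalue()

def corrupt_manifest_method(data: bytes, bogus: int = 0x0E) -> bytes:
    """Constructed test input: rewrite the manifest's method field to mimic the tampering described."""
    out = bytearray(data)
    for name, _, pos in central_directory(data):
        if name == "AndroidManifest.xml":
            struct.pack_into("<H", out, pos + 10, bogus)  # method field is 10 bytes into the header
    return bytes(out)
```

Running `triage_apk` on `build_sample_apk()` reports only the random asset, while the same archive after `corrupt_manifest_method` additionally reports the manifest's bogus method.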