This week, security firm Zscaler reported that it had discovered more than 90 malicious Android apps on the Play Store. Collectively, the apps had been installed more than 5.5 million times, and many were part of the ongoing Anatsa campaign, a banking-malware operation that has targeted more than 650 apps tied to financial institutions.
As of February 2024, Anatsa had infected at least 150,000 devices through several decoy apps, many of them marketed as productivity software. We don't know the identities of most of the apps involved in this latest wave, but two have been named: PDF Reader & File Manager and QR Reader & File Manager. At the time of Zscaler's investigation, the two apps had more than 70,000 installs between them.
How these malicious apps infect your phone
Despite Google's review process for apps submitted to the Play Store, campaigns like Anatsa are sneaky: they use a multi-stage payload loading mechanism to evade that review. In other words, the app that gets submitted and reviewed looks legitimate and contains nothing obviously malicious; the actual malware only arrives, and the infection only starts, after the app is installed on the user's device.
You might think you're downloading a PDF reader, but once installed and opened, the "dropper" app connects to a command-and-control (C2) server and retrieves the configuration and the strings it needs. It then downloads a DEX file (a Dalvik executable, the compiled-code format Android apps run) containing the malicious code and loads it on your device. That DEX file fetches the Anatsa payload URL from a configuration file, downloads the payload, and installs it, completing the infection. Because the malicious code is fetched at run time rather than shipped inside the APK, it was never part of what Google reviewed.
Luckily, all of the identified apps have been removed from the Play Store, and their developers have been banned. However, removing an app from the store does not uninstall it from phones that already have it. If you have either of the two apps named above, uninstall it immediately. You should also change the passwords or passcodes for any banking apps you have used on that phone, since the threat actors behind Anatsa may have captured them and could use them to access your accounts.
How to avoid malware apps
While malicious developers can be crafty, there are some tips you can follow to judge whether an app on the Play Store is legitimate. The first is to pay close attention to the app's listing: its name, its description, and its screenshots. Does everything match the service the developer is advertising? Is the copy well written, or is it riddled with mistakes? The less professional the page looks, the more likely it is to be a fake. Keep in mind, though, that polish alone proves nothing: the two Anatsa droppers named above looked convincing enough to gather more than 70,000 installs.
Only download apps from publishers you trust. This is especially important when you're downloading a popular app, since malware authors often impersonate high-profile apps on phones and other devices. Double-check the developer name behind the app against the real publisher to make sure they're who they claim to be.
You should also check the permissions the app asks for. Be wary of any app that requests access to Accessibility services: an accessibility service can read what is on the screen and tap buttons on your behalf, which is one of the main ways malware groups bypass the protections newer devices put in place. Other permissions to watch for include access to your contacts and your SMS messages. If a PDF reader wants your contacts or your text messages, that's a big red flag.
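For readers who want to check an app file rather than its store listing, here is an added example (not code from the article, from Zscaler, or from Google) that turns the two technical points above into a quick static check: the infection chain relies on an app loading a second-stage DEX at run time, and the permission tip singles out Accessibility, contacts and SMS. The script unzips an APK in memory and searches its DEX files for the class descriptors used for runtime code loading and for hard-coded URLs, and searches the compiled manifest for the risky permission strings. The sample APK it builds is constructed for the demonstration and stands in for a real dropper; the URL, file names and threshold logic are the author's own assumptions, and the result is a triage signal, not a verdict.

```python
"""Static triage of an APK for the two warning signs discussed above:
(1) code that loads a second-stage DEX at run time, the way the Anatsa
droppers do, and (2) high-risk permissions or an accessibility-service
binding in the manifest.

Added example, not Zscaler's or Google's tooling. It deliberately avoids
parsing the DEX and binary-XML formats: class descriptors in a DEX string
table and attribute values in a compiled AndroidManifest.xml survive as
plain ASCII or UTF-16LE byte sequences, so a byte search is enough for
triage. A hit is a reason to look closer, not proof of malware.
"""
import io
import re
import zipfile

# Class descriptors an app references when it loads code that was not
# in the APK Google reviewed (DexClassLoader, in-memory loading, DexFile).
DYNAMIC_LOADER_DESCRIPTORS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/DexFile;",
]

# Permissions the article singles out, plus the accessibility-service
# binding and the ability to install further packages.
RISKY_PERMISSIONS = [
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
]

URL_RE = re.compile(rb"https?://[\w.\-/:?=&%#]+")


def scan_dex(dex_bytes: bytes) -> list[str]:
    """Dynamic-loader class descriptors referenced by a DEX blob."""
    return [d.decode() for d in DYNAMIC_LOADER_DESCRIPTORS if d in dex_bytes]


def find_urls(dex_bytes: bytes) -> list[str]:
    """Hard-coded http(s) URLs; a dropper's C2 or config host often sits here."""
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(dex_bytes)})


def scan_manifest(manifest_bytes: bytes) -> list[str]:
    """Risky permission strings present in a compiled manifest.
    Compiled manifests store strings as UTF-16LE or UTF-8, so check both."""
    return [p for p in RISKY_PERMISSIONS
            if p.encode("utf-16-le") in manifest_bytes
            or p.encode("utf-8") in manifest_bytes]


def triage_apk(apk_bytes: bytes) -> dict:
    """Unzip an APK in memory and combine the three checks."""
    loaders, urls, perms = set(), set(), []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                data = zf.read(name)
                loaders.update(scan_dex(data))
                urls.update(find_urls(data))
            elif name == "AndroidManifest.xml":
                perms = scan_manifest(zf.read(name))
    return {
        "dynamic_loaders": sorted(loaders),
        "urls": sorted(urls),
        "risky_permissions": perms,
        # The dropper pattern: fetches code at run time AND wants accessibility.
        "dropper_pattern": bool(loaders)
        and "android.permission.BIND_ACCESSIBILITY_SERVICE" in perms,
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for a dropper APK (not a real sample): a fake
    classes.dex referencing DexClassLoader and a config URL, and a fake
    manifest whose UTF-16LE string pool declares the accessibility binding."""
    fake_dex = (b"dex\n035\x00" + b"\x00" * 32
                + b"Ldalvik/system/DexClassLoader;\x00"
                + b"https://cdn.example.invalid/config.json\x00")
    fake_manifest = (b"\x03\x00\x08\x00"
                     + "android.permission.BIND_ACCESSIBILITY_SERVICE".encode("utf-16-le")
                     + "android.permission.READ_SMS".encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", fake_manifest)
        zf.writestr("classes.dex", fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    import json
    import sys
    # Pass a real .apk path to scan it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    print(json.dumps(triage_apk(data), indent=2))
```

Run it as `python triage.py app.apk` against a file pulled with `adb pull` from the device. A legitimate PDF reader can use DexClassLoader for plugins and can legitimately ask for contacts, so treat any single hit as a prompt to inspect the app, and the combination of runtime code loading plus an Accessibility binding as the pattern worth escalating.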
Read the reviews, too. Be wary of apps that have very few ratings, or where every review seems suspiciously positive.
The app's support email address can also be telling. Many malware apps list a random Gmail (or other free webmail) address as their support contact. Not every legitimate app has a branded support address, but you can usually tell whether something is sketchy from the contact information the developer provides.
Unfortunately, short of not installing apps at all, there is no surefire way to avoid malware apps. But if you are mindful of what you install and pay attention to the permissions, the developer, and the other details above, you can usually spot a sketchy app before it lands on your phone.