Red Hot Cyber, The cybersecurity news


19 million installs of 77 apps spread malware on Google Play

Redazione RHC : 26 August 2025 14:17

Zscaler researchers discovered that 77 malicious Android apps, with a combined total of over 19 million installs, were distributing various malware families in the official Google Play store.

“We identified a sharp increase in the number of malicious advertising apps in the Google Play Store, along with threats such as Joker, Harly, and banking trojans such as Anatsa,” the experts write. “At the same time, there has been a notable decrease in activity from malware families such as Facestealer and Coper.”

Researchers discovered the campaign while investigating a new wave of infections by the Anatsa banking Trojan (also known as TeaBot) targeting Android devices.

Although the majority of malicious apps (over 66%) contained adware, the most common single threat was Joker, which researchers found in nearly 25% of the analyzed apps. Once installed on the victim’s device, Joker can read and send SMS messages, take screenshots, make calls, steal contact lists, access device information, and subscribe users to premium services.

A smaller percentage of malicious applications have been found to be disguised as various benign programs (researchers have termed such threats “maskware”). These applications pretend to be legitimate and perform the functions stated in their descriptions, but perform malicious activities in the background.

Harly, a variant of the Joker malware, has also been discovered: it poses as a legitimate app with a malicious payload hidden deep within its code to avoid detection. In March of this year, Human Security reported that Harly could be hiding in popular apps such as games, wallpapers, flashlights, and photo editors.

Zscaler’s report notes that the latest version of the Anatsa banker targets even more banking and cryptocurrency apps, increasing the number from 650 to 831. The malware downloads phishing pages and a keylogger module from its command-and-control server and can now also target users in Germany and South Korea.

The malware authors use an application called Document Reader – File Manager as bait; it downloads Anatsa only after installation, in order to evade Google’s checks. Furthermore, in the new campaign the attackers have switched from remote dynamic loading of DEX code to direct installation of the malware, unpacking it from JSON files that are then deleted.

To hinder static analysis, the Trojan uses corrupted APK archives and DES-encrypted strings that are only decrypted at runtime, and it can detect when it is running in an emulator. Package names and hashes also change periodically. Zscaler analysts report that Google has removed all detected malicious apps from the official store.
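Two of the evasion traits described above, an APK archive that does not parse cleanly and a payload carried inside JSON assets rather than in the app’s own DEX, are cheap to screen for before a sample reaches a full sandbox. The script below is an added example written for this article, not code from the Zscaler report or from Red Hot Cyber. It treats an APK as the zip file it is, reports whether the archive parses and whether every member passes its CRC check, and flags JSON members that carry large base64 blobs decoding to high-entropy data or to something carrying the `dex\n` magic. The thresholds, the `assets/config.json` member name and the sample APKs built in memory are all constructed for the demonstration.

```python
import base64
import binascii
import io
import json
import math
import struct
import zipfile

ENTROPY_THRESHOLD = 5.5   # constructed heuristic: text sits around 4-5 bits/byte, ciphertext near 8
MIN_BLOB_CHARS = 512      # ignore short base64 values such as tokens or icons


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _strings_in(node):
    """Yield every string value in a parsed JSON document, recursively."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for v in node.values():
            yield from _strings_in(v)
    elif isinstance(node, list):
        for v in node:
            yield from _strings_in(v)


def triage_apk(apk_bytes: bytes) -> dict:
    """Report archive integrity and JSON members that smuggle encoded binary payloads."""
    report = {"archive_ok": True, "notes": [], "suspicious_json": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile as exc:
        report["archive_ok"] = False
        report["notes"].append(f"archive does not parse: {exc}")
        return report
    with zf:
        bad_member = zf.testzip()  # name of the first member failing its CRC check, or None
        if bad_member is not None:
            report["archive_ok"] = False
            report["notes"].append(f"corrupt member: {bad_member}")
        for info in zf.infolist():
            if not info.filename.lower().endswith(".json"):
                continue
            try:
                doc = json.loads(zf.read(info))
            except (ValueError, zipfile.BadZipFile):
                continue
            for text in _strings_in(doc):
                if len(text) < MIN_BLOB_CHARS:
                    continue
                try:
                    blob = base64.b64decode(text, validate=True)
                except (binascii.Error, ValueError):
                    continue
                is_dex = blob.startswith(b"dex\n")
                ent = shannon_entropy(blob)
                if is_dex or ent > ENTROPY_THRESHOLD:
                    report["suspicious_json"].append(
                        {"member": info.filename, "bytes": len(blob),
                         "entropy": round(ent, 2), "dex_magic": is_dex})
    return report


def build_sample_apk(embed_dex: bool) -> bytes:
    """Constructed stand-in for an APK: manifest, dummy classes.dex and one JSON asset."""
    payload = b"dex\n035\x00" + bytes(range(256)) * 8  # constructed, not a real DEX file
    config = {"endpoint": "https://config.example.invalid/v1", "theme": "light"}
    if embed_dex:
        config["data"] = base64.b64encode(payload).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.reader'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/config.json", json.dumps(config))
    return buf.getvalue()


def corrupt_member(apk_bytes: bytes, member: str) -> bytes:
    """Flip one byte of a stored member's data so its recorded CRC no longer matches."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        off = zf.getinfo(member).header_offset
    name_len, extra_len = struct.unpack_from("<HH", apk_bytes, off + 26)
    buf = bytearray(apk_bytes)
    buf[off + 30 + name_len + extra_len] ^= 0xFF
    return bytes(buf)


def break_central_directory(apk_bytes: bytes) -> bytes:
    """Overwrite the end-of-central-directory signature so zip parsers reject the file."""
    return apk_bytes.replace(b"PK\x05\x06", b"XX\x05\x06")


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(embed_dex=True)))
    print(triage_apk(corrupt_member(build_sample_apk(False), "AndroidManifest.xml")))
    print(triage_apk(break_central_directory(build_sample_apk(False))))
```

A clean archive with an ordinary config file produces an empty `suspicious_json` list; the variant carrying the encoded blob is flagged with `dex_magic` set and an entropy near 8; a CRC mismatch or a damaged central directory turns `archive_ok` off. Android's own installer is more tolerant of some archive irregularities than `zipfile` is, which is exactly why a parse failure on a file that nevertheless installs is worth a closer look.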

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
