This week, security research group Zscaler reported that it had discovered more than 90 malicious Android apps in the Play Store. Together, these apps have been installed more than 5.5 million times, and many of them belong to the ongoing Anatsa malware campaign, which targets more than 650 applications related to financial institutions.
As of February 2024, Anatsa had infected at least 150,000 devices via multiple decoy apps, many of them marketed as productivity software. We don't know the identities of most of the apps involved in this latest attack, but we do know two of them: PDF Reader and File Manager, and QR Reader and File Manager. At the time of Zscaler's investigation, the two apps had been installed more than 70,000 times.
How these malicious apps infect your phone
Although Google reviews apps before they appear on the Play Store, campaigns like Anatsa evade that review by loading their payload in multiple stages. In other words, the app submitted to the store looks and behaves like a legitimate app, and the covert infection begins only after it is installed on the user's device.
You may think you are downloading a PDF reader, but once installed and opened, the "dropper" application connects to its command-and-control (C2) server and retrieves the configuration and basic strings it needs. It then downloads a DEX file containing the malicious code and loads it on your device. Using that configuration, the code retrieves the Anatsa payload URL, and the DEX file installs the malware payload, completing the infection of your phone.
Fortunately, all identified apps have been removed from the Play Store and their developers have been banned. However, if you already downloaded one of these apps, it will not be removed from your phone automatically. If you have either of these apps on your phone, uninstall them immediately. You should also change the passwords for any banking apps you use on your phone, so the threat actors behind Anatsa cannot access your accounts.
How to avoid malware apps
While attacks from malicious developers can be hard to spot, there are some tips you can follow to judge whether an app on the Play Store is legitimate. The first is to look closely at the app's store listing: its name, description and screenshots. Does everything match the service the developer advertises? Is the copy well written, or is it full of errors? The less professional the listing looks, the more likely the app is fake.
Only download apps from publishers you trust. This is especially important when you are downloading a popular app, since malware apps sometimes impersonate well-known apps on phones and other devices. Double-check the developers behind the app to make sure they are who they claim to be.
You should also check the permissions the app requests. Any app that asks for accessibility access should generally be avoided, as abusing accessibility services is one of the main ways malware groups bypass security protections on many newer devices. Other permissions to watch for include requests for access to your contact list and text messages. If a PDF reader wants your contacts, that's a big red flag.
Also read the app's reviews. Be wary of apps that have few ratings, or whose positive reviews all seem questionable.
The app's support email address can also be telling. Many malware apps list a random Gmail (or other free email) address as their support contact. While not every app will list a professional support email, you can usually tell if something is sketchy from the information the developer provides.
Unfortunately, there's no foolproof way to avoid malware apps short of not installing apps at all. However, you can usually spot a sketchy app if you keep an eye on what you're installing and pay attention to permissions, developers, and the other details above.
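To make the permission check concrete, here is a small Python triage script, added for this article and not code from Zscaler or from the apps described, that flags the red-flag permissions above and any accessibility service declared in an app's decoded AndroidManifest.xml (as produced by a decoder such as apktool). The sample manifest, package name and class name are constructed for the example; the REQUEST_INSTALL_PACKAGES check is my own addition for dropper-style apps like the one described above and is not something the article mentions.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace; element names do not.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions a PDF reader or file manager has no business requesting.
# The contacts/SMS entries follow the article; REQUEST_INSTALL_PACKAGES is an
# analyst addition (assumption): a dropper needs it to install a second-stage APK.
RED_FLAG_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.READ_SMS": "reads stored text messages",
    "android.permission.RECEIVE_SMS": "intercepts incoming text messages",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install additional packages",
}
# An app gains accessibility access by declaring a service guarded by this permission.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> list[str]:
    """Return human-readable findings for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ATTR_NAME, "")
        if name in RED_FLAG_PERMISSIONS:
            findings.append(f"{name}: {RED_FLAG_PERMISSIONS[name]}")
    for service in root.iter("service"):
        if service.get(ATTR_PERMISSION) == ACCESSIBILITY_PERMISSION:
            findings.append(f"accessibility service declared: {service.get(ATTR_NAME)}")
    return findings


# Constructed manifest for a fictional "PDF reader"; package and class names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="PDF Reader">
    <service android:name=".AccessService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("RED FLAG:", finding)
```

A manifest that only requests INTERNET produces no findings, so the script is a quick first pass, not a verdict on its own.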