Just when users thought the Google Play Store was a safe zone, a wave of malicious apps slipped through.
Disguised as harmless utility tools like file managers, photo editors, or personalization apps, these 77 harmful apps accumulated a staggering 19 million installs before detection.
Zscaler’s ThreatLabz team first flagged the threat, exposing the wide reach of these covert threats.
It’s Not Just Adware: Joker and Harly Inside
Most of these apps carried adware that bombarded devices with intrusive pop-ups. But a quarter concealed Joker malware, capable of reading SMS, calling premium numbers, and stealing users’ contact lists. A more advanced variant, Harly, embedded malicious payloads deep in code, making detection much harder.
Researchers labeled this stealthy app behavior maskware: malware disguised as benign apps that performs harmful actions behind the scenes.
Banking Trojan On Google Play Store
The real danger: the Anatsa banking trojan (also known as TeaBot) has dramatically evolved. It no longer relies on remote code injection, instead unpacking malware directly from JSON files and deleting the evidence after installation. This version targets more than 831 financial and crypto apps, up from 650 previously, with new victims in countries like Germany and South Korea.
The trojan also uses techniques such as DES runtime decryption, malformed APKs, and accessibility abuse to remain undetected while it captures credentials and injects overlays.
Adding to the urgency, a separate campaign in North America fooled around 50,000 users by posing as a PDF viewer. The trojan employed deceptive overlay messages like “scheduled maintenance” to mask its activities.
Google Play Store Removes Apps, But the Lesson Is Clear
Upon being alerted, Google removed all 77 apps from the Play Store. Play Protect, baked into Android devices, helps shield users by identifying and blocking known threats. Despite this, researchers warn that the Android ecosystem remains under threat from such sophisticated malware.
Cyber Defense at a Crossroads
The scale and sophistication of these threats are jarring but not surprising. As malware evolves, relying solely on platform review is not enough. Users must:
- Enable Google Play Protect and run regular scans
- Only install apps from trusted developers
- Scrutinize permissions, especially SMS and Accessibility
- Keep apps to a minimum to reduce risk exposure
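One way to put the permission check into practice, as an added example that is not from the ThreatLabz research or the original article: the script below reads an app's decoded AndroidManifest.xml and flags the SMS, call, and contact permissions associated with Joker above, plus any declared accessibility service. It assumes the manifest has already been decoded to plain-text XML (for example with apktool); the package name and sample manifest are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the behaviours the article attributes to Joker
RISKY = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CALL_PHONE": "place calls without the dialer",
    "android.permission.READ_CONTACTS": "read contact list",
}
# A service guarded by this permission is an accessibility service
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample: decoded manifest of a hypothetical "file manager" app
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
""".strip()

def audit_manifest(xml_text):
    """Return (package, sorted findings) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in RISKY:
            findings.append(f"{name}: {RISKY[name]}")
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY:
            findings.append(f"accessibility service: {svc.get(ANDROID_NS + 'name')}")
    return root.get("package"), sorted(findings)

if __name__ == "__main__":
    pkg, findings = audit_manifest(SAMPLE_MANIFEST)
    print(pkg)
    for item in findings:
        print("  -", item)
```

A file manager or photo editor has no functional need for any of the flagged entries, so each finding is a reason to look closer before installing or keeping the app.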
Android users globally need to be vigilant and take care of their devices, opting to download apps from reputable app developers.