Full Report
Seventy-seven malicious Android apps containing different types of malware were found on Google Play after being downloaded more than 19 million times. [...]
Analysis Summary
# Incident Report: Widespread Malicious Android Apps Discovered on Google Play
## Executive Summary
Seventy-seven malicious Android applications, with over 19 million cumulative installs, distributed several malware families through Google Play: the Anatsa (TeaBot) banking trojan, Joker, Harly, and adware. The apps passed Play review by looking benign at submission time and fetching or unpacking their malicious payload only after installation. Google removed all identified applications after Zscaler ThreatLabz discovered and reported them.
## Incident Details
- Discovery Date: Prior to August 25, 2025 (discovery reported by Zscaler ThreatLabz)
- Incident Date: Ongoing; the report describes multiple waves of the campaign leading up to discovery
- Affected Organization: End users of the Google Play Store, 19 million+ cumulative installs
- Sector: Technology/Software Distribution (Google Play Store ecosystem)
- Geography: Global; Germany and South Korea are specifically named as new Anatsa target regions
## Timeline of Events
### Initial Access
- Date/Time: Varies per app, since each listing accumulated installs over its time on the store (reporting dated August 25, 2025)
- Vector: Google Play Store distribution using deceptive application lures
- Details: Attackers published 77 applications posing as legitimate utilities (document readers and file managers such as 'Document Reader – File Manager', tools, personalization apps). Malicious payloads such as Anatsa were fetched or unpacked only *after* installation, so the version reviewed for the store looked benign to static analysis.
### Lateral Movement
- Details: Not applicable; the campaign compromises single devices. Anatsa's post-installation abuse of Accessibility permissions to grant itself further privileges and steal data is privilege escalation and persistence on the endpoint rather than lateral movement.
### Data Exfiltration/Impact
- Impact: Devices were targeted for banking and cryptocurrency credential theft (Anatsa), premium-subscription fraud (Joker), and general data theft of contacts, screenshots and SMS messages.
### Detection & Response
- Detection: Zscaler ThreatLabz uncovered the wider set of apps while investigating a new Anatsa infection wave.
- Response: Google was notified and removed all 77 identified applications from the Play Store.
## Attack Methodology
- Initial Access: Malicious apps distributed via the Google Play Store, posing as document readers, file managers, tools and personalization apps.
- Persistence: Varies by family (Joker, Harly, Anatsa); the dropper app itself remains installed as an ordinary package. Anatsa's dropper installs the banking-trojan payload directly, unpacked from JSON files.
- Privilege Escalation: Anatsa abuses Accessibility permissions to grant itself extensive privileges on the device without further user interaction.
- Defense Evasion: Anatsa used malformed APK archives that still install on a device but break static analysis tools, DES-based string decryption at runtime, and emulator detection. Harly hid its payload deep inside otherwise legitimate-looking code.
- Credential Access: Anatsa serves phishing overlays tailored to over 831 banking and cryptocurrency apps, and a keylogger module added for generic data theft captures input outside those overlays.
- Discovery: Not described for the dropper stage; once installed, Anatsa checks the device for installed banking and cryptocurrency apps that match its target list.
- Lateral Movement: Not detailed, focusing on single-device compromise.
- Collection: Joker reads SMS messages, harvests contacts and takes screenshots. Anatsa captures input through its keylogger and through phishing overlays tailored to each targeted app.
- Exfiltration: Collected data is sent to the operators' command-and-control servers.
- Impact: Financial loss via unauthorized banking access, unauthorized premium subscriptions, data theft, and privacy invasion.
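The malformed-archive trick in the Defense Evasion bullet works because Android's installer and desktop analysis tools read a ZIP differently: if the central directory and the per-entry local file headers disagree, the device may still install the package while an unpacker extracts the wrong bytes or gives up. The following Python is an added example, not code from the Zscaler report and not a reconstruction of Anatsa's exact malformation: `check_apk()` walks the central directory, re-reads each entry's local header and reports inconsistencies, and `build_samples()` constructs a minimal clean archive plus a copy tampered in the way the comments describe. The check also flags compression methods Android does not accept, duplicate entry names and a missing manifest or dex, which goes a little beyond the bullet.

```python
"""Structural consistency check for an APK (a ZIP archive).

Added example; this is not code from the Zscaler report or from Anatsa.
Android's installer and desktop analysis tools parse ZIP headers differently,
so an archive whose central directory and local file headers disagree can
install on a device yet break static analysis. check_apk() walks the central
directory, re-reads each entry's local header and reports inconsistencies.
The tampering in build_samples() is constructed for illustration and is not
a claim about the exact malformation Anatsa used.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
ALLOWED_METHODS = {0, 8}                # stored and deflate: the only methods Android accepts
LOCAL_FMT = "<IHHHHHIIIHH"              # 30-byte local file header
CENTRAL_FMT = "<IHHHHHHIIIHHHHHII"      # 46-byte central directory header
EOCD_FMT = "<IHHHHIIH"                  # 22-byte end-of-central-directory record


def _end_of_central_directory(data: bytes) -> tuple:
    """Return (entry_count, central_directory_offset) from the EOCD record."""
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 65557))   # 22 bytes + max comment length
    if pos < 0:
        raise ValueError("no end-of-central-directory record")
    fields = struct.unpack(EOCD_FMT, data[pos:pos + 22])
    return fields[4], fields[6]


def check_apk(data: bytes) -> list:
    """Return human-readable findings; an empty list means the archive is consistent."""
    findings = []
    entry_count, pos = _end_of_central_directory(data)
    seen = set()
    for _ in range(entry_count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            findings.append(f"central directory corrupt at offset {pos}")
            break
        (_sig, _made, _need, _flags, method, _mt, _md, crc, csize, usize,
         fn_len, ex_len, cm_len, _disk, _ia, _ea, lh_off) = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        name = data[pos + 46:pos + 46 + fn_len].decode("utf-8", "replace")
        pos += 46 + fn_len + ex_len + cm_len
        if name in seen:                      # two entries, one name: unpackers pick different ones
            findings.append(f"duplicate entry {name!r}")
        seen.add(name)
        if method not in ALLOWED_METHODS:
            findings.append(f"{name}: unsupported compression method {method} in central directory")
        if data[lh_off:lh_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: no local file header at offset {lh_off}")
            continue
        (_lsig, _lneed, lflags, lmethod, _lmt, _lmd, lcrc, lcsize, lusize,
         lfn_len, _lex_len) = struct.unpack(LOCAL_FMT, data[lh_off:lh_off + 30])
        lname = data[lh_off + 30:lh_off + 30 + lfn_len].decode("utf-8", "replace")
        if lname != name:
            findings.append(f"{name}: local header names it {lname!r}")
        if lmethod != method:
            findings.append(f"{name}: compression method {method} (central) vs {lmethod} (local)")
        # With flag bit 3 set, sizes and CRC live in a trailing data descriptor instead.
        if not lflags & 0x0008 and (lcrc, lcsize, lusize) != (crc, csize, usize):
            findings.append(f"{name}: CRC/size fields differ between central and local headers")
    for required in ("AndroidManifest.xml", "classes.dex"):
        if required not in seen:
            findings.append(f"missing {required}")
    return findings


def build_samples() -> tuple:
    """Constructed inputs: a minimal well-formed 'APK' and a tampered copy of it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")          # placeholder, not binary XML
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)  # placeholder dex bytes
    clean = buf.getvalue()
    with zipfile.ZipFile(io.BytesIO(clean)) as zf:
        lh_off = zf.getinfo("classes.dex").header_offset
    # Edit only the local header of classes.dex: rename it (same length) and set a
    # bogus compression method. The central directory still describes the real file.
    tampered = bytearray(clean)
    tampered[lh_off + 8:lh_off + 10] = struct.pack("<H", 0x1234)
    tampered[lh_off + 30:lh_off + 41] = b"classes.bin"
    return clean, bytes(tampered)


if __name__ == "__main__":
    clean, tampered = build_samples()
    print("clean:   ", check_apk(clean) or "consistent")
    print("tampered:", check_apk(tampered))
```

Run it against a real APK with `check_apk(open(path, "rb").read())`; a clean Play-signed package returns an empty list, and any finding is a reason to unpack the file with a strict parser before trusting what decompilers show.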
## Impact Assessment
- Financial: Direct loss via unauthorized financial transactions (banking trojans) and premium service subscriptions (Joker).
- Data Breach: Sensitive data including contacts, SMS data, device information, and banking credentials.
- Operational: Adware degrades device performance; affected users must uninstall the apps and manually review permissions and Accessibility settings afterwards.
- Reputational: Damage to user trust in the security of the Google Play Store ecosystem.
## Indicators of Compromise
*Due to the nature of this summary focusing on malware families, specific hard IoCs (IPs/Domains) are omitted as they are transient and should be obtained from the security vendor report.*
- Network Indicators: Command-and-control channels used by Anatsa, Joker and Harly to receive commands and exfiltrate data; the specific infrastructure is listed in the vendor report.
- File Indicators: APK hashes of the 77 removed applications (see the vendor report).
- Behavioral Indicators: Apps that enable an Accessibility service, read SMS messages, initiate unsolicited premium subscriptions, or log keystrokes; droppers that install a second package after first launch.
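A responder with ADB access can check for these behaviours on a device. The following Python is an added example, not from the Zscaler report: it parses the text that `adb shell dumpsys package <pkg>` and `adb shell settings get secure enabled_accessibility_services` print, and flags packages that combine an enabled Accessibility service with SMS access, hold the install-packages permission, or were installed by another user app (the dropper-to-payload chain). The package names and the dumpsys excerpt are constructed; real output has many more fields, which the parser ignores.

```python
"""Triage of installed packages for the behavioural indicators above.

Added example, not code from the Zscaler report. It parses the output of
`adb shell dumpsys package <pkg>` and
`adb shell settings get secure enabled_accessibility_services` and flags
packages that combine an enabled Accessibility service with SMS access, can
install other packages, or were installed by another user app rather than
by the Play Store. The package names and the dumpsys excerpt are constructed.
"""
import re

PLAY_STORE = "com.android.vending"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"


def parse_dumpsys(text: str) -> dict:
    """Return {package: {"installer": str or None, "granted": set}} from dumpsys text."""
    packages = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            current = m.group(1)
            packages[current] = {"installer": None, "granted": set()}
            continue
        if current is None:
            continue
        m = re.search(r"installerPackageName=([\w.]+|null)", line)
        if m:
            packages[current]["installer"] = None if m.group(1) == "null" else m.group(1)
        m = re.match(r"\s*([\w.]+): granted=true", line)   # both install and runtime permissions
        if m:
            packages[current]["granted"].add(m.group(1))
    return packages


def parse_enabled_services(setting: str) -> set:
    """'pkg/service:pkg2/service2' -> {pkg, pkg2}; 'null' or empty -> empty set."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry}


def triage(dumpsys_text: str, enabled_services: str) -> dict:
    """Map each package to the list of risk flags it triggers (empty list = nothing noted)."""
    pkgs = parse_dumpsys(dumpsys_text)
    a11y = parse_enabled_services(enabled_services)
    report = {}
    for name, info in pkgs.items():
        flags = []
        if name in a11y:
            flags.append("accessibility service enabled")
        if info["granted"] & SMS_PERMS:
            flags.append("SMS read/receive granted")
        if INSTALL_PERM in info["granted"]:
            flags.append("can request package installs")
        installer = info["installer"]
        if installer is None:
            flags.append("sideloaded (no installer recorded)")
        elif installer != PLAY_STORE and installer in pkgs:
            flags.append(f"installed by user app {installer}")
        # Accessibility plus SMS in one app is the combination an overlay banking trojan needs
        if name in a11y and info["granted"] & SMS_PERMS:
            flags.append("HIGH: accessibility + SMS in one app")
        report[name] = flags
    return report


# Constructed sample: a Play-installed 'document reader' that dropped a second package.
SAMPLE_DUMPSYS = """\
  Package [com.example.docreader] (7a3e1c2):
    userId=10234
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  Package [com.example.update] (9f0b44d):
    userId=10235
    installerPackageName=com.example.docreader
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
  Package [com.example.notes] (1c9aa02):
    userId=10236
    installerPackageName=com.android.vending
    install permissions:
      android.permission.INTERNET: granted=true
"""
SAMPLE_SERVICES = ("com.example.update/com.example.update.svc.Overlay:"
                   "com.google.android.marvin.talkback/.TalkBackService")

if __name__ == "__main__":
    for pkg, flags in triage(SAMPLE_DUMPSYS, SAMPLE_SERVICES).items():
        print(pkg, "->", ", ".join(flags) or "no flags")
```

On a live device, feed `triage()` the concatenated output of `adb shell dumpsys package` for each third-party package (`adb shell pm list packages -3`) and the raw value of the accessibility setting; a legitimate screen reader will show up as "accessibility service enabled" on its own, so the HIGH flag is the one to act on first.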
## Response Actions
- Containment Measures: Google removed all 77 identified malicious applications from the Play Store, preventing further distribution.
- Eradication Steps: Users must manually uninstall the listed applications. Anatsa victims are advised to contact their bank about potentially compromised online-banking accounts.
- Recovery Actions: Keep Play Protect enabled, grant permissions sparingly, and review recent activity on linked financial accounts and carrier bills for unauthorized transactions or subscriptions.
## Lessons Learned
- No software vulnerability was needed: a vetted store is not a sufficient control when evasion techniques such as delayed payload loading and malformed archives let malicious apps pass review.
- Adware remained the most common category among the 77 apps and was distributed alongside the more damaging Joker and Anatsa families.
- Banking trojans keep evolving and widening their targeting (Anatsa now covers over 831 apps and new geographies such as Germany and South Korea), so monitoring must be continuous.
- What could have been done better: Store-side static and dynamic analysis needs to flag apps that download, unpack or install code after installation (remote payload fetch, payloads carried in JSON), since that is the pattern that passed review here.
## Recommendations
- **User Action:** Keep Google Play Protect enabled so it can flag known malicious apps. Grant only the permissions an app needs for its stated function; a document reader has no business with Accessibility or SMS.
- **Vetting:** Prefer established publishers and check the developer's history, the permissions an app requests relative to what it does, and recent reviews before installing. Reviews and install counts alone are weak signals: these apps reached 19 million installs.
- **Monitoring:** Anyone who installed one of the listed apps, and in particular a suspected Anatsa dropper, should contact their bank to secure online-banking credentials and check for unauthorized transactions.