Google has deleted millions of apps from Play Store as Android changes beyond recognition. There’s a clampdown on installing apps from outside the official store, and trivial apps on the Play Store itself are now being rooted out. And that’s just happened again, with a new warning that a hidden threat is attacking Android phones.
That warning comes from Zscaler. It’s Anatsa malware again, which “attacks Android devices and targets financial applications.” Also known as TeaBot, this nasty threat “steals credentials, monitors keystrokes, and facilitates fraudulent transactions.”
Zscaler’s ThreatLabz team says “the latest variant of Anatsa targets over 831 financial institutions worldwide,” and it has “identified and reported 77 malicious apps from various malware families to Google, collectively accounting for over 19 million installs.”
Google tells me all apps identified by Zscaler have been deleted from Play Store, and “protection against these malware versions was already in place through Google Play Protect prior to this report. Based on our current detection, no apps containing these versions of this malware are found on Google Play.”
As long as Google Play Protect is enabled, which should be on by default, “Android users are automatically protected against known versions of this malware.” You also need to delete any of the trivial apps on your device that are no longer available on Play Store. As far as Anatsa is concerned, pay particular attention to document readers.
Zscaler explains that “Anatsa uses a dropper technique, where the threat actors use a decoy application in the official Google Play Store that appears benign upon installation. Once installed, Anatsa silently downloads a malicious payload disguised as an update from its command-and-control (C2) server. This approach allows Anatsa to bypass Google Play Store detection mechanisms and successfully infect devices.”
When you install the dropper, the malware runs a set of checks to help it evade analyst machines and security software. It does its best to ensure it has a clear run on a device before loading the malicious payload itself.
Anatsa displays fake login pages for the banking apps of the hundreds of banks targeted. “These pages are tailored based on the financial institution applications detected on the user’s device.” Those credentials are then stolen, enabling remote attacks.
Anatsa is just one of the malware threats identified by Zscaler and reported to Google. All apps reported have been deleted, but that doesn’t mean they’re no longer on your phone, which is why you must act now to check.
One easy way is to start with permissions, especially accessibility services, to identify likely threats. “Android users should always verify the permissions that applications request, and ensure that they align with the intended functionality of the application.”
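One way to make that permissions check concrete, as an added example that is not from the article, Zscaler or Google: a Python helper that parses the raw output of two adb commands and lists the third-party apps that have an accessibility service enabled (the sample output and package names below are constructed).

```python
# Added helper (not Zscaler's or Google's tooling) that flags third-party apps
# holding an enabled accessibility service. It parses the raw text of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
from __future__ import annotations


def parse_enabled_services(raw: str) -> dict[str, set[str]]:
    """Map package -> enabled accessibility service classes.

    The setting is a colon-separated list of 'package/ServiceClass';
    an empty string or the literal 'null' means none is enabled.
    """
    services: dict[str, set[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        package, service = entry.strip().split("/", 1)
        if service.startswith("."):  # shorthand for a class inside the package
            service = package + service
        services.setdefault(package, set()).add(service)
    return services


def parse_third_party_packages(raw: str) -> set[str]:
    """Parse 'package:<name>' lines printed by 'pm list packages -3'."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def flag_accessibility_apps(enabled_raw: str, packages_raw: str) -> dict[str, set[str]]:
    """Return only third-party packages with an enabled accessibility service.

    System apps such as a screen reader are excluded because '-3' does not
    list them; anything returned deserves a manual look.
    """
    third_party = parse_third_party_packages(packages_raw)
    return {pkg: svcs for pkg, svcs in parse_enabled_services(enabled_raw).items()
            if pkg in third_party}


# Constructed sample output for an offline run; the example package names are made up.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.pdfviewer/.ReaderAccessibilityService")
SAMPLE_PACKAGES = "package:com.example.pdfviewer\npackage:com.example.bank\n"

if __name__ == "__main__":
    for pkg, svcs in flag_accessibility_apps(SAMPLE_SERVICES, SAMPLE_PACKAGES).items():
        print(f"review {pkg}: {', '.join(sorted(svcs))}")
```

Any package it prints should be checked against the Play Store listing; a document reader that has quietly enabled an accessibility service is exactly the pattern described above.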