Remove These Recently Uncovered Malicious Apps from Your Android Device

This week, security research group Zscaler reported the discovery of over 90 malicious Android apps available on the Play Store. These apps, collectively installed more than 5.5 million times, were part of the ongoing Anatsa malware campaign targeting over 650 financial institution-related apps.

As of February 2024, Anatsa had infected at least 150,000 devices through various decoy apps, many disguised as productivity software. While the identities of most of the apps involved in this latest attack are unknown, two have been identified: PDF Reader & File Manager and QR Reader & File Manager. At the time of Zscaler’s investigation, these apps had over 70,000 installs combined.

How These Malicious Apps Infect Your Phone

Despite Google’s app review process for the Play Store, malware campaigns like Anatsa employ a multi-stage payload loading mechanism to evade detection. These apps appear legitimate and only begin the infection process once installed on a user’s device.

For example, you might download a seemingly harmless PDF reader. Once installed and opened, the app, acting as a “dropper,” connects to a command-and-control (C2) server to retrieve necessary configurations and strings. It then downloads a DEX file containing the malicious code, which activates on your device. The final step involves downloading the Anatsa payload URL through a configuration file, installing the malware, and completing the infection process.

Fortunately, all identified apps have been removed from the Play Store, and their developers have been banned. However, if you downloaded any of these apps, they won’t be automatically removed from your device. If you have either of these two apps on your phone, uninstall them immediately. Additionally, change the passcodes of any banking apps you’ve used on your phone to prevent unauthorized access by the Anatsa threat actors.

How to Avoid Malware Apps

While malicious developers can be crafty, you can follow some tips to determine if an app on the Play Store is legitimate:

1. Scrutinize the App Listing: Examine the app’s name, description, and images. Do they align with the advertised service? Is the text professionally written, or filled with errors? A poorly presented page can indicate a fake app.
2. Trustworthy Publishers: Only download apps from reputable publishers. This is crucial for popular apps, as malware can impersonate high-profile apps. Verify the developer’s authenticity.
3. Check Requirements and Permissions: Avoid apps requesting unnecessary permissions, especially those asking for accessibility access, contact lists, or SMS. For instance, a PDF reader shouldn’t need access to your contacts.
4. Review Ratings and Comments: Be wary of apps with few ratings or overwhelmingly positive reviews that seem suspicious.
5. Support Email Address: Legitimate apps often have professional support email addresses, unlike many malware apps that use random Gmail accounts or other free email services.

While there’s no foolproof way to avoid malware apps entirely unless you refrain from installing any apps, being mindful of what you install and paying attention to permissions, developer information, and other details can help you identify and avoid sketchy apps.