
Malware-ridden apps made it into Google's Play Store, scored 19 million downloads

(2025/08/26)


Cloud security vendor Zscaler says customers of Google’s Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant’s security scans.

Zscaler’s ThreatLabz [1]spotted and reported 77 apps containing malware, many of them purporting to be utilities or personalization tools.

Many contained an updated version of the Anatsa banking trojan, malware that first appeared in 2020. The latest build includes a keylogger for password collection, SMS interception capabilities, and anti-detection tools. Zscaler thinks it’s being used to target 831 financial institutions globally, including both crypto exchanges and regular banks.

What makes the new strain particularly worrisome is its ability to hide in plain sight, as demonstrated by the failure of Google's malware detection systems. The latest build of Anatsa downloads each new chunk of code with a separate DES key to make detection harder, and alters its name to make it harder for scanners to spot.

"The core payload has been updated to incorporate a new keylogger variant of Anatsa. Additionally, the malware utilizes a well-known Android APK ZIP obfuscator for enhanced evasion. The payload is concealed within a JSON file, which is dynamically dropped at runtime and promptly deleted after being loaded," Zscaler reported.

"The APK uses a corrupted archive to hide a file, which is deployed during runtime. This archive has invalid compression and encryption flags, making it hard for static analysis tools to detect. Since these tools depend on standard ZIP header checks in Java libraries, they fail to process the application. Despite this, the application will run on standard Android devices."
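A fail-closed screening check in the spirit of the Zscaler description above, added here as an illustration and not code from Zscaler or Google: it walks the ZIP central directory by hand so that entries whose compression method or encryption bit a standard library would refuse are still reported, and treats an archive the library cannot read as something to flag rather than skip. The sample archives are constructed inside the block and the function names are my own.

```python
import io
import struct
import zipfile

EOCD_SIG, CDFH_SIG = b"PK\x05\x06", b"PK\x01\x02"  # end-of-central-dir, central header
VALID_METHODS = {0, 8}  # stored, deflate: all an APK reader expects

def scan_zip_headers(data: bytes) -> list:
    """Walk the central directory by hand and list entries a standard reader would reject."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        return ["no end-of-central-directory record"]
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    pos, end, findings = cd_offset, cd_offset + cd_size, []
    while pos + 46 <= end and data[pos:pos + 4] == CDFH_SIG:
        flags, method = struct.unpack_from("<HH", data, pos + 8)  # general-purpose bits, method
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if method not in VALID_METHODS:
            findings.append(f"{name}: unknown compression method {method}")
        if flags & 0x0001:
            findings.append(f"{name}: encryption flag set")
        pos += 46 + name_len + extra_len + comment_len
    return findings

def stdlib_can_read(data: bytes) -> bool:
    """True only if Python's zipfile can open the archive and extract every member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.read(info)
        return True
    except Exception:
        return False

def should_flag(data: bytes) -> bool:
    """Fail closed: an unreadable or inconsistent archive is flagged, never passed through."""
    return not stdlib_can_read(data) or bool(scan_zip_headers(data))

def build_samples():
    """Constructed samples (not from the report): a clean ZIP, and a copy with method 99 + encryption bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.json", '{"note": "constructed sample"}' * 8)
    clean = buf.getvalue()
    bad = bytearray(clean)
    struct.pack_into("<HH", bad, bad.find(b"PK\x03\x04") + 6, 0x0001, 99)  # local file header
    struct.pack_into("<HH", bad, bad.find(CDFH_SIG) + 8, 0x0001, 99)       # central directory header
    return clean, bytes(bad)
```

The point is the last function: a scanner that merely catches the library's exception and moves on is exactly the gap the report describes, so the archive has to be flagged when parsing fails.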

Zscaler noted that the software requires users to grant it elevated permissions before it can cause harm, but attackers are hiding it in legitimate-seeming apps to fool users, and the technique is obviously working.

The nastiest malware in Google's shopfront is still Joker, a strain that has [6]been around since 2020 and shows no sign of disappearing. Joker specializes in harvesting credentials via SMS and was found to be the most common form of malware Zscaler detected, accounting for a quarter of infections.

Infosec researchers and platform providers generally rate app stores operated by third parties as more dangerous than web stores operated by the likes of Google and Apple.

Zscaler finding 77 malware-infested apps in Google Play raises serious questions about the Chocolate Factory’s security procedures.

Google insists it picked up on the flaws and protected against these malware infections before Zscaler issued its report. We asked if responsible disclosure spurred this discovery, but no one has confirmed or denied it.

[8]More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research

[9]Google pulls malware-infected apps in its Store, over 3 million users at risk

[10]Apple missed screenshot-snooping malware in code that made it into the App Store, Kaspersky claims

Apple, despite having a better record than Google in such matters, isn't immune either.

In April, researchers at Kaspersky found malware, [12]dubbed ComeCome, in Apple's store. The code was built to drain the crypto wallets of infected users.

But from Zscaler's findings it appears the bulk of malicious code being spread is for advertising fraud, which is the kind of low-return code script kiddies use when they buy malware-as-a-service from illicit brokers. While this is an annoyance – not least for Google and other ad-based companies – malware like Anatsa is a much bigger deal for users. ®


[1] https://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa

[6] https://www.theregister.com/2020/03/06/1_billion_vulnerable_android_devices_which/

[8] https://www.theregister.com/2020/03/06/1_billion_vulnerable_android_devices_which/

[9] https://www.theregister.com/2022/07/19/google_malware_apps/

[10] https://www.theregister.com/2025/02/07/infected_apps_google_apple_stores/

[12] https://www.theregister.com/2025/02/07/infected_apps_google_apple_stores/


Yay, this is why I love "smartphones".

Jou (Mxyzptlk)

Total lack of control, unless you choose to install an actually free version of a mobile OS. Which is somewhat limited.

For > 99% this means: lack of control, enforced blind trust. And you cannot avoid it, since even banking 2FA moved to "App" to prevent any mechanism of control by users, including some that refuse to work on a free Android version. Does the "App" (i.e. newspeak for program) communicate encrypted? Does it use newer encryption or just ROT13? You cannot check, you cannot see the ports used, and unless you have your special WLAN sniffer (including faking a normal 4G or 5G AP) you are doomed.

Apple and Google say that they "control and check" -> No, not enough, proven again and again. Reason: Only $ matters.

Re: Yay, this is why I love "smartphones".

Mentat74

Yup.. got harassed by my bank to use their 'app' but I don't have a smartphone... flat out refused to use one for banking...

So they gave me one of those e-identifiers... works offline and can't be hacked...

Re: Yay, this is why I love "smartphones".

PCScreenOnly

Yup a phone with an out of date OS that is easily compromised – banking apps = fine

phone with an updated OS and should be more secure = nope

Re: Yay, this is why I love "smartphones".

elsergiovolador

Regulators should look into it. It's funny that you can't access the app due to "security", but you can login perfectly fine and do whatever through web browser.

Simon

It would be nice to know how to check for any apps they found, if nothing else a list of them would be nice.

Data Sanitization 101

Craig 2

"The APK uses a corrupted archive to hide a file.... has invalid compression and encryption flags"

NEVER accepting corrupted and invalid data is the number one thing you learn in coding.... If it can't be scanned - black flagged.

Oh.....and the Apple Store.....

Anonymous Coward

.....has many (eight?) VPN apps which are owned by the Chinese!!!!!

Interesting these days, since VPNs seem to be increasingly popular!!

Link: https://www.techtransparencyproject.org/articles/spot-check-apple-and-google-still-have-a-chinese-vpn-problem

Doctor Syntax

I treat such devices as being untrustworthy so don't link to a bank account and don't install banking apps.