Remove These Newly Discovered Malicious Apps From Your Android Device
This week, the security research group Zscaler said it had identified more than 90 malicious Android apps on the Play Store. Between them, the apps had been installed more than 5.5 million times, and several were part of the ongoing Anatsa banking-malware campaign, which targets more than 650 apps belonging to financial institutions.
As of February 2024, Anatsa had infected at least 150,000 devices through a series of decoy apps, many of them posing as productivity tools. Zscaler has not named most of the apps involved in this latest wave, but two are known: PDF Reader & File Manager and QR Reader & File Manager. At the time of Zscaler’s investigation, both apps had passed 70,000 installs.
How These Malicious Apps Infect Your Phone
Google reviews every app submitted to the Play Store, but campaigns like Anatsa are built to pass that review: the app that is uploaded is a clean-looking dropper that fetches its real payload in several stages, and only after it has been installed on a user’s device. In other words, the application disguises itself as a legitimate one, and the infection starts only once it is installed and run.
You may think you are downloading a PDF reader, but once the app is installed and opened, the dropper contacts its command-and-control (C2) server and retrieves the configuration and strings it needs. It then downloads a DEX file containing malicious code and loads it. That DEX file reads the URL of the Anatsa payload from the configuration, downloads the payload and installs it, completing the infection of your phone.
Fortunately, all of the identified applications have been removed from the Play Store and their developers banned. That does not, however, remove the apps from phones they were already installed on. If you have either of these two apps on your phone, uninstall it immediately. You should also change the passwords for any banking apps you use on the phone, to stop the attackers behind Anatsa from getting into your accounts.
How to Avoid Malicious Apps
While malicious developers can be sneaky, there are a few checks you can make to judge whether an app on the Play Store is legitimate. First, look closely at the app’s listing: its name, description and screenshots. Does everything match the service the developer advertises? Is the text well written, or riddled with errors? The less professional the listing looks, the more likely it is to be a fake.
Only download apps from publishers you trust. This matters especially when you are downloading a popular app, because malicious apps often imitate high-profile ones. Double-check the developer name on the listing to make sure it is who it claims to be.
You should also check the permissions an app requests. Be very wary of anything that asks you to enable an accessibility service: malware such as Anatsa relies on it to read what is on your screen and to tap and type on your behalf, which is how it gets around the protections built into newer devices. Other permissions to watch for are access to your contacts and to SMS. If a PDF reader wants your contacts, that is a big red flag.
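The permission checks above, and the advice to remove a suspect app, can be applied to a phone you already have in hand rather than only to a Play Store listing. The script below is an added example, not code from the article or from Zscaler: it parses the output of `adb shell dumpsys package` and of `adb shell settings get secure enabled_accessibility_services` and flags packages that request the risky permissions discussed here or that have an accessibility service switched on. The package names, the sample dumpsys text and the list of expected accessibility providers are constructed for illustration; the real article does not give package names for the two apps.

```python
"""Triage installed Android packages for the risk signals the article describes.

Real input comes from a USB-debugging session:
    adb shell dumpsys package                       # all packages, or one: dumpsys package <pkg>
    adb shell settings get secure enabled_accessibility_services
Everything below is run on a constructed sample so it works offline.
"""
import re
from collections import defaultdict

# Permissions singled out in the article, with the reason each one matters.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "can read SMS, including one-time passcodes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.READ_CONTACTS": "reads your contact list",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages (dropper behaviour)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay phishing)",
}

# Accessibility services expected on a stock device. Assumption for this example;
# extend it for your own device or ROM. An accessibility service is not a requested
# permission: it appears in the secure setting once the user has enabled it.
KNOWN_ACCESSIBILITY_PROVIDERS = {"com.google.android.marvin.talkback", "com.android.talkback"}

_PKG_HEADER = re.compile(r"^\s*Package \[([\w.]+)\]")
_PERM_LINE = re.compile(r"^\s+([\w.]*permission[\w.]*)\s*$")


def parse_requested_permissions(dumpsys_text):
    """Map package name -> set of permissions listed under 'requested permissions:'."""
    perms = defaultdict(set)
    current = None
    in_requested = False
    for line in dumpsys_text.splitlines():
        header = _PKG_HEADER.match(line)
        if header:
            current = header.group(1)
            in_requested = False
            continue
        if line.strip() == "requested permissions:":
            in_requested = True
            continue
        if in_requested:
            perm = _PERM_LINE.match(line)
            if perm and current:
                perms[current].add(perm.group(1))
            else:
                in_requested = False  # next section header or blank line ends the block
    return dict(perms)


def parse_accessibility_services(setting_value):
    """Packages with an enabled accessibility service ('pkg/Service:pkg/Service' or 'null')."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in setting_value.strip().split(":") if entry}


def triage(dumpsys_text, accessibility_setting):
    """Return {package: [reasons]} for packages that deserve a closer look."""
    findings = defaultdict(list)
    for pkg, requested in parse_requested_permissions(dumpsys_text).items():
        for perm in sorted(requested & set(RISKY_PERMISSIONS)):
            findings[pkg].append(f"{perm}: {RISKY_PERMISSIONS[perm]}")
    for pkg in sorted(parse_accessibility_services(accessibility_setting) - KNOWN_ACCESSIBILITY_PROVIDERS):
        findings[pkg].append("accessibility service enabled: can read the screen and act on your behalf")
    return dict(findings)


# Constructed sample: a fake "PDF reader" that asks for far more than it needs,
# and a harmless flashlight app. Package names are made up.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.pdfreader] (3f2a1b):
    userId=10214
    versionName=1.4.2
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.flashlight] (8c9d0e):
    userId=10215
    requested permissions:
      android.permission.CAMERA
    install permissions:
      android.permission.CAMERA: granted=true
"""
SAMPLE_ACCESSIBILITY = (
    "com.example.pdfreader/com.example.pdfreader.svc.Helper:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_DUMPSYS, SAMPLE_ACCESSIBILITY).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

The verdict is a heuristic: a messaging app legitimately needs SMS and contacts, so treat a hit as a prompt to look at the listing and developer, not as proof of malware. Anything you decide to remove can be uninstalled from Settings or with `adb uninstall <package>`.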
Also read the app’s reviews. Be wary of apps with few ratings, or ones where all the reviews seem suspiciously positive.
The app’s support email address can also be telling. Many malicious apps list a random Gmail (or other free) account as their support contact. Not every legitimate app has a professional support address, but the contact details the developer provides often reveal whether something is off.
Unfortunately, there is no foolproof way to avoid malicious apps short of not installing apps at all. But if you are careful about what you install and pay attention to permissions, developer information and the other signals above, you can usually tell whether an app is sketchy.