Particle.news

Google Pulls 77 Malicious Play Store Apps After 19 Million Installs

The takedown followed Zscaler's finding of an upgraded Anatsa variant that targets about 831 financial apps using new evasion and data-theft techniques.

Android banking malware

Overview

  • Zscaler identified 77 Play Store apps with more than 19 million downloads that seeded adware (66.4%), Joker variants (24.7%), and other loaders including Harly and maskware.
  • The Anatsa trojan was delivered through decoy utilities such as “Document Reader – File Manager,” with some lures surpassing 50,000 installs.
  • The latest Anatsa build now targets roughly 831 banking and cryptocurrency apps, newly covering Germany and South Korea, and fetches phishing pages to harvest credentials.
  • Researchers report a shift from remote DEX loading to direct payload unpacking from JSON files, plus DES-based runtime string decryption, emulation checks, malformed APKs, and rotating package names and hashes.
  • Google removed the reported titles after disclosure, and users are urged to keep Play Protect enabled, review permissions carefully, and coordinate with their bank if infection is suspected.