Overview
- Zscaler identified 77 malicious Android apps on Google Play that collectively amassed over 19 million installs and delivered multiple malware families.
- Anatsa (TeaBot) has expanded to target about 831 banking and cryptocurrency apps worldwide, adding regions such as Germany and South Korea and introducing a keylogger, SMS interception, and overlay phishing to aid fraudulent transactions.
- Attackers used decoy utilities like document readers and file managers as droppers that fetched the payload after installation to bypass store review.
- The latest campaigns employed advanced evasion, including runtime DES-based string decryption, corrupted APK/ZIP obfuscation, emulation and device-model checks, and periodic package and hash rotation.
- Google removed the reported apps from the Play Store, Play Protect detections were in place, and users with installed copies are advised to uninstall suspicious apps, review Accessibility permissions, and contact their bank if compromise is suspected.
- Joker was the most common malware family; Harly variants and widespread adware were also found.
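The evasion list above includes corrupted APK/ZIP obfuscation, that is, archives deliberately damaged so that analysis tooling fails to parse them even though the device can still install or load them. The following is an added example, not code from Zscaler, Google, or the report: a defender-side triage check that reports whether an APK's ZIP container parses cleanly (readable central directory, a listed `AndroidManifest.xml`, no duplicate entry names, and local headers and CRCs that agree with the central directory). The sample archive and the two corruption helpers are constructed in memory purely to exercise the check; the function only inspects the ZIP container and says nothing about the DEX or manifest contents.

```python
"""Triage check for APK (ZIP) structural integrity.

Added example (not from the Zscaler report): flags APKs whose ZIP container
does not parse cleanly, which is the kind of file static tooling may silently
skip. Sample archives are constructed in memory below.
"""
import io
import zipfile


def check_apk_structure(data: bytes) -> dict:
    """Return a dict describing whether `data` is a structurally sound APK.

    Keys: parsed (central directory readable), entries, has_manifest,
    first_bad_entry (first entry whose local header or CRC fails), issues.
    """
    report = {"parsed": False, "entries": 0, "has_manifest": False,
              "first_bad_entry": None, "issues": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        # End-of-central-directory record or central directory unreadable.
        report["issues"].append(f"central directory unreadable: {exc}")
        return report

    with zf:
        names = zf.namelist()
        report["parsed"] = True
        report["entries"] = len(names)
        report["has_manifest"] = "AndroidManifest.xml" in names
        if not report["has_manifest"]:
            report["issues"].append("AndroidManifest.xml not listed in central directory")
        if len(names) != len(set(names)):
            report["issues"].append("duplicate entry names in central directory")
        # testzip() walks every entry, re-parses its local header and verifies
        # the CRC; it returns the first entry name that fails, or None.
        bad = zf.testzip()
        if bad is not None:
            report["first_bad_entry"] = bad
            report["issues"].append(f"local header or CRC mismatch for entry {bad!r}")
    return report


def build_sample_apk() -> bytes:
    """Construct a minimal, well-formed APK-like ZIP (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("res/values/strings.xml", b"<resources/>")
    return buf.getvalue()


def corrupt_local_header(data: bytes) -> bytes:
    """Overwrite the first local file header signature (PK\\x03\\x04)."""
    idx = data.find(b"PK\x03\x04")
    assert idx != -1
    return data[:idx] + b"XX\x03\x04" + data[idx + 4:]


def corrupt_central_directory(data: bytes) -> bytes:
    """Overwrite the end-of-central-directory signature (PK\\x05\\x06)."""
    idx = data.rfind(b"PK\x05\x06")
    assert idx != -1
    return data[:idx] + b"XX\x05\x06" + data[idx + 4:]


if __name__ == "__main__":
    clean = build_sample_apk()
    for label, blob in [("clean", clean),
                        ("local header corrupted", corrupt_local_header(clean)),
                        ("central directory corrupted", corrupt_central_directory(clean))]:
        print(label, check_apk_structure(blob))
```

In a pipeline, a sample that fails this check is a candidate for manual inspection rather than a verdict on its own: a parse failure means the usual decompilers may have produced nothing, so the absence of static findings should not be read as benign.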