Overview
- Zscaler documented 77 malicious or adware-laden apps and reported them to Google, which pulled the listings and, according to reports, began removing them from enrolled devices via Play Protect.
- Anatsa’s latest campaign expands targeting to 831 financial institutions, including new banks in Germany and South Korea as well as crypto platforms, and steals credentials via tailored fake login pages.
- To evade detection, operators used droppers, runtime-loaded DEX payloads and malformed archives that conceal code until activation from command-and-control servers.
- Other families surfaced in the takedown, with Joker present in at least a quarter of the apps, Harly posing as simple utilities, and adware components found in about two thirds of the identified titles.
- Users who installed affected apps should uninstall them, run antivirus scans and review permissions such as Accessibility. Computer Bild reports that Google plans a developer identity requirement in 2026 to curb abuse.
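
One way to carry out the Accessibility review from a workstation, as an added example that is not taken from Zscaler or the cited reports: the script parses the value of Android's `enabled_accessibility_services` secure setting and lists every package holding the permission that is not on an allowlist. The allowlist contents and the sample value (including `com.example.docreader`) are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag enabled Accessibility services outside a trusted allowlist.

# Packages expected to hold Accessibility access (assumption: edit to suit).
ALLOWLIST="com.google.android.marvin.talkback"

# a11y_packages RAW
# RAW is the secure setting enabled_accessibility_services: colon-separated
# "package/class" components, or "null"/empty when no service is enabled.
a11y_packages() {
    raw=$(printf '%s' "$1" | tr -d '\r')        # adb output may carry CRs
    case "$raw" in
        ''|null) return 0 ;;
    esac
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r comp; do
        if [ -n "$comp" ]; then
            printf '%s\n' "${comp%%/*}"         # keep the package part only
        fi
    done | sort -u
}

# unexpected_a11y RAW
# Prints each enabled package that is not on ALLOWLIST, one per line.
unexpected_a11y() {
    a11y_packages "$1" | while IFS= read -r pkg; do
        case " $ALLOWLIST " in
            *" $pkg "*) ;;                      # expected, skip
            *) printf '%s\n' "$pkg" ;;          # needs a manual look
        esac
    done
}

# Constructed sample: TalkBack plus a made-up utility app holding the permission.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.docreader/com.example.docreader.HelperService'

# Live use (needs adb and USB debugging enabled), not run here:
#   unexpected_a11y "$(adb shell settings get secure enabled_accessibility_services)"
unexpected_a11y "$SAMPLE"
```

Any package it prints is a candidate for review under Settings, not proof of infection; legitimate password managers and assistive tools also request this permission.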