The Register

Malware-ridden apps made it into Google’s Play Store, scored 19 million downloads

Cloud security vendor Zscaler says customers of Google’s Play Store have downloaded more than 19 million instances of malware-laden apps that evaded the web giant’s security scans.

Zscaler’s ThreatLabz spotted and reported 77 apps containing malware, many of them purporting to be utilities or personalization tools.

Many contained an updated version of the Anatsa banking trojan, malware that first appeared in 2020. The latest build includes a keylogger for password collection, SMS interception capabilities, and anti-detection tools. Zscaler thinks it’s being used to target 831 financial institutions globally, including both crypto exchanges and regular banks.

What makes the new strain particularly worrisome is its ability to hide in plain sight, as demonstrated by the failure of Google’s malware detection systems. The latest build of Anatsa downloads each new chunk of code with a separate DES key to make detection harder, and alters its name to make it harder for scanners to spot.

“The core payload has been updated to incorporate a new keylogger variant of Anatsa. Additionally, the malware utilizes a well-known Android APK ZIP obfuscator for enhanced evasion. The payload is concealed within a JSON file, which is dynamically dropped at runtime and promptly deleted after being loaded,” Zscaler reported.

“The APK uses a corrupted archive to hide a file, which is deployed during runtime. This archive has invalid compression and encryption flags, making it hard for static analysis tools to detect. Since these tools depend on standard ZIP header checks in Java libraries, they fail to process the application. Despite this, the application will run on standard Android devices.”
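The static-analysis failure described in the quote above comes down to metadata: a ZIP entry whose general-purpose flags or compression method a stock library refuses to handle. A scanner that walks the ZIP structures itself rather than delegating to a library does not have that blind spot. The following is an added example, not code from Zscaler or The Register: it parses the end-of-central-directory record, the central directory and each local file header with `struct`, and reports any APK entry that claims ZIP encryption, uses a method other than STORED/DEFLATE, or whose local and central headers disagree. The sample archive and the `patch_entry_headers` fixture are constructed here purely to exercise the detector; the method value 255 is an arbitrary out-of-range choice, not a value taken from the report.

```python
"""Audit an APK/ZIP for entry metadata that stock ZIP libraries choke on.

Added example (not Zscaler's or The Register's code). Walks the central
directory and local headers by hand and flags entries whose compression
method or general-purpose flags are invalid for an APK, or disagree
between the two header copies.
"""
import io
import struct
import zipfile

EOCD_SIG, CD_SIG, LOCAL_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"
EOCD_FMT, CD_FMT, LOCAL_FMT = "<4sHHHHIIH", "<4sHHHHHHIIIHHHHHII", "<4sHHHHHIIIHH"
APK_METHODS = {0, 8}       # Android only accepts STORED (0) and DEFLATE (8)
FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0: traditional ZIP encryption


def iter_central_entries(data: bytes):
    """Yield (name, central_record_offset, local_header_offset, flags, method)."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    (_, _, _, _, n_entries, _cd_size, cd_offset, _) = struct.unpack(
        EOCD_FMT, data[eocd_at:eocd_at + 22])
    pos = cd_offset
    for _ in range(n_entries):
        rec = struct.unpack(CD_FMT, data[pos:pos + 46])
        if rec[0] != CD_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        flags, method = rec[3], rec[4]
        nlen, elen, clen, local_off = rec[10], rec[11], rec[12], rec[16]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield name, pos, local_off, flags, method
        pos += 46 + nlen + elen + clen


def read_local_header(data: bytes, offset: int):
    """Return (flags, method) from the local file header at `offset`."""
    rec = struct.unpack(LOCAL_FMT, data[offset:offset + 30])
    if rec[0] != LOCAL_SIG:
        raise ValueError(f"bad local header signature at {offset}")
    return rec[2], rec[3]


def audit_apk(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for name, _, local_off, cd_flags, cd_method in iter_central_entries(data):
        if cd_flags & FLAG_ENCRYPTED:
            findings.append(f"{name}: encryption flag set (APKs never use ZIP encryption)")
        if cd_method not in APK_METHODS:
            findings.append(f"{name}: compression method {cd_method} is not STORED/DEFLATE")
        try:
            l_flags, l_method = read_local_header(data, local_off)
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        if (l_flags, l_method) != (cd_flags, cd_method):
            findings.append(
                f"{name}: local header (flags={l_flags:#06x}, method={l_method}) "
                f"disagrees with central directory (flags={cd_flags:#06x}, method={cd_method})")
    return findings


def standard_library_can_read(data: bytes, name: str) -> bool:
    """What a library-based scanner sees: True only if the entry extracts cleanly."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(name)
        return True
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        return False


# ---- constructed test fixtures (not real apps) ----------------------------

def build_sample_apk() -> bytes:
    """A tiny stand-in for an APK, constructed in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/payload.json", b'{"k": "v"}')
    return buf.getvalue()


def patch_entry_headers(data: bytes, name: str, flags: int, method: int,
                        central: bool = True, local: bool = True) -> bytes:
    """Overwrite one entry's flags/method fields to build a bad-metadata fixture."""
    out = bytearray(data)
    for entry, cd_off, local_off, _, _ in iter_central_entries(data):
        if entry != name:
            continue
        if central:   # flags at +8, method at +10 in the central record
            out[cd_off + 8:cd_off + 12] = struct.pack("<HH", flags, method)
        if local:     # flags at +6, method at +8 in the local header
            out[local_off + 6:local_off + 10] = struct.pack("<HH", flags, method)
    return bytes(out)


if __name__ == "__main__":
    bad = patch_entry_headers(build_sample_apk(), "assets/payload.json", FLAG_ENCRYPTED, 255)
    print("stdlib can read:", standard_library_can_read(bad, "assets/payload.json"))
    print("\n".join(audit_apk(bad)))
```

The point of checking both header copies is that an archive only has to satisfy whichever copy the consuming parser trusts; reporting any disagreement, rather than trying to decide which copy is "right", is what keeps a triage scanner from being steered by the same trick that blinds a library-based one.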

Zscaler noted that the software requires users to grant it elevated permissions before it can cause harm, but attackers are hiding it in legitimate-seeming apps to fool users, and the technique is obviously working.

The nastiest malware in Google’s shopfront is still Joker, a strain that has been around since 2020 and shows no sign of disappearing. Joker specializes in harvesting credentials via SMS and was found to be the most common form of malware Zscaler detected, accounting for a quarter of infections.

Infosec researchers and platform providers generally rate app stores operated by third parties as more dangerous than web stores operated by the likes of Google and Apple.

Zscaler finding 77 malware-infested apps in Google Play raises serious questions about the Chocolate Factory’s security procedures.

Google insists it picked up on the flaws and protected against these malware infections before Zscaler issued its report. We asked if responsible disclosure spurred this discovery, but no one has confirmed or denied it.

Apple, despite having a better record than Google in such matters, isn’t immune to such issues.

In April, researchers at Kaspersky found malware, dubbed ComeCome, in Apple’s store. The code was built to drain the crypto wallets of infected users.

But from Zscaler’s findings it appears the bulk of malicious code being spread is for advertising fraud, the kind of low-return code that script kiddies use when they buy malware-as-a-service from illicit brokers. While this is an annoyance – not least for Google and other ad-based companies – malware like Anatsa is a much bigger deal for users. ®
