77 malicious Android apps managed to infiltrate Google Play, collectively amassing over 19 million downloads before being removed. These apps weren’t just harmless games or utilities—they concealed various types of malware that put millions of users at risk.
The discovery was made by Zscaler's ThreatLabz team, who uncovered the infiltration while investigating a new campaign involving the Anatsa banking trojan (also known as TeaBot), which is designed to steal credentials and financial data from Android devices.
What’s most concerning is that the majority of these apps (over 66%) were loaded with adware, displaying intrusive ads and draining phone resources. But that wasn’t all—experts also detected the infamous Joker malware in nearly one in every four analyzed apps, capable of stealing sensitive data and even subscribing victims to premium services without their consent.
How Do Joker, Anatsa, Harly, and Dangerous Maskware Operate on Android?
Once Joker is installed on an Android device, the attackers behind it gain extensive access. The malware can read and send SMS messages, take screenshots, make calls, steal contact lists, collect device information, and subscribe victims to premium services without their knowledge.
But Joker wasn’t the only threat. Researchers also found the presence of maskware, a type of malicious app disguised as a regular application. It appears to function normally but secretly steals passwords, banking data, location, SMS messages, and other sensitive information in the background.
In many cases, cybercriminals use it as a backdoor to install even more malware on the device.
During the investigation, a variant of Joker known as Harly was also discovered. It presents itself as a legitimate app but hides deeply embedded malicious code designed to evade Google Play’s security checks.
The Anatsa Banking Trojan Continues to Grow
The Anatsa trojan, also known as TeaBot, keeps evolving and expanding its reach. The latest version has increased its list of targets, now attempting to compromise 831 banking and cryptocurrency apps—up from the 650 it previously attacked. Its goal remains clear: to steal users’ financial credentials and sensitive data.
To achieve this, the cybercriminals rely on a decoy app called “Document Reader – File Manager.” At first glance it looks like a legitimate tool, but once installed it silently downloads Anatsa’s malicious payload. Because the app submitted to the store is only a dropper, it passes Google Play’s security checks; the malicious code arrives after installation, and the infection goes unnoticed until the payload is already on the device.
Anatsa Trojan App on Google Play (Source: Zscaler)
In this new campaign, the attackers have changed how the payload is delivered. Earlier versions fetched a DEX file and loaded it through remote dynamic code loading; the current one ships the payload compressed inside JSON files, decompresses and installs it on the device, and then deletes the decompressed files to erase traces.
To avoid detection, they employ several evasion techniques:
- Malformed APK files that confuse static analysis tools.
- DES-encrypted strings that are decrypted only at runtime, so static analysis sees ciphertext instead of the code’s real strings.
- Emulator detection that disables the malicious behavior when the app finds itself running in a sandbox or test environment.
Additionally, the attackers regularly change package names and hashes, making it even harder for security systems to detect recurring patterns.
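Defenders triaging a suspected dropper of this kind need to look past the code that was reviewed and into the app's assets. The script below is an added example written for this article; it is not Zscaler's tooling and does not reproduce Anatsa's real packaging. It assumes a hypothetical layout in which a JSON asset carries a base64 string that zlib-decompresses to a classes.dex, but the check itself keys only on the DEX magic bytes (`dex\n`), so it also flags raw, zlib-, gzip- or base64-wrapped DEX blobs under `assets/`. The sample APK it scans is constructed in memory.

```python
"""Triage an APK for a DEX file hidden in its assets (added example, hypothetical format)."""
import base64
import binascii
import io
import json
import zipfile
import zlib

DEX_MAGIC = b"dex\n"
HEAD = len(DEX_MAGIC) + 4  # only the first few decompressed bytes are ever needed


def _inflate_head(data: bytes, wbits: int) -> bytes:
    """Decompress at most HEAD bytes, so a decompression bomb cannot hurt the scanner."""
    return zlib.decompressobj(wbits).decompress(data, HEAD)


def _decodes_to_dex(blob: bytes):
    """Return the decoding chain under which blob starts with the DEX magic, else None."""
    layers = [("raw", blob)]
    try:
        layers.append(("base64", base64.b64decode(blob, validate=True)))
    except (binascii.Error, ValueError):
        pass
    for name, data in list(layers):
        for comp, wbits in (("zlib", zlib.MAX_WBITS), ("gzip", 16 + zlib.MAX_WBITS)):
            try:
                layers.append((f"{name}+{comp}", _inflate_head(data, wbits)))
            except zlib.error:
                pass
    for name, data in layers:
        if data[: len(DEX_MAGIC)] == DEX_MAGIC:
            return name
    return None


def _json_strings(obj):
    """Yield every string value in a parsed JSON document, however deeply nested."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _json_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _json_strings(v)


def find_hidden_dex(apk_bytes: bytes) -> list[tuple[str, str]]:
    """Return (asset path, decoding chain) for every asset that hides a DEX file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            blob = zf.read(name)
            candidates = [blob]  # the whole file, plus each string inside a JSON asset
            if name.endswith(".json"):
                try:
                    candidates += [s.encode() for s in _json_strings(json.loads(blob))]
                except ValueError:
                    pass
            for cand in candidates:
                chain = _decodes_to_dex(cand)
                if chain:
                    hits.append((name, chain))
                    break
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample: an APK-like zip whose decoy config.json smuggles a fake DEX
    (only the magic bytes are real) as base64(zlib(dex)). Not a real Anatsa sample."""
    fake_dex = DEX_MAGIC + b"035\0" + bytes(64)
    smuggled = base64.b64encode(zlib.compress(fake_dex)).decode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", fake_dex)  # the app's own code, legitimately at the root
        zf.writestr("assets/strings.json", json.dumps({"greeting": "hello", "theme": "dark"}))
        zf.writestr("assets/config.json", json.dumps({"version": "1.2", "blob": smuggled}))
    return buf.getvalue()


if __name__ == "__main__":
    for path, chain in find_hidden_dex(build_sample_apk()):
        print(f"{path}: DEX found via {chain}")
```

Two details matter in practice: decompression is capped at a handful of bytes, because an attacker who knows analysts run such scanners can plant a decompression bomb in the same asset, and the walk covers every string in a JSON document rather than only top-level keys. Runtime DES string decryption, as used by the campaign, is not defeated by this check; it only answers the narrower question of whether an asset unpacks into executable code.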
Emulation Detection (Left) and Payload Retrieval (Right)
Anatsa and the New Wave of Malicious Apps on Google Play
The Anatsa banking trojan continues to prove how dangerous it is. One of its main tactics is abusing Android’s Accessibility Service: once the victim grants that permission, the trojan can drive the screen on its own and use it to grant itself further permissions without any user interaction.
With that foothold, it downloads phishing pages from its servers that mimic the 831 targeted banking and cryptocurrency apps, and its target list now extends to countries such as Germany and South Korea. The latest campaign also added a keylogger module that records keystrokes, capturing whatever the victim types.
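Because accessibility access is the hinge of this attack, the first thing to check on a device you suspect is which apps currently hold it. The script below is an added example, not a Google or Zscaler tool. It assumes you have captured two outputs over adb, `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of ComponentName strings, or `null` when nothing is enabled) and `adb shell pm list packages -3` (third-party packages, one `package:<name>` per line), and it flags any enabled service owned by a third-party package that is not on an allowlist you maintain yourself. The sample outputs are constructed, and `com.example.docreader` is a hypothetical package name, not the real decoy's.

```python
"""Audit enabled accessibility services from adb output (added example)."""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.docreader/.AccessService"  # hypothetical package, standing in for a dropper
)

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_THIRD_PARTY = """package:com.example.docreader
package:com.example.messenger
"""

# Packages whose accessibility service you knowingly enabled; everything else gets reviewed.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the secure setting into (package, fully qualified service class) pairs."""
    services = []
    for item in setting.strip().split(":"):
        if not item or item == "null":
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # ComponentName short form: ".Foo" means "<pkg>.Foo"
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_third_party(pm_output: str) -> set[str]:
    """Collect package names from `pm list packages` lines of the form package:<name>."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def suspicious_services(setting: str, pm_output: str, allowlist: set[str]) -> list[tuple[str, str]]:
    """Enabled accessibility services that belong to third-party packages outside the allowlist."""
    third_party = parse_third_party(pm_output)
    return [
        (pkg, cls)
        for pkg, cls in parse_enabled_services(setting)
        if pkg in third_party and pkg not in allowlist
    ]


if __name__ == "__main__":
    for pkg, cls in suspicious_services(SAMPLE_ENABLED, SAMPLE_THIRD_PARTY, ALLOWLIST):
        print(f"review: {pkg} runs accessibility service {cls}")
```

A file manager or document reader has no legitimate reason to run an accessibility service; if the audit flags one, treat the device as compromised and follow the guidance at the end of this article rather than simply revoking the permission.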
This isn’t the first time Anatsa has infiltrated Google Play. In July, another campaign was uncovered where the malware disguised itself as a PDF viewer, reaching over 50,000 downloads. Previous incidents include a QR and PDF reader in May 2024 with 70,000 infections, a Phone Cleaner and PDF campaign in February 2024 with 150,000 downloads, and a PDF viewer in March 2023 that reached 30,000 installations.
Wave of Malicious Apps on Google Play
Anatsa wasn’t acting alone in this operation. Most of the 77 malicious apps detected belonged to adware families, followed by Joker, Harly, and various types of maskware. These apps used highly popular categories as bait—such as tools, personalization, entertainment, photography, and design—making them especially risky for users.
Altogether, these malicious apps amassed over 19 million downloads before being removed from the official store. Google took them down after being notified, but by then they had already reached millions of devices.
How to Protect Yourself from Anatsa and Other Trojans
To minimize risk, Android users should:
- Keep Google Play Protect enabled; it scans installed apps and flags known harmful ones.
- Install only apps from well-known, trusted developers.
- Read real user reviews and avoid apps whose comments look suspicious or overly generic.
- Grant permissions only when they are clearly needed for the app’s core function, and be especially wary of any app that asks to be enabled as an accessibility service.
If you suspect an Anatsa infection or another banking trojan, it’s recommended to contact your bank or financial institution immediately to protect your credentials and prevent fraud.