SAN JOSE, Calif. — Security researchers are warning that dozens of Android apps with millions of downloads from Google’s official app store were secretly spreading malware that targeted hundreds of banks worldwide.
Zscaler’s ThreatLabz team reported that 77 malicious apps with more than 19 million installs on Google Play delivered different malware strains, including the Anatsa banking trojan, Joker and so-called “maskware.”
Anatsa, also known as TeaBot, was first identified in 2020 and has evolved into a sophisticated threat.
According to Zscaler, the latest version now targets more than 831 financial institutions globally, up from 650, and has expanded into countries such as Germany and South Korea. The company did not release a list of the affected institutions, but noted that the malware also goes after cryptocurrency platforms.

The Masquerade
Zscaler’s researchers said many of the decoy apps masqueraded as document readers and other utilities, some logging more than 50,000 downloads each. One, called “Document Reader – File Manager,” appeared functional but secretly downloaded malware disguised as an update after installation, the company said.
Zscaler explained that once active, Anatsa can trick users into enabling Android’s Accessibility Services, allowing it to steal banking credentials, capture keystrokes and display fake login screens. Stolen information is then funneled to attackers, who can make fraudulent transactions.
The company further warned that the malware is designed to evade detection, using encryption, code obfuscation and corrupted files to frustrate security tools.

What’s Found Most Frequently
Zscaler said Joker, the most frequently found malware in its review, appeared in nearly a quarter of the infected apps. Joker can steal contacts, take screenshots, send messages and enroll users in premium services without consent. Another threat, Harly, is a Joker variant that hides its malicious code deep inside otherwise legitimate apps.
In its report, the company warns that these campaigns highlight risks even in official app stores.
