Watch Out for These Malicious Apps on Android

Malware on the Play Store is back. Google seems to have more issues with malicious software on its app marketplace than Apple, though both companies have struggled with the issue over the years.

The latest issue concerns a banking trojan called “Anatsa,” which, according to Bleeping Computer, is currently targeting Android users in Europe, specifically in the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic. In fact, researchers at ThreadFabric reported at least 150,000 infections on Anatsa on Android devices since November 2023.

Hackers design trojan apps that will be popular enough to end up on the “Top New Free” pages on the Play Store. This, of course, increases the number of users who download these “dropper” apps, which, when installed, roll out their attacks in multi-staged infection steps. They’re able to sneak past security features Google added with Android 13 by abusing Accessibility Service.

How do Anatsa dropper apps work?

This round of Anatsa malware apps disguise themselves as PDF and cleaner apps, the latter of which advertises as a way to clear space off your Android phone.

When you install an Anasta app on your device, it asks you to enable a “hibernate battery-draining apps” feature, claiming the setting will save your battery by disabling certain power-hungry apps in the background. Unfortunately, this feature is actually designed to gain access to Accessibility Service. Without your knowledge, enabling this setting leads the Anatsa app right to the vulnerability to exploit on your device.

On set up, the app downloads a malicious code in a four-part process. It starts by downloading only the essentials part of the malware to hide itself from your phone’s security features. Next, it downloads a DEX file, which contains the code necessary for installing the payload (active malware). Following that, it downloads a configuration file with the link for the payload itself. Finally, the app downloads and launches the malware. Your phone is now infected.

Which apps are involved?

At this time, Google has removed all five identified apps. However, if you downloaded any on your Android phone, delete them ASAP:

Phone Cleaner – File Explorer
PDF Viewer – File Explorer
PDF Reader – Viewer & Editor
Phone Cleaner: File Explorer
PDF Reader: File Manager

How to avoid installing malicious apps

Ideally, you’d never need to worry about download malicious apps so long as you stick to apps from Google’s Play Store. After all, Google has procedures in place to only sell apps it approves of in advance. However, bad actors are sneaky, and get their malicious apps on the market without alerting Google’s detection.

Since hacklers like to hide malware in apps that promise to boost the power and productivity of your Android device, it’s best to avoid these types of apps unless they come from a large name that many users trust. If it looks like a brand new developer releasing an app that can clear up space on your phone, or read and edit PDFs, it’s best to stay away.

You’ll also want to carefully evaluate an app’s page before hitting the download button. Make sure the copy is well written, free of spelling and grammar mistakes. Make sure the images are high-quality, and actually show off what the app is supposed to be. Finally, read through some reviews, and ensure none complain of the app causing issues with their phones.