Google is waging an endless war against threat actors who want to steal our data with malicious apps. At least once a month, the cybersecurity community appears to find a malware campaign threatening Android users. Late last month, researchers from cybersecurity company ThreatFabric found another cluster of dangerous Android malware apps on the Play store. These apps posed as PDF scanners, QR readers, and banking apps. They belong to four different malware families, were distributed over the course of four months, and were downloaded over 300,000 times.
New Android malware apps on the Play Store
As ThreatFabric notes, Google has made strides in keeping Android malware apps off its app store. A few weeks ago, Google closed a loophole that allowed hackers to abuse accessibility tools to install apps without a user’s consent. But hackers never stop finding new ways to infiltrate the store.
Because Google works so hard to detect malware, the creators of these apps have to find new ways to skirt detection. As a result, the threat actors have been forced to reduce the footprint of the dropper apps they create. Rather than upload a blatantly malicious app to Google Play, hackers will instead roll out “carefully planned small malicious code updates over a longer period.”
It’s a longer, more complicated process, but it’s far more successful in avoiding detection. When the researchers initially tested each of the apps on VirusTotal, they came back clean. Over the course of days, weeks, or months, an otherwise innocuous app could become dangerous.
How does the infiltration work?
According to ThreatFabric, the banking trojan Anatsa is to blame for a majority of the infections that its researchers uncovered. The team went into detail about how Anatsa infects smartphones:
The process of infection with Anatsa looks like this: upon the start of installation from Google Play, the user is forced to update the app in order to continue using the app. In this moment, Anatsa payload is…