90+ Malicious Apps Totaling 5.5M Downloads Lurk On Google Play

More than 90 malicious mobile apps have been downloaded more than 5.5 million times from the Google Play store in the last few months. They spread various malware, including the Anatsa banking Trojan, researchers have found.

The apps, discovered by researchers at Zscaler over the past few months, act as decoys for the malware, and include a variety of PDF and QR code readers as well as file managers, editors, and translators, Zscaler revealed in a blog post published yesterday.

Anatsa (aka Teabot) is a sophisticated Trojan that first uses second-stage dropper applications that appear benign to users to deceive them into installing the payload. Once installed, it uses a range of evasive tactics to exfiltrate sensitive banking credentials and financial information from global financial applications.

"It achieves this through the use of overlay and accessibility techniques, allowing it to intercept and collect data discreetly," Zscaler's Himanshu Sharma and Gajanana Khond wrote in the post.

While Anatsa is one of the most "impactful" malware families currently being distributed on Google Play, others include the Joker fleeceware, the credential-stealing Facestealer, and various types of adware, according to Zscaler. They have also seen the Coper Trojan in the mix.

Further, Zscaler's analysis shows that the app categories most commonly used to hide malware on the mobile app store are tools, such as the ones behind which Anatsa lurks, followed by personalization and photography apps.

Evading Google Play Malware Detection

Attackers behind Anatsa — which can exfiltrate data from more than 650 financial apps — previously targeted mainly Android users in Europe; however, Zscaler reports the malware is "actively targeting" banking apps in the US and UK as well. Operators also appear to have expanded targets to financial institutions in more European countries — including Germany, Spain, and Finland — as well as South Korea and Singapore, the researchers noted.

Though Google has made a significant effort to block malicious apps from getting onto its mobile app store, Anatsa uses an attack vector that can slip past these protections, according to Zscaler. It does this through a dropper technique that makes it look as if the initial app is clean upon installation.

"However, once installed, the application proceeds to download malicious code or a staged payload from a command-and-control (C2) server, disguised as an innocuous application update," the researchers wrote. "This strategic approach enables the malware to be uploaded to the official Google Play Store and evade detection."

Anatsa in Attack Mode

Though the researchers identified a number of malicious apps, they specifically observed two malicious Anatsa payloads distributed via apps that impersonated PDF and QR-code reader applications. These types of apps often lure a large number of installations, which in turn "further aids in deceiving victims into believing that these applications are genuine," they noted.

Anatsa infects a device by using remote payloads retrieved from command-and-control (C2) servers to carry out further malicious activity. Once installed, it launches a dropper application to download the next-stage payload.

The Trojan uses other deceptive tactics in its attack vector that make it difficult for users or threat hunters to detect, the researchers noted. Before executing, it checks the device environment and device type, most likely to detect sandboxes and analysis environments; it then loads its third stage and final payload only if the coast is clear.

Once loaded, Anatsa requests various permissions, including the SMS and accessibility options, and establishes communication with the C2 server to carry out various activities, such as registering the infected device and retrieving a list of targeted applications for code injections.

To steal user financial data, Anatsa downloads a target list of financial apps from the C2 and checks the device to see if they are installed. It communicates the info back to the C2, which then provides fake login pages for the installed apps to deceive users into providing their credentials, which are then sent back to the attacker-controlled server.

Remaining Vigilant Against Mobile Cyber Threats

Despite Google's best efforts, it's been impossible so far for the company to keep malicious Android apps off the Google Play store. As cybercriminals continue to evolve and craft malware with increasingly evasive tactics, "it becomes crucial for organizations to implement proactive security measures to safeguard their systems and sensitive financial information," the Zscaler researchers noted.

To help corporate mobile users avoid compromise, organizations should adopt a so-called "zero trust" architecture that focuses on user-centric security and ensures that all users "are authenticated and authorized before accessing any resources, regardless of their device or location," they advised.

Android users can also protect corporate networks by not downloading mobile applications while connected to an enterprise network, and by using appropriate discernment and staying alert to suspicious app activity even when installing apps from trusted app stores.


Over 90 Malicious Android Apps With 5.5M Installs Found On Google Play

Over 90 malicious Android apps were found installed over 5.5 million times through Google Play to deliver malware and adware, with the Anatsa banking trojan seeing a recent surge in activity.

Anatsa (aka "Teabot") is a banking trojan that targets over 650 applications of financial institutions in Europe, the US, the UK, and Asia. It attempts to steal people's e-banking credentials to perform fraudulent transactions.

In February 2024, Threat Fabric reported that since late last year, Anatsa had achieved at least 150,000 infections via Google Play using various decoy apps in the productivity software category.

Today, Zscaler reports that Anatsa has returned to Android's official app store and is now distributed via two decoy applications: 'PDF Reader & File Manager' and 'QR Reader & File Manager.'


At the time of Zscaler's analysis, the two apps had already amassed 70,000 installations, demonstrating the high risk of malicious dropper apps slipping through the cracks in Google's review process.

One thing that helps Anatsa dropper apps evade detection is the multi-stage payload loading mechanism that involves four distinct steps:

  • Dropper app retrieves configuration and essential strings from the C2 server
  • DEX file containing malicious dropper code is downloaded and activated on the device
  • Configuration file with Anatsa payload URL is downloaded
  • DEX file fetches and installs the malware payload (APK), completing the infection

The DEX file also performs anti-analysis checks to ensure the malware won't be executed on sandboxes or emulating environments.
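The staged sequence above is what a defender can correlate on: no single step is conclusive, but a freshly installed app that fetches a small configuration, pulls down a binary blob, loads it as code from its own writable directory and then asks to install an APK has walked the whole chain. The following Python sketch is an added example, not code from any of the reports quoted on this page and not Zscaler's tooling. The event records, package names, file paths and size thresholds are constructed for the example, and the stage predicates are simplified (the second configuration download is folded into the DEX stage).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    """One observed device action. Field names are this example's own."""
    ts: int        # seconds since the app was installed
    pkg: str       # package name (hypothetical values below)
    kind: str      # "http", "dex_load" or "install_request"
    detail: str    # URL path, loaded file path or install target
    size: int = 0  # response or file size in bytes (0 when not applicable)


def is_config_fetch(e: Event) -> bool:
    # Small JSON-like response from a remote host shortly after install.
    return e.kind == "http" and e.detail.endswith(".json") and e.size < 8192


def is_dex_download(e: Event) -> bool:
    # Larger binary blob; droppers rarely name it ".dex", so ".bin" counts too.
    return e.kind == "http" and e.detail.endswith((".dex", ".bin")) and e.size >= 8192


def is_dynamic_dex_load(e: Event) -> bool:
    # Code loaded from the app's private, writable directory rather than its APK.
    return e.kind == "dex_load" and "/data/data/" in e.detail


def is_apk_install_request(e: Event) -> bool:
    return e.kind == "install_request" and e.detail.endswith(".apk")


# The four stages in the order the article lists them (step 3 folded into 2).
STAGES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("config_fetch", is_config_fetch),
    ("dex_download", is_dex_download),
    ("dex_load", is_dynamic_dex_load),
    ("apk_install", is_apk_install_request),
]


def stages_reached(events: List[Event], window_s: int = 3600) -> Dict[str, List[str]]:
    """Per package, the ordered stages seen within window_s of its first event.

    A stage only counts after every earlier stage has matched, so unrelated
    traffic (an image download, say) cannot advance the detector out of order.
    """
    result: Dict[str, List[str]] = {}
    first_ts: Dict[str, int] = {}
    for e in sorted(events, key=lambda x: x.ts):
        first_ts.setdefault(e.pkg, e.ts)
        reached = result.setdefault(e.pkg, [])
        if e.ts - first_ts[e.pkg] > window_s or len(reached) == len(STAGES):
            continue
        name, predicate = STAGES[len(reached)]
        if predicate(e):
            reached.append(name)
    return result


def flagged_packages(events: List[Event], window_s: int = 3600) -> List[str]:
    """Packages that completed all four stages inside the window."""
    return sorted(pkg for pkg, seen in stages_reached(events, window_s).items()
                  if len(seen) == len(STAGES))


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # A benign-looking app: fetches config and an image, never loads code at runtime.
    Event(5, "com.example.notes", "http", "/api/config.json", 900),
    Event(9, "com.example.notes", "http", "/cdn/banner.png", 40000),
    # A staged sequence matching the four steps described above.
    Event(3, "com.example.pdfviewer", "http", "/v1/strings.json", 1200),
    Event(30, "com.example.pdfviewer", "http", "/v1/update.bin", 250000),
    Event(31, "com.example.pdfviewer", "dex_load",
          "/data/data/com.example.pdfviewer/files/update.bin"),
    Event(95, "com.example.pdfviewer", "install_request",
          "/data/data/com.example.pdfviewer/files/payload.apk"),
]

if __name__ == "__main__":
    for pkg, seen in stages_reached(SAMPLE_EVENTS).items():
        print(pkg, "->", seen)
    print("flagged:", flagged_packages(SAMPLE_EVENTS))
```

The window parameter matters: the same four events spread over days look like an ordinary update cycle, so a short window after first launch is what separates a dropper from a normal app that legitimately self-updates.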

Once Anatsa is up and running on the newly infected device, it uploads the bot configuration and app scan results and then downloads the injections that match the victim's location and profile.

Zscaler reports that during the past couple of months, it has also discovered over 90 malicious applications on Google Play, which were collectively installed 5.5 million times.

Most of the malicious apps impersonated tools, personalization apps, photography utilities, productivity, and health & fitness apps.

The five malware families dominating the scene are Joker, Facestealer, Anatsa, Coper, and various adware.

Though Anatsa and Coper only account for 3% of the total malicious downloads from Google Play, they are far more dangerous than the others, capable of performing on-device fraud and stealing sensitive information.

When installing new apps on Google Play, review the requested permissions and decline those associated with high-risk activities such as Accessibility Service, SMS, and contacts list.
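The permission review suggested above can be automated against an app's manifest, which is useful both for an individual checking a sideloaded APK and for a mobile-device-management team vetting apps before they are allowed on managed handsets. The following Python script is an added example, not from the reports quoted here. The two manifests are constructed, the "why it matters" text is the example's own, and the "decline" rule (an accessibility service combined with SMS or overlay permission) is an assumption chosen to match the overlay-and-accessibility behaviour the articles describe. The permission names and the android XML namespace are real.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}

# Real Android permission names; the descriptions are this example's own.
HIGH_RISK: Dict[str, str] = {
    "android.permission.READ_SMS": "read stored SMS (one-time passcodes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.READ_CONTACTS": "read the contacts list",
    OVERLAY: "draw windows over other apps (fake login screens)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs",
    A11Y: "accessibility service (read screen, inject input)",
}


def triage_manifest(xml_text: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (package name, [(permission, why it matters), ...]) for every
    high-risk capability an AndroidManifest.xml declares."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "<unknown>")
    findings: List[Tuple[str, str]] = []
    for el in root.iter("uses-permission"):
        name = el.get(NAME_ATTR, "")
        if name in HIGH_RISK:
            findings.append((name, HIGH_RISK[name]))
    # The accessibility capability is not a <uses-permission>; it is the
    # android:permission attribute on the <service> that implements it.
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == A11Y:
            findings.append((A11Y, HIGH_RISK[A11Y]))
    return pkg, findings


def verdict(findings: List[Tuple[str, str]]) -> str:
    """Assumed policy: accessibility plus SMS or overlay is the banking-trojan
    combination and is declined outright; any other high-risk item is reviewed."""
    names = {name for name, _ in findings}
    if A11Y in names and (names & SMS_PERMS or OVERLAY in names):
        return "decline"
    return "review" if names else "ok"


# Constructed manifests (not real apps). The first mimics a "PDF reader" that
# asks for far more than reading files; the second asks only for what it needs.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
""".strip()

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application/>
</manifest>
""".strip()

if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        pkg, findings = triage_manifest(xml)
        print(pkg, "->", verdict(findings))
        for name, why in findings:
            print("   ", name, "-", why)
```

On a real APK the manifest is binary-encoded inside the archive; run it through a decoder such as apktool or aapt first, then feed the resulting text to triage_manifest. The point of the category check is the mismatch: a file viewer has no business reading SMS or binding an accessibility service.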

The researchers did not disclose the names of the 90+ apps and whether they had been reported to Google for takedown.

However, at the time of writing this, the two Anatsa dropper apps discovered by Zscaler have been removed from Google Play.

Update 5/30 - A Google spokesperson told BleepingComputer that the developers behind the offending apps have been banned, and shared the following statement:

All of the identified malicious apps have been removed from Google Play.

Google Play Protect also protects users by automatically removing or disabling apps known to contain this malware on Android devices with Google Play Services.


These 90 Android Apps Want To Make Your Life Miserable And Have Been Downloaded 5.5 Million Times

When you download an app from an official marketplace like Google Play, you generally assume it is safe. However, more often than Google would like to admit, apps that look harmless but are dangerous have made it to the store. In the last few months alone, 90 malicious apps were found on Google Play. Criminals often think a step ahead of everyone else, which is how they succeed in convincing Google to let them host their apps on its store and make their products look useful enough to be downloaded by millions of people.

No matter how smart cyber criminals are, there is always someone ready to catch them. This time around, Zscaler ThreatLabz emerged as a saviour. The company identified the 90 apps that were available on Google Play and were downloaded more than 5.5 million times.

Many of the apps were dropper apps, meaning apps that look useful to users but exist to install malware on their device. The harmful apps were found to be spreading different malware families, including Joker, adware, Facestealer, Anatsa, and Coper.

Though only 2 percent and 1 percent of the apps were found to be facilitating the installation of Anatsa and Coper respectively, that is alarming enough, considering they are both very impactful trojans.

Two apps associated with Anatsa mentioned in the report are PDF Reader & File Manager and QR Reader & File Manager, which were downloaded over 70,000 times.

The names of the other 88 apps have not been revealed, with the report only saying that 39 percent of them fell under the Tools category, 20 percent were personalisation apps, around 13 percent were related to Photography, and the rest belonged to the Productivity, Health & Fitness, Communication, Art & Design, and Entertainment categories.

The researchers also found that the malicious apps targeted residents of the US, UK, Germany, Spain, Finland, South Korea, and Singapore.

The report serves as another reminder that you can never be careful enough when downloading an app. Even if you only install apps from the Google Play Store, you must take a zero-trust approach and check things such as user reviews and the name of the publisher to ensure you are not downloading a malicious app.





