CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

77 Malicious Android Apps Removed from Google Play with 19M Installs

First reported
Last updated
πŸ“° 1 unique sources, 1 articles

Summary

Hide β–²

Google removed 77 malicious Android apps from the Play Store, which had been installed over 19 million times. These apps delivered various malware families, including Anatsa (Tea Bot) banking trojan, Joker, Harly, and maskware. The apps primarily targeted users with adware, but also included sophisticated malware capable of stealing sensitive information and subscribing users to premium services. The discovery was made by Zscaler's ThreatLabs team, which identified a significant increase in adware and banking trojans, while noting a decline in other malware families. The malicious apps often disguised themselves as legitimate tools and personalization apps, exploiting Accessibility permissions to gain extensive privileges.

Timeline

  1. 25.08.2025 19:37 πŸ“° 1 articles Β· ⏱ 22d ago

    77 Malicious Android Apps with 19M Installs Removed from Google Play

    Google removed 77 malicious Android apps from the Play Store, which had been installed over 19 million times. These apps delivered various malware families, including Anatsa (Tea Bot) banking trojan, Joker, Harly, and maskware. The apps primarily targeted users with adware but also included sophisticated malware capable of stealing sensitive information and subscribing users to premium services. The discovery was made by Zscaler's ThreatLabs team, which identified a significant increase in adware and banking trojans, while noting a decline in other malware families. The malicious apps often disguised themselves as legitimate tools and personalization apps, exploiting Accessibility permissions to gain extensive privileges.

    Show sources
    Open in new tab

Information Snippets

  • The malicious apps were discovered by Zscaler's ThreatLabs team during an investigation into a new infection wave involving the Anatsa banking trojan.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • Over 66% of the malicious apps included adware components, with Joker malware found in nearly 25% of the analyzed apps.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • Joker malware can read and send text messages, take screenshots, make phone calls, and steal contact lists and device information.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • Maskware apps disguise themselves as legitimate applications but perform malicious activities in the background, such as stealing credentials and banking information.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • A variant of Joker malware, Harly, hides its malicious payload deeper in the code to evade detection during the review process.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • The latest version of the Anatsa banking trojan targets 831 banking and cryptocurrency apps, up from 650 previously.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • Anatsa uses a decoy app named 'Document Reader – File Manager' to evade Google's code review and installs its malicious payload post-installation.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • Anatsa employs various evasion techniques, including malformed APK archives, runtime DES-based string decryption, and emulation detection.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • Anatsa abuses Accessibility permissions to auto-grant itself extensive privileges and fetches phishing pages for over 831 apps, including those in Germany and South Korea.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • The malicious apps were primarily disguised as tools and personalization apps, with tools and personalization apps accounting for over half of the lures used.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

  • Google removed all the malicious apps from the Play Store following Zscaler's report.

    First reported: 25.08.2025 19:37
    πŸ“° 1 source, 1 article
    Show sources

Similar Happenings

SlopAds Fraud Ring Exploits 224 Android Apps to Drive 2.3 Billion Daily Ad Bids

A fraudulent ad operation, SlopAds, has been identified, exploiting 224 Android apps to generate 2.3 billion ad bids daily. The apps, collectively downloaded 38 million times across 228 countries, use steganography and hidden WebViews to create fraudulent ad impressions and clicks. The operation was disrupted after Google removed the offending apps from the Play Store. The SlopAds campaign is notable for its sophisticated tactics, including conditional fraud execution and the use of AI-themed services for command and control. The fraudulent behavior is triggered only when apps are downloaded via ad clicks, making detection more challenging. The campaign's infrastructure includes multiple domains and a complex feedback loop designed to evade security researchers. The campaign's highest concentration of ad impressions originated from the United States (30%), followed by India (10%) and Brazil (7%).

Open in new tab

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Open in new tab

Fourth Spyware Campaign Targeting French Apple Users in 2025

Apple has notified French users of a fourth spyware campaign in 2025. The Computer Emergency Response Team of France (CERT-FR) confirmed the alerts on September 3, 2025. The campaign targets individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. The alerts are part of a series of notifications sent throughout the year, with previous alerts on March 5, April 29, and June 25. These alerts indicate that at least one device linked to the users' iCloud accounts may have been compromised in highly-targeted attacks. The campaign follows a previous incident involving a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300), which were used in zero-click attacks. Apple has been sending these notifications since November 2021. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities.

Open in new tab

Increased browser targeting by threat actors

Threat actors are increasingly targeting web browsers as a primary attack vector. This shift is driven by the browser's central role in accessing sensitive data and cloud applications, making it an attractive target for credential theft and session hijacking. High-profile incidents, such as the Snowflake breach, underscore the need for enhanced browser security measures. The browser's role in accessing sensitive data and cloud applications makes it a prime target for attackers. The Snowflake breach, which exploited stolen credentials, highlights the risks associated with browser-based attacks. Experts emphasize the need for stronger browser security to mitigate these threats. Browser-based attacks include phishing for credentials and sessions, malicious copy & paste (ClickFix), malicious OAuth integrations, malicious browser extensions, malicious file delivery, and exploiting stolen credentials and MFA gaps. These attacks exploit the browser's role in accessing business applications and data, making it crucial for security teams to focus on browser security.

Open in new tab

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.

Open in new tab