
Over 200 Malicious Apps Were Downloaded Nearly 8 Million Times From Google Play

In a recent report by ZScaler, data collected from June 2023 to April 2024 showed that Google Play, the official store for Android, distributed more than 200 malicious applications, which amounted to nearly eight million downloads. The collected data focused on analyzing malware families on both Google Play and other distribution platforms.


According to ZScaler, the most common malware threats encountered were as follows:

  • Joker: Info-stealer and SMS message grabber subscribing victims to premium services accounted for 38.2% of all analyzed threats.
  • Adware: Apps that consume internet bandwidth and battery to load either intrusive foreground ads or invisible ads in the background, generating fraudulent ad impressions, accounted for 35.9% of all analyzed threats.
  • Facestealer: Facebook account credential stealers that overlay phishing forms on top of legitimate social media applications accounted for 14.7% of all analyzed threats.
  • Coper: Info-stealer and SMS message interceptor that can also perform key logging and overlay phishing pages accounted for 3.7% of all analyzed threats.
  • Loanly Installer: A relatively new malware strain with little public analysis accounted for 2.3% of all analyzed threats.
  • Harly: Trojan apps that subscribe victims to premium services accounted for 1.4% of all analyzed threats.
  • Anatsa (Teabot): A banking trojan that targets over 650 bank applications worldwide. It accounted for 0.9% of all analyzed threats.

Nearly half of the malicious apps that Zscaler ThreatLabz discovered were published on Google Play under tools, personalization, photography, productivity, and lifestyle categories.

The report also showed an overall decline in malware block attempts (measured as blocked transactions) during the period analyzed. On average, ZScaler recorded 1.7 million blocks per month, with 20 million blocks recorded throughout the analysis period.

Further, there was a significant increase in spyware activity. The most targeted countries by mobile malware in the past year were India and the United States, followed by Canada, South Africa, and the Netherlands.

The economic sector targeted most was education, where blocked transactions increased by 136.8% over the recorded period. The services sector recorded a 40.9% increase, and chemicals and mining had a 24% increase. All other sectors showed a general decline.

In response to Bleeping Computer's queries regarding ZScaler's report, Google said:

The malicious versions of these apps identified are no longer on Play. Android users are automatically protected against known versions of malware mentioned in this report by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.

Not Isolated Incidents

Given the numbers and stats in ZScaler's report, it would be hard to argue that these are isolated incidents, and harder still when one considers other recent Android malware incidents.

In May 2024, reports began to emerge of increased Anatsa activity, facilitated via downloads through Google Play. It was found that over 90 malicious apps were distributing the banking trojan, with those apps being downloaded over 5.5 million times.

In a report detailing this increase in activity, researchers stated:

The recent campaigns conducted by threat actors deploying the Anatsa banking trojan highlight the risks faced by Android users, in multiple geographic regions, who downloaded these malicious applications from the Google Play Store. As the mobile threat landscape continues to evolve, it becomes crucial for organizations to implement proactive security measures to safeguard their systems and sensitive financial information. To enhance the security of your network, we recommend implementing Zscaler's zero trust architecture. This approach focuses on user-centric security and ensures that users are authenticated and authorized before accessing any resources, regardless of their device or location.

In September 2024, security researchers discovered that the Necro Trojan had been downloaded approximately 11 million times in a Google Play Store supply chain attack.

Researchers found that a new trojan version was installed through malicious advertising software development kits (SDKs) used by legitimate apps, Android game mods, and modified versions of popular software, such as Spotify, WhatsApp, and Minecraft.

To make matters worse, Necro, once installed on an Android device, delivers several other payloads, including:

  • Adware that loads links through invisible WebView windows (Island plugin, Cube SDK)
  • Modules that download and execute arbitrary JavaScript and DEX files (Happy SDK, Jar SDK)
  • Tools specifically designed to facilitate subscription fraud (Web plugin, Happy SDK, Tap plugin)
  • Mechanisms that use infected devices as proxies to route malicious traffic (NProxy plugin)

To reduce the chances of getting infected by malware from Google Play, users are advised to read reviews from others to see what problems have been reported and check the application publisher. Users should also check the permissions requested at installation time and abort the process if the app requires permissions that do not fit its activity.
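The permission check described above can also be done systematically by an analyst before an app is approved for a fleet. The script below is an added example, not code from the original article or from ZScaler: it reads a decoded AndroidManifest.xml (the text form produced by a decoder such as apktool) and flags permissions that match the behaviours the article lists (SMS grabbing, overlay phishing, payload dropping, accessibility-driven keylogging) but do not fit the app's declared category. The permission-to-behaviour mapping and the category allow-lists are assumptions for illustration, and the sample manifest is constructed.

```python
"""Triage a decoded AndroidManifest.xml for permissions that do not fit the
app's stated purpose (added example; mapping and categories are assumptions)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"        # android:name
PERM_ATTR = f"{{{ANDROID_NS}}}permission"  # android:permission

# Permissions that enable the behaviours described in the article, each tagged
# with the app categories where requesting it is plausible (assumed lists).
HIGH_RISK = {
    "android.permission.READ_SMS": ("reading SMS / OTP theft", {"messaging"}),
    "android.permission.RECEIVE_SMS": ("SMS interception", {"messaging"}),
    "android.permission.SEND_SMS": ("premium-service subscription fraud", {"messaging"}),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay phishing forms", {"accessibility", "utilities"}),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("dropping further payloads", {"app-store"}),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("persistence after reboot", {"messaging", "utilities"}),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("keylogging / overlay automation", {"accessibility"}),
}


def triage_manifest(manifest_xml: str, category: str) -> list[dict]:
    """Return the high-risk permissions an app requests that its category does not justify."""
    root = ET.fromstring(manifest_xml)
    requested = {u.get(NAME_ATTR) for u in root.iter("uses-permission")}
    # Accessibility abuse is declared on a <service>, not via <uses-permission>.
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            requested.add(svc.get(PERM_ATTR))
    findings = []
    for perm in sorted(p for p in requested if p):
        if perm in HIGH_RISK:
            reason, ok_categories = HIGH_RISK[perm]
            if category not in ok_categories:
                findings.append({"permission": perm, "risk": reason})
    return findings


# Constructed sample: a "photo editor" that also wants SMS, overlays and an
# accessibility service, the combination seen in the SMS-stealer and
# overlay-phishing families the article describes.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoeditor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Photo Editor Pro">
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST, "photography"):
        print(f"{finding['permission']}: {finding['risk']}")
```

Running it against the sample flags the two SMS permissions, the overlay permission and the accessibility service, while INTERNET and CAMERA pass as expected for a photography app. The same manifest judged as a "messaging" app would still be flagged for the overlay and accessibility declarations, which is the point: the permission set has to be read against what the app claims to do, not in isolation.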


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
