
topicnews · October 15, 2024

Over 200 malicious apps on Google Play have been downloaded millions of times

Google Play, the official store for Android, distributed more than 200 malicious applications over a period of one year, with a cumulative total of almost eight million downloads.

The data was collected between June 2023 and April 2024 by threat intelligence researchers at Zscaler, who identified and analyzed malware families on both Google Play and other distribution platforms.

The most common threats researchers discovered in the official Android app store include:

  • Joker (38.2%): Info stealer and SMS grabber that subscribes victims to premium services
  • Adware (35.9%): Apps that consume internet bandwidth and battery to load either intrusive ads in the foreground or invisible ads in the background, generating fraudulent ad impressions
  • Facestealers (14.7%): Facebook account credential stealers that overlay phishing forms on top of legitimate social media applications
  • Coper (3.7%): Info stealer and SMS message interceptor that can also perform keylogging and overlay phishing pages
  • Hire installer (2.3%)
  • Harry (1.4%): Trojan apps that make victims subscribe to premium services
  • Anatsa (0.9%): Anatsa (or Teabot) is a banking Trojan that targets over 650 applications from banks worldwide

In early May of this year, the same researchers warned of more than 90 malicious apps on Google Play with a download count of 5.5 million.

Although Google has security mechanisms in place to detect malicious applications, threat actors still have some tricks to bypass the verification process. In a report last year, the Google Cloud security team described “versioning,” a method that distributes malware via application updates or by loading it from servers controlled by the attacker.

Regardless of the method used to distribute malware through Google Play, some campaigns are more successful than others. While Zscaler’s report focused on more common Android malware, other researchers discovered campaigns that also used Google Play to distribute malware to millions of people.

In one case, the Necro malware loader for Android was downloaded 11 million times via just two apps published in the official store.

In another case, the Goldoson Android malware was discovered in 60 legitimate apps that had a total of 100 million downloads.

Last year, SpyLoan was found in apps on Google Play that were downloaded more than 12 million times.

Nearly half of the malicious apps discovered by Zscaler ThreatLabz were published on Google Play in the Tools, Personalization, Photography, Productivity, and Lifestyle categories.

Malicious app types on Google Play
Source: Zscaler

Regarding attempted malware blocks this year, Zscaler reports that the overall trend, as measured by blocked transactions, is declining.

On average, ThreatLabz recorded 1.7 million blocks per month, with 20 million blocks recorded over the entire analysis period. The most common threats were Vultur, Hydra, Ermac, Anatsa, Coper and Nexus.

Number of transaction blocks per month
Source: Zscaler

Zscaler’s mobile threat report also shows a significant increase in spyware infections, primarily caused by the SpyLoan, SpinOK and SpyNote families. Last year the company registered 232,000 blocks of spyware activity.

The countries most frequently attacked by mobile malware last year were India and the United States, followed by Canada, South Africa and the Netherlands.

The most frequently targeted countries
Source: Zscaler

According to the report, mobile malware primarily targeted the education sector, where the number of blocked transactions increased by 136.8%. The services sector recorded an increase of 40.9% and the chemicals and mining sector increased by 24%. All other sectors recorded an overall decline.

Sectors attacked by mobile malware in the past year
Source: Zscaler

To minimize the risk of infection with Google Play malware, users are advised to read reviews from others to see what issues have been reported and check with the application publisher.

Users should also review the permissions requested during installation and abort the process if the app requires permissions that do not match its activity.