Overview
BleepingComputer reported on 25 August 2025 that Google removed 77 malicious Android apps from the Play Store after researchers at Zscaler’s ThreatLabz discovered they were delivering multiple malware families. Together, these apps had been downloaded over 19 million times. Most of the apps contained adware, but many hosted more dangerous malware, including Joker, Harly and Anatsa.
Malware families involved
- Joker: Found in almost 25% of the malicious apps, Joker can read and send text messages, take screenshots, make phone calls, steal contact lists and subscribe users to premium services. Joker variants often hide inside seemingly innocuous tools such as call blockers or wallpaper apps.
- Harly: A variant of Joker uncovered by Zscaler, Harly disguises itself as a legitimate app and hides its malicious payload deep in the code to evade inspection. Human Security researchers have shown that Harly can lurk in games, wallpaper apps, flashlights and photo editors.
- Maskware: These apps act as decoys, performing the advertised function while secretly stealing credentials, banking information or other sensitive data. Maskware may also install additional malware.
- Anatsa (TeaBot) banking trojan: The initial investigation targeted Anatsa, a sophisticated banking trojan that uses an app named ‘Document Reader – File Manager’ as a decoy. The latest version of Anatsa targets 831 banking and cryptocurrency apps, up from 650 previously, and employs obfuscation techniques such as malformed APK files, DES-based string decryption and emulation detection.
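Malformed APK files are one of the obfuscation techniques listed above. The Python script below is an added example, not code from the article or from Zscaler; it walks an APK's ZIP central directory and flags header anomalies a triage pipeline can alert on. What counts as "malformed" here (encryption flag set, unexpected compression method, local and central headers that disagree) is an assumption, and the sample archive is constructed in memory.

```python
import io
import struct
import zipfile

ALLOWED_METHODS = {0, 8}  # stored and deflate, the methods a normal APK uses

def apk_zip_anomalies(data: bytes):
    """Walk the central directory; return (entry, finding) pairs for odd headers."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        return [("<archive>", "no end-of-central-directory record")]
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    findings = []
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":
            findings.append(("<archive>", "central directory corrupt"))
            break
        flags, method = struct.unpack_from("<HH", data, pos + 8)
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        (lho,) = struct.unpack_from("<I", data, pos + 42)  # local header offset
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        pos += 46 + nlen + elen + clen
        if data[lho:lho + 4] != b"PK\x03\x04":
            findings.append((name, "local header missing"))
            continue
        lflags, lmethod = struct.unpack_from("<HH", data, lho + 6)
        if (flags | lflags) & 0x0001:
            findings.append((name, "encryption flag set"))
        if method not in ALLOWED_METHODS or lmethod not in ALLOWED_METHODS:
            findings.append((name, "unexpected compression method"))
        if (flags, method) != (lflags, lmethod):
            findings.append((name, "local and central headers disagree"))
    return findings

def build_sample(tamper: bool) -> bytes:
    """Constructed stand-in for an APK: two entries, optionally with edited headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        dex_local = z.getinfo("classes.dex").header_offset
    data = bytearray(buf.getvalue())
    if tamper:
        data[data.rfind(b"PK\x01\x02") + 8] |= 0x01          # central flags: encrypted bit
        struct.pack_into("<H", data, dex_local + 8, 0x1234)  # local method: bogus value
    return bytes(data)

if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("tampered", build_sample(True))):
        print(label, apk_zip_anomalies(blob))
```

The checker does not handle ZIP64 archives; pass it the raw bytes of an APK file to triage a real sample.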
Campaign details
- The 77 apps were downloaded 19 million times, demonstrating how widespread the infection was.
- Zscaler observed a shift in Anatsa’s infection chain: the malware now installs its payload directly from JSON files rather than using remote DEX loading.
- The campaign also saw a rise in adware applications and a decline in malware families like Facestealer and Coper, indicating shifting tactics.
How to stay safe
- Enable Play Protect: Keep Google Play Protect enabled to scan for malware and remove suspicious apps.
- Install apps cautiously: Only download apps from reputable publishers, read user reviews and avoid granting unnecessary permissions.
- Remove suspicious apps: If you installed ‘Document Reader – File Manager’ or other apps mentioned in malware reports, uninstall them and run a full device scan.
- Monitor bank accounts: Victims of Anatsa infections should contact their bank to report potential compromise and reset credentials.
Conclusion
The discovery of 77 malicious apps with more than 19 million downloads illustrates the persistent risk of malware on official app stores. Joker, Harly and Anatsa show how attackers continually adapt their techniques and packaging. Vigilant app hygiene, timely updates and the use of security features like Play Protect are essential defenses against mobile malware.

