77 malicious apps banned from Google Play: Joker, Harly, and Anatsa under scrutiny

  • Google removed 77 malicious apps from Play with more than 19 million downloads.
  • Joker and Harly sign victims up for premium subscriptions; Anatsa targets more than 831 financial apps.
  • Campaigns use JSON files, malformed APKs, and accessibility permissions.
  • Play Protect blocks known variants, but apps must be manually uninstalled.


Google has removed from its store a batch of 77 malicious apps which, before being detected, totaled more than 19 million downloads globally. They were seemingly harmless utilities (document readers, file managers, or customization apps) that hid code with clearly malicious purposes.

The discovery was attributed to analysts at Zscaler ThreatLabz, whose warning led to the store being cleaned up. Although the apps are no longer available on Play, the danger doesn't magically disappear: if you still have one installed, it stays active until you delete it manually.

What happened on Google Play

The investigation describes a broad campaign: more than 66% of the apps included adware to flood the phone with intrusive ads, and almost a quarter hid the well-known Joker malware, an expert at sneaking in premium subscriptions without permission. Maskware was also detected: legitimate-looking apps that stole credentials in the background.

One of the most repeated baits was Document Reader – File Manager, which worked as a hook to download the malicious payload. After installation, the operators refined their techniques: hidden modules were served as temporary JSON files to activate the malware on the device and then delete traces.

The main focus was on Anatsa (TeaBot), a banking Trojan that has been evolving rapidly. Its latest wave expands its scope and now targets more than 831 banking and cryptocurrency apps, using overlays that mimic legitimate screens, keystroke logging, and credential theft.

For their part, Joker and its variant Harly are back in the spotlight: they intercept text messages, make calls, access contacts, and can sign up victims for paid services without consent. All of this is disguised as useful apps to gain trust and rack up installations at high speed.


Anatsa and the rest of the families: techniques and scope

In this wave, the actors behind Anatsa have introduced changes to circumvent automatic controls: from downloading components in ephemeral JSON files that then disappear, to using malformed APKs and dynamic encryption to keep the code hidden until the last moment.

The Trojan also integrates detection of emulators and test environments, so it avoids running the payload on analysis systems. When it does get in, it abuses accessibility permissions to grant itself privileges, overlay credible phishing screens, and take control of sensitive actions.

A familiar pattern is repeating itself: apps with real functionality that inspire confidence, millions of downloads, and then a withdrawal when the scam is discovered. The damage, however, may have been done, with access to bank accounts and fraud affecting users in multiple countries.


Google's response and how to protect yourself

Google confirms that it has removed all the apps in question and that Play Protect blocks known variants. However, there is one key point: if the app is still installed, it will not be disabled automatically. It's a good idea to review recently added apps (especially PDF readers, file managers, and customization utilities) and uninstall any suspicious ones.

In addition to the cleanup, the company is pushing for additional measures to raise the bar for malicious actors, such as requiring verified developer accounts linked to installations on certified Android devices. The goal is to make life difficult for those who upload malicious software under false identities, a front that complements Play's controls.

If you suspect an infection, act without delay: uninstall the app, change critical passwords (especially banking and email), activate two-step verification, and consult your financial institution in case it is necessary to block operations or revoke access.

  • Keep Google Play Protect activated and updated.

  • Install only from well-known developers and with good ratings.

  • Review and limit the permissions requested, especially accessibility.
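
One way to carry out the accessibility review above from a computer with adb, as an added example that is not part of the original article: it lists user-installed packages that currently have an accessibility service enabled, together with their installer. The package names and sample output are constructed for illustration; a flagged app is a candidate for review, not proof of infection.

```shell
#!/bin/sh
# On a real device, capture the two inputs with:
#   adb shell pm list packages -3 -i
#   adb shell settings get secure enabled_accessibility_services

# Constructed sample output (package names are made up for illustration).
SAMPLE_PACKAGES='package:com.example.docreader  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.example.sideloaded  installer=null'
SAMPLE_A11Y='com.example.docreader/com.example.docreader.core.OverlayService:com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# audit_a11y PACKAGES A11Y
# Prints "<package> <installer>" for every third-party package that
# owns at least one enabled accessibility service.
audit_a11y() {
    pkgs=$1
    a11y=$2
    # Enabled services are colon-separated "package/class" components;
    # keep only the package part of each one.
    enabled=$(printf '%s\n' "$a11y" | tr -d '\r' | tr ':' '\n' | cut -d/ -f1 | sort -u)
    printf '%s\n' "$pkgs" | tr -d '\r' | while read -r line; do
        # Skip anything that is not a "package:" record.
        case $line in package:*) ;; *) continue ;; esac
        pkg=${line#package:}
        pkg=${pkg%% *}
        installer=${line##*installer=}
        # No "installer=" field present: the expansion left the line unchanged.
        [ "$installer" = "$line" ] && installer=unknown
        if printf '%s\n' "$enabled" | grep -qxF "$pkg"; then
            printf '%s %s\n' "$pkg" "$installer"
        fi
    done
}

audit_a11y "$SAMPLE_PACKAGES" "$SAMPLE_A11Y"
```

System services such as TalkBack do not appear in the result because `pm list packages -3` only returns user-installed packages.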


The episode leaves a clear lesson: even with strengthened controls, malicious apps can reach Google Play if they camouflage themselves well. The combination of vigilance on the part of the store and caution on the part of the user (installing wisely, checking permissions, and uninstalling in time) is currently the most effective way to reduce the risk on mobile.
