Google Removes 77 Malicious Android Apps with 19 Million Installs, Warns of Evolving Anatsa Malware Threat
August 25, 2025
Since its first identification in 2020, Anatsa has evolved into a more sophisticated threat, now targeting over 831 financial institutions worldwide, including banks, fintech, and cryptocurrency platforms, with increased reach in countries like Germany and South Korea.
A significant wave of malicious Android apps, including over 77 apps with more than 19 million installs, has been removed from Google Play after the apps, which disguised themselves as legitimate software, were found to deliver multiple malware families such as Joker, Harly, and the banking trojan Anatsa.
ThreatLabz reports an increase in adware and malware like Joker, Harly, and Anatsa on Google Play, especially in categories like tools, personalization, entertainment, photography, and design, which are considered high-risk.
The malicious apps employ advanced evasion techniques, including decrypting strings at runtime, performing emulation checks, verifying device models, and frequently changing package names and hashes to avoid detection.
Anatsa employs a dropper technique, disguising malicious payloads as benign updates or apps to evade detection and infect devices silently.
Anatsa exploits Android Accessibility permissions to gain extensive privileges, fetches phishing pages for over 831 apps, including ones in Germany and South Korea, and has added a keylogger for data theft. Previous campaigns involved PDF readers and QR code scanners.
The latest Anatsa variant no longer relies on dynamic code loading but directly installs its payload, which speeds up infections and makes detection more difficult.
Users infected with Anatsa are advised to contact their banks immediately to secure their accounts and credentials.
Google has confirmed the removal of all identified malicious apps from the Play Store and emphasizes that Google Play Protect continues to offer protection, though users should manually delete any suspicious apps.
All malicious apps were removed after being reported by Zscaler, underscoring the need for users to keep Play Protect active and be cautious with app permissions.
In total, Google has removed millions of apps as part of a crackdown on malicious and trivial apps, highlighting the importance of trusting reputable publishers and reviewing app permissions.
The malware displays fake login pages for banking apps based on the apps present on the device, stealing user credentials for remote attacks.
Summary based on 3 sources
Sources

Forbes • Aug 23, 2025
Google Confirms Play Store App Deletion—Act Now
BleepingComputer • Aug 25, 2025
Malicious Android apps with 19M installs removed from Google Play
Security Affairs • Aug 25, 2025
Malicious apps with +19M installs removed from Google Play because spreading Anatsa banking trojan and other malware