77 malicious Android apps on Google Play: Joker, Harly and the Anatsa banking trojan
Zscaler exposes 77 malicious Android apps on Google Play with 19M installs, led by Anatsa and Joker, abusing Accessibility to steal banking data and passwords.
Researchers at Zscaler ThreatLabz have reported a sweeping attack on Android users: 77 malicious apps were uncovered and removed from Google Play, together racking up more than 19 million installs. The headline threat is the Anatsa banking trojan, also known as TeaBot, alongside several other strains of malware.
More than 66% of the tainted apps were pushing aggressive adware, but the Joker trojan appeared most frequently, showing up in nearly a quarter of the reviewed titles. Joker can read and send text messages, capture screenshots, copy contacts, place calls, and enroll victims in paid subscriptions. Investigators also flagged so‑called maskware—apps that seem to work as advertised while quietly siphoning credentials and banking details.
One Joker offshoot, dubbed Harly, is particularly troublesome. Unlike the original, it hides its malicious code inside the APK in encrypted form, helping it slip past Google Play’s checks. Masquerading as games, wallpaper packs, and photo editors, Harly has repeatedly found its way into the store and reached thousands of users.
Anatsa’s latest build has grown more aggressive as well, now targeting more than 830 banking and cryptocurrency apps. The infection path runs through a fake app named “Document Reader — File Manager” that, once installed, downloads a malicious module. The trojan relies on encryption, package swapping, and keylogger components, and it actively abuses the Accessibility service to grab elevated privileges.
Experts point to a rise in this kind of activity and urge users to be especially cautious when installing apps from Google Play. Given the scale and persistence of these campaigns, leaning solely on marketplace screening seems optimistic; a moment’s scrutiny before tapping Install can make all the difference.
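For defenders who vet apps before they reach managed devices, the capabilities described above leave traces in an app's manifest. The following Python sketch is an added example, not code from Zscaler or from this article: it scans a decoded AndroidManifest.xml for the permissions behind the behaviors named here and escalates when an accessibility service is combined with any of them. The sample manifests and package names are constructed, and the check is a triage heuristic, since legitimate apps such as screen readers also declare accessibility services.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Capabilities the article names, mapped to the Android permissions that gate them.
CAPABILITY_PERMS = {
    "read or send SMS": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"},
    "copy contacts": {"READ_CONTACTS"},
    "place calls": {"CALL_PHONE"},
    "install downloaded packages": {"REQUEST_INSTALL_PACKAGES"},
}

def triage_manifest(manifest_xml):
    """Return a sorted list of flagged capabilities for a decoded manifest string."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(ANDROID + "name", "")
            if name.startswith("android.permission."):
                requested.add(name.rsplit(".", 1)[1])
    findings = [cap for cap, perms in CAPABILITY_PERMS.items() if perms & requested]
    # A service guarded by BIND_ACCESSIBILITY_SERVICE can read and act on other apps' UI.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == A11Y_BIND:
            findings.append("accessibility service: " + svc.get(ANDROID + "name", "?"))
    return sorted(findings)

def needs_review(findings):
    """Escalate when an accessibility service is paired with another flagged capability."""
    has_a11y = any(f.startswith("accessibility service") for f in findings)
    return has_a11y and len(findings) > 1

# Constructed sample manifests (not taken from any real app).
SAMPLE_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_FLASHLIGHT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for sample in (SAMPLE_READER, SAMPLE_FLASHLIGHT):
        result = triage_manifest(sample)
        print(result, "-> review" if needs_review(result) else "-> no flag")
```

The input is the text-form manifest produced by decoding an APK; when the APK comes from an untrusted source, parse it with a hardened XML parser such as defusedxml.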