May was something of a confusing month for Android users. It started well, with a raft of exciting new updates, but by the end of the month everything seemed to have slipped backwards again, with Apple’s iPhone moving even further ahead.
First came that tidal wave of security update news from Google, much of which was presented at its I/O event. This included a first-of-its-kind mainstream warning for cellular intercept and IMSI grabbing, more advanced theft protection, and the introduction of a “private space” to safeguard sensitive information for when a user’s phone gets into the wrong hands—be that thieves or just the kids.
But the update that’s likely to make the most difference to most users is Google’s “live threat detection,” using AI to “analyze behavioral signals related to the use of sensitive permissions and interactions with other apps and services. If suspicious behavior is discovered, Google Play Protect can send the app to Google for additional review and then warn users or disable the app if malicious behavior is confirmed.”
Google is battling the perception that iPhone is a more secure, safer, more private ecosystem; and when it comes to the premium end of the market, and large swathes of the US market, it’s that iPhone halo that continues to really frustrate.
In reality, Google has been erecting ever higher fences around Play Store for years, and has slowly, subtly started to steer users away from the third-party stores that made Android so different to iPhone towards Play Store and its Protect shield.
Whether or not these new innovations could be the magic bullet for Android, and whether or not users could start to feel more secure, the darker side of Android was back again come the end of May, ensuring the month ended on a very different note.
“Over the past few months,” the team at Zscaler warned, “we identified and analyzed more than 90 malicious applications uploaded to the Google Play store. These malware-infected applications have collectively garnered over 5.5 million installs.”
While the team flagged various malware families as a threat to Play Store users (Joker, Adware, Facestealer and Coper), it was Anatsa that was the highlight of its report. “This sophisticated malware employs dropper applications that appear benign to users, deceiving them into unwittingly installing the malicious payload. Once installed, Anatsa exfiltrates sensitive banking credentials and financial information from global financial applications. It achieves this through the use of overlay and accessibility techniques, allowing it to intercept and collect data discreetly.”
I have already warned about Anatsa this year—the threat is not new. But the optics as regards Google and Play Store were badly timed given May’s Android security focus.
The Anatsa threat has remained broadly consistent, albeit Zscaler notes a US focus as well as the UK and Europe, and that it is also now infecting users in Asia. Anatsa targets phones by way of a seemingly clean app, but one which is in fact a dropper that connects to an external server and pulls malware onto the device. “This strategic approach enables the malware to be uploaded to the official Google Play Store and evade detection.” The clean apps are the typical trivia that we all seem addicted to pulling onto our devices—PDF and QR code readers, for example.
Once installed, the Anatsa malware scans for target banking apps on the infected device, and then seeks to intercept login credentials and one-time SMS passcodes. Its approach includes an overlaid, ghost login page into which users are tricked into entering their username and password.
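The two capabilities described above (drawing a fake login page over a banking app, and reading one-time SMS passcodes) map onto specific Android permissions, which is what a defender can actually inspect. The following is an added example, not code from the original article or from Zscaler: a small triage heuristic that scores an app inventory for the permission combinations an overlay banking trojan and its dropper need. The inventory schema (`package`, `category`, `permissions`) and the sample entries are constructed for the example; the permission identifiers themselves are real Android ones.

```python
"""Defender-side triage: flag apps whose declared permissions combine the
capabilities an overlay banking trojan and its dropper need.

The inventory format used here (a list of dicts) is constructed for this
example. In practice the same fields would come from each APK's
AndroidManifest.xml or from an MDM/EMM device inventory export.
"""

# Real Android permission identifiers. BIND_ACCESSIBILITY_SERVICE is declared
# on a service element in the manifest rather than as a <uses-permission>,
# so the inventory is assumed to report it alongside the others.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_ACCESS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SIDELOAD = "android.permission.REQUEST_INSTALL_PACKAGES"

# Utility categories where none of the above capabilities are expected.
LOW_PRIVILEGE_CATEGORIES = {"pdf_reader", "qr_scanner"}

# Finding code -> analyst-facing description.
FINDING_TEXT = {
    "overlay_phishing": "overlay + accessibility: can draw a fake login page over "
                        "another app and read or inject UI events",
    "otp_interception": "SMS access: can read one-time passcodes",
    "dropper": "REQUEST_INSTALL_PACKAGES: can pull in and install a second payload",
    "out_of_profile": "utility app holding permissions outside its expected profile",
}


def risk_findings(app):
    """Return the list of finding codes that apply to one inventory entry."""
    perms = set(app["permissions"])
    findings = []
    # Overlay alone is common (chat heads, screen filters); the dangerous
    # combination is overlay together with an accessibility service.
    if OVERLAY in perms and ACCESSIBILITY in perms:
        findings.append("overlay_phishing")
    if perms & SMS_ACCESS:
        findings.append("otp_interception")
    if SIDELOAD in perms:
        findings.append("dropper")
    # A PDF or QR utility has no business with any of the above.
    if findings and app.get("category") in LOW_PRIVILEGE_CATEGORIES:
        findings.append("out_of_profile")
    return findings


def triage(inventory):
    """Map every package in the inventory to its finding codes."""
    return {app["package"]: risk_findings(app) for app in inventory}


def describe(findings):
    """Render finding codes as analyst-readable lines."""
    return [FINDING_TEXT[code] for code in findings]


# Constructed sample inventory; package names are placeholders.
SAMPLE_INVENTORY = [
    {
        "package": "com.example.pdfreader.clean",
        "category": "pdf_reader",
        "permissions": ["android.permission.INTERNET"],
    },
    {
        "package": "com.example.qrscanner.suspicious",
        "category": "qr_scanner",
        "permissions": [
            "android.permission.INTERNET",
            OVERLAY,
            ACCESSIBILITY,
            "android.permission.RECEIVE_SMS",
            SIDELOAD,
        ],
    },
    {
        "package": "com.example.chatheads.overlayonly",
        "category": "messaging",
        "permissions": ["android.permission.INTERNET", OVERLAY],
    },
]

if __name__ == "__main__":
    for package, findings in triage(SAMPLE_INVENTORY).items():
        status = "FLAG" if findings else "ok"
        print(f"{status:4} {package}")
        for line in describe(findings):
            print(f"      - {line}")
```

The heuristic deliberately does not flag `SYSTEM_ALERT_WINDOW` on its own, since many legitimate apps draw over other windows; it is the pairing with an accessibility service, or with SMS access in an app whose category does not justify it, that matches the behaviour the report describes.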
Anatsa is now one of the prevalent malware families that continue to plague Android users, and report after report confirms the scale of the Android threat versus iPhone. “The recent campaigns conducted by threat actors deploying the Anatsa banking trojan highlight the risks faced by Android users, in multiple geographic regions, who downloaded these malicious applications from the Google Play store.”
In response to the Zscaler report, Google told Bleeping Computer that “all of the identified malicious apps have been removed from Google Play,” and that “Google Play Protect also protects users by automatically removing or disabling apps known to contain this malware on Android devices with Google Play Services.”
But the challenge for Google is that this perception seems exceptionally difficult to counteract anytime soon. Already this year we have seen multiple Android warnings, and while Google assures that once aware of a threat it’s included in Play Protect’s hit list, the risk is that malware is still finding its way onto Play Store at much greater volumes than Apple’s App Store, and only later is it identified and mitigated.
In parallel with Android’s new security updates, we’ll see the on-device/off-device battle as Apple, Google and Samsung seek to reassure that the brave new world of AI isn’t a privacy nightmare in the making. And there again, the challenge for Google and Android, and Samsung by association, will be overcoming Apple’s security and privacy credentials, and its no-nonsense commitment to a privacy-first approach.
And so all eyes on Android 15 and the difference, if any, that Google’s new mitigations might make to this threat landscape and the Android vs iPhone security perception.
It still looks like something of an impossible task…