Quick Take
- The threat: A massive campaign using 77 malicious apps spread the Anatsa Android banking trojan, with over 19 million installs.
- Who’s affected: Users of 831 financial and crypto apps across Europe and Asia are at risk.
- What it does: Steals credentials, bypasses 2FA, and hijacks sessions through overlays and SMS interception.
- What to do: Remove suspicious apps, check permissions, enable Play Protect, and contact banks if login prompts look unusual.
Breaking: An ongoing Android banking trojan campaign has bypassed Google’s defenses and reached alarming scale: researchers reported 77 malicious apps on the Play Store amassing over 19 million installs. At the center is the Anatsa banking trojan — also tracked as TeaBot malware — which now targets more than 830 financial and crypto apps. Security teams note its ability to steal credentials and even take over devices, making it one of the most dangerous cases of Google Play malware to date.
What happened: 77 apps, 19 million installs
ThreatLabz research shows how cybercriminals smuggled “benign” utilities (file managers, QR tools, document readers) into Google Play, then activated hidden code through staged updates. Once triggered, the payload delivered the Anatsa banking trojan, enabling credential theft and session hijacking. Although Google removed the flagged apps after disclosure, the sheer install base highlights how quickly Google Play malware can spread before takedown.
For weeks, these apps collected positive ratings and reviews. Only later did operators push a configuration update that switched dormant code on, beginning active attacks. This combination of social proof, vague branding, and permissions creep explains why such threats can grow unnoticed.
How it slipped past review
The operators used a dropper technique: the storefront app appeared harmless during review, then later fetched a second-stage payload from command-and-control servers. According to ThreatLabz, the loaders switched from remote DEX tricks to directly unpacking payloads hidden inside corrupt APK archives. Runtime string decryption, emulator checks, and device filters added further evasion, keeping the Anatsa banking trojan dormant until ready. On-device, it exploited Accessibility Services to inject overlays, log keystrokes, and conceal activity — tactics long associated with TeaBot malware.
Anatsa banking trojan evolves: 831 targets
The malware now targets 831 apps, including major banks and crypto wallets. It abuses Accessibility Services to auto-grant privileges, displays phishing overlays on legitimate apps, intercepts SMS for 2FA bypass, and executes remote commands. Researchers note the family’s expansion into new regions such as Germany and South Korea, underscoring its rapid iteration. This malware line is widely recognized as TeaBot malware, with both names used interchangeably.
Not just banking: Joker and Harly return
Analysts also uncovered Google Play malware tied to subscription fraud and adware. The infamous Joker malware resurfaced, silently enrolling users into paid services and exfiltrating contacts. Harly, a Joker variant, followed similar methods. This shows the campaign wasn’t limited to one trojan — it blended multiple threats to maximize profit.
Technical highlights
- Staged delivery: Innocent-looking apps later fetched the Anatsa banking trojan.
- Evasion: Corrupt headers, runtime decryption, and emulator checks hid the payload.
- Account takeover: Overlays and SMS interception enabled multi-factor bypass — classic TeaBot malware traits.
- Scale: Over 19 million installs across 77 packages prove how fast Google Play malware can spread.
When a victim opens a targeted banking app, the trojan checks for templates and overlays a phishing screen. Captured data is sent to its operators, who may automate fraudulent transfers.
Timeline and geography
Initial loaders appeared weeks before weaponization, allowing actors to build user bases. Infections clustered in Europe and Asia, with banks in Germany and South Korea added later. Even after takedowns, existing users remained at risk — a reminder that every mobile banking trojan campaign requires both platform action and user vigilance.
Signs of infection
- Unusual requests to re-enable Accessibility.
- Login screens that look identical but behave strangely.
- SMS messages arriving or marked as read without your action.
- Battery or network spikes when opening financial apps.
How to protect yourself
Steps to reduce exposure to Google Play malware and the broader Android malware ecosystem:
- Remove unused utilities — loaders hide in such apps.
- Scrutinize app reviews for unusual update behavior linked to TeaBot malware.
- Be cautious of Accessibility requests from non-related apps — a red flag for Anatsa banking trojan.
- Keep Play Protect enabled to detect and remove known threats.
- Enable app-based 2FA and contact banks if login prompts appear suspicious.
Platform and industry response
Google removed the apps and updated Play Protect signatures, but delays allowed wide spread. Banks are deploying phishing detectors and anomaly scoring. Customers are advised to reset app credentials if exposed to suspicious login prompts. The broader message: official stores are necessary but not sufficient protection.
What security teams should do
Enterprises should treat this case as proof of conditional trust. Device management policies must block unknown publishers, enforce least-privilege permissions, and monitor Accessibility enablement. Threat intel feeds should ingest IoCs, and SOC playbooks must include fraud escalation paths. TeaBot malware infections show that password resets alone are insufficient if session tokens are compromised.
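As an added defender-side example (not code from the article or the cited researchers), the script below turns the "Signs of infection" and "monitor Accessibility enablement" advice above into a triage check: it parses constructed text in the format of `adb shell settings get secure enabled_accessibility_services` and a simplified excerpt in the style of `adb shell dumpsys package`, then flags non-allowlisted packages that combine an enabled accessibility service with SMS and overlay grants, the combination the article describes. The allowlist, package names and the simplified dumpsys layout are assumptions.

```python
import re

# Constructed value in the format of `adb shell settings get secure enabled_accessibility_services`,
# where a hypothetical utility app has switched on an accessibility service next to TalkBack.
ENABLED_A11Y = ("com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
                "com.example.filemanager/com.example.filemanager.HelperService")

# Constructed, simplified excerpt in the style of `adb shell dumpsys package` runtime-permission lines.
DUMPSYS = """Package [com.example.filemanager]:
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
Package [com.example.notes]:
    runtime permissions:
      android.permission.CAMERA: granted=true
"""
# Assumed allowlist of packages expected to run accessibility services on managed devices.
A11Y_ALLOWLIST = {"com.android.talkback"}
# Grants that, alongside an accessibility service, match the overlay + SMS interception pattern.
RISKY = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
         "android.permission.SYSTEM_ALERT_WINDOW"}

def enabled_a11y_packages(setting: str) -> set:
    """Package names from the colon-separated enabled_accessibility_services value."""
    return {entry.split("/")[0] for entry in setting.split(":") if entry}

def granted_permissions(dumpsys: str) -> dict:
    """Map package name -> set of permissions marked granted=true in dumpsys-style text."""
    result, current = {}, None
    for line in dumpsys.splitlines():
        pkg = re.match(r"Package \[([\w.]+)\]", line.strip())
        if pkg:
            current = pkg.group(1)
            result[current] = set()
            continue
        perm = re.match(r"([\w.]+): granted=true", line.strip())
        if perm and current:
            result[current].add(perm.group(1))
    return result

def triage(setting: str, dumpsys: str, allowlist: set) -> dict:
    """Flag non-allowlisted packages that have an accessibility service enabled plus risky grants."""
    perms = granted_permissions(dumpsys)
    flagged = {}
    for pkg in enabled_a11y_packages(setting) - allowlist:
        hits = perms.get(pkg, set()) & RISKY
        if hits:
            flagged[pkg] = hits
    return flagged
```

On a real device the two inputs come from the adb commands named in the comments; a flagged package is a review candidate, not a verdict, since legitimate accessibility tools also hold some of these grants.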
Context: Android’s cat-and-mouse era
Adversaries keep innovating. The current surge recalls earlier infiltration waves, with more localization and evasion built in. Defensive baselines against banking trojans on Android must rise, or attackers will continue exploiting gaps.
Bottom line
The case proves that even official stores cannot guarantee safety when staged delivery and anti-analysis are used. Reduce your app footprint, watch for odd re-login prompts, and stay updated. A sophisticated Android banking trojan ecosystem just reached 19 million installs. Stay alert and proactive.
Source: TechCrunch, The Verge, Android Authority