77 Malicious Android Apps Removed After 19M Downloads
Security researchers have uncovered a massive wave of malicious Android apps that were hiding in plain sight on the Google Play Store. In total, 77 apps containing different types of malware were downloaded more than 19 million times before being removed.
Malware Families Behind the Apps
The investigation, carried out by Zscaler ThreatLabz, revealed that many of these apps delivered well-known malware families including Joker, Harly, and Anatsa. While they often appeared to be normal apps such as file managers, photo editors, or utilities, in reality they were quietly stealing data or delivering harmful software in the background.
The Joker malware was among the most common, appearing in nearly a quarter of the malicious apps. Once installed, Joker can steal text messages, record phone calls, grab contacts, and even sign users up for expensive premium subscriptions without permission.
Its variant, Harly, goes a step further by hiding its malicious code deeper within legitimate-looking apps, making it harder to detect.

Fig 1. One of the fake apps on the Play Store. Source: Zscaler
Why Anatsa Is Especially Dangerous
Even more concerning is the Anatsa banking trojan, also known as TeaBot. This malware targets sensitive financial information and can now steal credentials from over 800 banking and cryptocurrency apps worldwide. Recent versions have expanded their reach to new countries and added capabilities such as keylogging, which records everything typed on a device.
Researchers also warned about “maskware,” a category of apps that perform their advertised function but secretly carry out malicious actions. Because these apps often work as expected, users may not realize they are compromised until it’s too late.

Fig 2. The most exploited type of apps. Source: Zscaler
How Android Users Can Protect Themselves
While Google has removed all of the identified apps, the incident highlights that even official app stores are not immune to malicious uploads. For everyday users, this means extra caution is necessary when downloading apps.
To stay safe, experts recommend a few key steps:
- Ensure Google Play Protect is active on your device—this built-in system scans for harmful apps and can help block suspicious behavior.
- Always review apps before installing by checking download numbers, ratings, and user reviews. If reviews mention strange activity, avoid the app.
- Be wary of permission requests, especially if an app asks for access that doesn’t seem relevant to its function.
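
The permission check in the last step can also be run against an app that is already installed. The Python below is an added example, not part of the original article or of Zscaler's research: it parses text in the layout printed by `adb shell dumpsys package <package.name>` and flags requested permissions that match the Joker behaviour described above. The permission list and the sample output are constructed for illustration.

```python
import re

# Permissions matching the Joker behaviour described above. The mapping is
# chosen for this example; a file manager, photo editor or utility needs none.
RISKY = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.RECEIVE_SMS": "intercept incoming text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.RECORD_AUDIO": "record audio, including calls",
}

# Constructed sample in the layout of `dumpsys package`; not from a real app.
SAMPLE = """\
Packages:
  Package [com.example.filemanager] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS: restricted=true
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=false, flags=[ ]
"""

def requested_permissions(dumpsys):
    """Collect the names listed under 'requested permissions:'."""
    perms, in_section = set(), False
    for line in dumpsys.splitlines():
        if line.strip() == "requested permissions:":
            in_section = True
        elif in_section:
            m = re.fullmatch(r"\s+([A-Za-z0-9_.]+)(?::.*)?", line)
            if not m:
                break  # the next section header ends the list
            perms.add(m.group(1))
    return perms

def audit(dumpsys):
    """Return (permission, capability, granted) for each risky request."""
    granted = set(re.findall(r"^\s+([A-Za-z0-9_.]+): granted=true", dumpsys, re.M))
    hits = requested_permissions(dumpsys) & RISKY.keys()
    return [(p, RISKY[p], p in granted) for p in sorted(hits)]

if __name__ == "__main__":
    for perm, capability, granted in audit(SAMPLE):
        print(f"{perm}: can {capability} (granted={granted})")
```

A flagged permission that is requested but not yet granted can simply be denied; one that is already granted can be revoked in the app's permission settings.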
Cybercriminals continue to find new ways to sneak malware into trusted platforms. By staying cautious and paying attention to app details, Android users can greatly reduce the risk of falling victim to these hidden threats.