A recent report by Zscaler ThreatLabz has uncovered that over 200 malicious applications on the Google Play Store have been downloaded nearly eight million times, posing a significant threat to users. Alarmingly, Nigeria ranks among the top ten countries targeted by these mobile malware attacks.
The report highlights that countries such as India, the US, Canada, South Africa, the Netherlands, Mexico, Brazil, Singapore, and the Philippines are also frequent targets. With mobile devices now the primary means of internet access—accounting for 96.5% of users—cyber threats on these platforms have escalated dramatically.
Based on data from 20 million blocked malicious transactions, Zscaler reported a 29% increase in banking malware incidents over the past year, while mobile spyware attacks surged by an astounding 111%. This rise in cyber threats is largely attributed to the lucrative nature of such attacks, with cybercriminals increasingly able to circumvent multi-factor authentication.
The report details common tactics used by attackers, including phishing schemes that utilize fake login pages for financial institutions and cryptocurrency wallets. QR codes have also become a popular vector for attacks, with the Android banking malware Anatsa reportedly exploiting these codes to target banking apps from over 650 financial institutions globally. Additionally, remote access trojans have been distributed through counterfeit sites for popular video conferencing tools like Skype, Zoom, and Google Meet, leading users to inadvertently download harmful APK files.
Zscaler noted that even applications from legitimate sources, including the Google Play Store, have been compromised. Following the identification of these threats, Google confirmed the removal of the malicious apps.
Among the identified malware, the Joker family was particularly prevalent, making up 38% of the harmful apps. Joker carries out Wireless Application Protocol (WAP) fraud: it surreptitiously subscribes users to premium services, incurring unexpected charges. Adware accounted for 35% of threats, while “Facestealers,” which aim to extract Facebook credentials, comprised 14%.
Cybercriminals often disguise malicious apps as seemingly useful tools, such as PDF readers and file managers, to trick users into downloading them. These apps can serve as loaders, deploying more sophisticated malware, including Anatsa (also known as TeaBot). Many are crafted to look legitimate, effectively deceiving users into unwittingly downloading second-stage payloads that further compromise their devices.
Despite a recent decline in overall Android malware activity, with the number of blocked transactions dropping to a third of last year’s figures by May 2024, Zscaler still recorded an average of 1.7 million Android malware blocks per month over the past year, indicating ongoing vulnerabilities in the mobile landscape.