According to BGR , these malicious apps originated from a malware called Anatsa (also known as TeaBot), a particularly dangerous banking malware that appears harmless when first installed but then downloads malicious code or command-and-control (C2) servers disguised as app updates. This allows the malware to avoid detection on the Android app store.

In other words, the apps are not malicious at first. They trick people into believing they are safe before they proceed to download malicious content disguised as a legitimate app update. Once the malware successfully infects a device and begins communicating with the C2 server, it scans the user’s device for any banking apps installed.

If it finds any information, it sends it to the C2 server, which then sends back a fake login page for the detected apps. If a user falls for this trick and enters their login credentials, that information is sent back to the server, which the hacker can then use to log into the victim’s banking app and steal their money.

The two apps that Zscaler found infected with Anatsa were PDF Reader & File Manager and QR Reader & File Manager. Researchers say that Anatsa primarily targets apps from financial institutions in the UK, with victims also found in the US, Germany, Spain, Finland, South Korea, and Singapore. Still, experts advise users to be aware of the dangers no matter where they live.

While the researchers did not share the identities of the infected Android apps on the Google Play store, both of the apps shared in the above example are no longer available. Perhaps Zscaler alerted Google to other apps.