In a disturbing discovery, over 90 malicious Android apps have been identified on Google Play, collectively downloaded more than 5.5 million times.
Among these, the Anatsa banking trojan has experienced a significant increase in activity, posing a serious threat to users worldwide.
Anatsa Banking Trojan: A Growing Threat
Anatsa, also known as "Teabot," is a sophisticated banking trojan targeting over 650 financial applications across Europe, the US, the UK, and Asia. This malicious software aims to steal e-banking credentials to facilitate fraudulent transactions.
Recently, Zscaler has observed Anatsa reappearing on Android's official app store, disguised as two seemingly benign applications: 'PDF Reader & File Manager' and 'QR Reader & File Manager.'
Three months ago, Threat Fabric reported a notable rise in Anatsa infections, with at least 150,000 devices compromised via Google Play through various decoy productivity apps.
Anatsa's Deceptive Distribution Tactics
By the time Zscaler conducted its analysis, these two apps had already garnered 70,000 installations. This highlights the ongoing risk of malicious apps bypassing Google's review process.
Anatsa's evasion strategy involves a multi-stage payload loading mechanism with four distinct steps, according to Bleeping Computer.
- Initial Configuration Retrieval: The dropper app retrieves configuration data and essential strings from its Command and Control (C2) server.
- Malicious Code Activation: A DEX file containing the dropper code is downloaded and activated on the infected device.
- Payload Configuration Download: The configuration file with the Anatsa payload URL is downloaded.
- Malware Installation: The DEX file fetches and installs the malware payload (APK), completing the infection.
The DEX file also performs anti-analysis checks to avoid detection in sandbox or emulation environments.
Once active, Anatsa uploads the bot configuration and app scan results, then downloads specific injections tailored to the victim's location and profile.
Anatsa is Not the Only Threat on Google Play Apps
In addition to Anatsa, Zscaler has discovered over 90 other malicious applications on Google Play within the past few months. These apps, posing as tools, personalization apps, photography utilities, productivity software, and health & fitness apps, have amassed millions of downloads.
The five dominant malware families identified are Joker, Facestealer, Anatsa, Coper, and various adware. Although Anatsa and Coper represent only 3% of the total malicious downloads, they are particularly dangerous because they can conduct on-device fraud and steal sensitive information.
How to Stay Safe Against Anatsa-Infected Apps
To protect against these threats, users should exercise caution when installing new apps from Google Play. It's crucial to review the permissions requested by the app and decline those associated with high-risk activities, such as Accessibility Service, SMS, and contacts list access.
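The permission review described above can be turned into a repeatable triage step for anyone vetting an app before it is deployed to a fleet or allowed through an MDM policy. The following Python script is an added example, not code from the article or from Zscaler: it parses a decoded AndroidManifest.xml, flags the high-risk grants the article names (SMS and contacts access, and a declared Accessibility Service), and additionally flags REQUEST_INSTALL_PACKAGES, which is my addition because a dropper needs it to install a downloaded APK payload. The two manifests are constructed samples for a "PDF reader" that behave as the article describes, not manifests of the real apps.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions the article flags as high-risk for a simple utility app (SMS,
# contacts), plus REQUEST_INSTALL_PACKAGES, which a dropper needs before it can
# install a downloaded APK payload (that last entry is my addition).
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (can harvest one-time codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "read the contacts list",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install APKs from the app itself",
}

# A service bound with this permission is an Accessibility Service, the
# capability banking trojans rely on to read and drive other apps' screens.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Parse a decoded AndroidManifest.xml and collect high-risk declarations."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "high_risk_permissions": [],
        "accessibility_services": [],
    }
    for elem in root.iter("uses-permission"):
        name = elem.get(NAME_ATTR)
        if name in HIGH_RISK_PERMISSIONS:
            findings["high_risk_permissions"].append((name, HIGH_RISK_PERMISSIONS[name]))
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == ACCESSIBILITY_BIND:
            findings["accessibility_services"].append(svc.get(NAME_ATTR))
    return findings


def risk_verdict(findings: dict) -> str:
    """Coarse triage verdict: a signal for manual review, not proof of malice
    (screen readers and automation tools legitimately use accessibility)."""
    score = len(findings["high_risk_permissions"])
    if findings["accessibility_services"]:
        score += 2
    if score >= 2:
        return "high"
    if score == 1:
        return "medium"
    return "low"


# Constructed sample manifests (hypothetical apps, not the ones in the article).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="PDF Viewer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="PDF Reader &amp; File Manager">
        <activity android:name=".MainActivity"/>
        <service android:name=".AccessService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for xml in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        result = triage_manifest(xml)
        print(result["package"], "->", risk_verdict(result))
        for name, why in result["high_risk_permissions"]:
            print("  permission:", name, "-", why)
        for svc in result["accessibility_services"]:
            print("  accessibility service:", svc)
```

To run it against a real package, decode the binary manifest first (for example with apktool) and pass the resulting XML text to triage_manifest. A "PDF reader" that declares an Accessibility Service together with SMS or install-packages permissions is exactly the mismatch between claimed purpose and requested capability the article tells users to decline.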
While Zscaler did not disclose the names of all 90+ malicious apps, the identified Anatsa dropper apps have since been removed from Google Play.