Anatsa Android malware downloaded 150,000 times via Google Play

By thedailyposting.com, February 19, 2024


The Anatsa banking Trojan targets users in Europe by infecting Android devices via a malware dropper hosted on Google Play.

Over the past four months, security researchers have noticed five campaigns aimed at delivering malware to users in the United Kingdom, Germany, Spain, Slovakia, Slovenia, and the Czech Republic.


Researchers at fraud detection firm ThreatFabric have noticed an increase in Anatsa activity since November, with at least 150,000 infections occurring.

Each wave of attacks is focused on a specific geographic region, with dropper apps built to reach Google Play's "Top New Free" category, which lends the app credibility and increases the campaign's success rate.

According to ThreatFabric's report, the dropper apps have evolved to implement a multi-step infection process that abuses Android's accessibility services to bypass the security restrictions present in mobile operating system versions up to Android 13.

Last summer, ThreatFabric warned about another European-focused Anatsa campaign using dropper apps hosted on Google Play, primarily fake PDF viewer apps.

Anatsa dropper app

In the latest Anatsa campaign, malware operators use both PDF apps and fake cleaner apps that promise to remove unnecessary files and free up space on your device.

One example that ThreatFabric researchers are looking at is an app called “Phone Cleaner – File Explorer” that has over 10,000 downloads.

Anatsa dropper app (Threat Fabric)

ThreatFabric told BleepingComputer that one Anatsa campaign also used another app called “PDF Reader: File Manager,” which racked up more than 100,000 downloads.

As of this writing, Google has removed all Anatsa dropper apps from the official Android store except for PDF Reader, which is still available.

Malicious PDF reader app (Bleeping Computer)

ThreatFabric researchers said the 150,000 downloads of the Anatsa droppers on Google Play is a conservative figure, and that the actual number is likely closer to 200,000, because they used the lower estimates in their tally.

The five malicious apps are:

  1. Phone Cleaner – File Explorer (com.volabs.androidcleaner)
  2. PDF Viewer – File Explorer (com.xolab.fileexplorer)
  3. PDF reader – viewer and editor (com.jumbodub.fileexplorerpdfviewer)
  4. Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
  5. PDF reader: file manager (com.tragisoap.fileandpdfmanager)

Given that Anatsa keeps launching new waves of attacks with new dropper apps, we expect the total number of downloads to increase further. The current tally has already surpassed the 130,000 mark Anatsa reached in the first half of 2023.

Technical details

Technical insights from ThreatFabric's report show that the dropper apps use a multi-step approach to evade detection, dynamically downloading their malicious components from command and control (C2) servers.

Malicious code update (Threat Fabric)

Notable among these strategies is the abuse of AccessibilityService, which malware has historically used to automate payload installation without user interaction.

Malware abusing this powerful Android service, which was created to assist users with disabilities, persists despite Google's recent policy updates that introduced restrictions to curb such abuse.

The Anatsa dropper's request for accessibility-service access was disguised as being needed to "hibernate battery-draining apps," which looks like a legitimate feature for a cleaner app.

ThreatFabric found that in one case a malicious code update, pushed a week after the dropper app was uploaded to Google Play, added user-interface navigation parameters matching those of Samsung devices (One UI).

Samsung-specific actions (Threat Fabric)

Other droppers used in the same campaign do not include vendor-specific code and therefore target a wider range of Android devices.

Malicious code updates are downloaded from the C2 in four different steps. This may be a tactic to avoid detection and flagging by Google’s code review mechanisms.

  • Get configuration: downloads from the C2 server a configuration containing the strings the malicious code needs; keeping those indicators out of the app itself avoids immediate detection.
  • Download the DEX file: fetches a DEX file containing the malicious code, which is activated by the previously downloaded strings and is responsible for installing the payload.
  • Configure the payload URL: downloads a configuration file containing the payload URL, so the attacker can update the payload link if necessary.
  • Install the payload: the DEX code downloads, installs, and launches the Anatsa malware, completing the infection.

Payload acquisition process (Threat Fabric)
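The four-stage chain above leaves a distinctive footprint in per-app egress traffic: a small JSON fetch, a DEX fetch, another JSON fetch, then an APK fetch from the same package within minutes. The following detector is an added example, not ThreatFabric's or the article's code; the log format, package names and hosts are constructed for illustration (the `.invalid` TLD never resolves).

```python
"""Detect the staged payload-delivery chain (config -> DEX -> payload-URL
config -> APK) in per-app egress logs.

Added example, not ThreatFabric's or the article's code. The log format, the
package names and the hosts below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed egress log: one request per line, attributed to the requesting
# package, as a device proxy or MDM agent might record it.
SAMPLE_LOG = """\
2024-02-12T09:00:01Z pkg=com.example.cleaner GET https://cdn.example.invalid/cfg/strings.json ctype=application/json
2024-02-12T09:00:04Z pkg=com.example.cleaner GET https://cdn.example.invalid/upd/classes.dex ctype=application/octet-stream
2024-02-12T09:00:09Z pkg=com.example.cleaner GET https://cdn.example.invalid/cfg/payload.json ctype=application/json
2024-02-12T09:00:12Z pkg=com.example.cleaner GET https://files.example.invalid/update.apk ctype=application/vnd.android.package-archive
2024-02-12T09:05:00Z pkg=com.example.weather GET https://api.example.invalid/forecast.json ctype=application/json
2024-02-12T09:06:00Z pkg=com.example.weather GET https://api.example.invalid/icons.png ctype=image/png
"""

LINE_RE = re.compile(r"^(\S+) pkg=(\S+) (\w+) (\S+) ctype=(\S+)$")

# The order of fetches the article attributes to the dropper.
EXPECTED_CHAIN = ("config", "dex", "config", "apk")


def classify(url, ctype):
    """Map one request to a stage kind using the URL suffix and Content-Type."""
    path = url.split("?", 1)[0].lower()
    if path.endswith(".apk") or ctype == "application/vnd.android.package-archive":
        return "apk"
    if path.endswith(".dex"):
        return "dex"
    if ctype == "application/json":
        return "config"
    return "other"


def parse_log(text):
    """Group parsed requests by package, sorted by timestamp."""
    by_pkg = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        url, ctype = m.group(4), m.group(5)
        by_pkg[m.group(2)].append((ts, url, classify(url, ctype)))
    for reqs in by_pkg.values():
        reqs.sort()
    return by_pkg


def find_staged_chains(text, window=timedelta(minutes=15)):
    """Return one alert per package that walks the full chain within `window`.

    Requests that do not fit the next expected stage are skipped, so ordinary
    JSON traffic interleaved with the chain does not hide it."""
    alerts = []
    for pkg, reqs in parse_log(text).items():
        stage, started = 0, None
        for ts, url, kind in reqs:
            if started is not None and ts - started > window:
                stage, started = 0, None  # chain timed out; start over
            if kind != EXPECTED_CHAIN[stage]:
                continue
            if stage == 0:
                started = ts
            stage += 1
            if stage == len(EXPECTED_CHAIN):
                alerts.append({"pkg": pkg, "started": started, "payload_url": url})
                stage, started = 0, None
    return alerts


if __name__ == "__main__":
    for alert in find_staged_chains(SAMPLE_LOG):
        print(f"{alert['pkg']}: staged download chain ending at {alert['payload_url']}")
```

The time window matters: the article describes the stages as one continuous sequence, so a DEX fetch and an APK fetch an hour apart are treated as unrelated and do not fire. Tighten `EXPECTED_CHAIN` to `("dex", "apk")` if the logs you have do not carry Content-Type.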

Anatsa campaigns are widespread and carry the risk of financial fraud. Android users are advised to carefully check user ratings and publisher history before installing an app.

A good way to stay protected is to avoid performance-enhancing, productivity-enhancing, and secure messaging apps that aren’t from reputable vendors.

When installing a new app, we strongly recommend reviewing the list of requested permissions and denying any that are unrelated to the app's purpose (for example, a photo editing app does not need access to your microphone).

When installing a new app, carefully examine the requested permissions, especially those related to accessibility services. This should be considered a red flag for a potential malware threat.
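For an analyst rather than an end user, the same check can be run against an APK's decoded manifest (for example, apktool output): the pairing the droppers relied on is an AccessibilityService declaration together with the REQUEST_INSTALL_PACKAGES permission. The triage script below is an added example, not ThreatFabric's or the article's code; the two manifests are constructed, and only the set of package names comes from the article's list.

```python
"""Triage a decoded AndroidManifest.xml for the capability pairing the
article's droppers relied on: an AccessibilityService plus the right to
install packages.

Added example, not ThreatFabric's or the article's code. The two manifests
below are constructed; only KNOWN_DROPPER_PACKAGES comes from the article."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"

# Package names of the five droppers listed in the article.
KNOWN_DROPPER_PACKAGES = {
    "com.volabs.androidcleaner",
    "com.xolab.fileexplorer",
    "com.jumbodub.fileexplorerpdfviewer",
    "com.appiclouds.phonecleaner",
    "com.tragisoap.fileandpdfmanager",
}

# Constructed manifest for a "cleaner" that asks for the suspicious pairing.
CLEANER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HibernateService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest for a photo editor that requests only what it needs.
PHOTO_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photoeditor">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def _a(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return the package name, a list of findings and a verdict (low/medium/high)."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    findings = []

    known = package in KNOWN_DROPPER_PACKAGES
    if known:
        findings.append(f"{package} is listed in the article as an Anatsa dropper")

    perms = {_a(p, "name") for p in root.iter("uses-permission")}
    has_install = INSTALL_PACKAGES in perms
    if has_install:
        findings.append("requests REQUEST_INSTALL_PACKAGES (can sideload a second APK)")

    has_accessibility = False
    for svc in root.iter("service"):
        actions = {_a(a, "name") for a in svc.iter("action")}
        if _a(svc, "permission") == BIND_ACCESSIBILITY or ACCESSIBILITY_ACTION in actions:
            has_accessibility = True
            findings.append(f"declares AccessibilityService {_a(svc, 'name')}")

    if known or (has_accessibility and has_install):
        verdict = "high"
    elif has_accessibility or has_install:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": package, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for manifest in (CLEANER_MANIFEST, PHOTO_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"], *result["findings"], sep="\n  ")
```

An accessibility service on its own is not proof of malice, which is why it only raises the verdict to "medium"; combined with the ability to install packages it is the profile described in the article and rates "high". Feed the script the manifest from a decoded APK rather than the binary manifest inside the archive, since the binary form is not plain XML.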
