Jump to content
  • Anatsa Android malware downloaded 150,000 times via Google Play

    alf9872000

    • 326 views
    • 5 minutes
     Share


    • 326 views
    • 5 minutes

    The Anatsa banking trojan has been targeting users in Europe by infecting Android devices through malware droppers hosted on Google Play.

     

    Over the past four months, security researchers noticed five campaigns tailored to deliver the malware to users in the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic.

     

    Researchers at fraud detection company ThreatFabric noticed an increase of Anatsa activity since November, with at least 150,000 infections.

     

    Each attack wave focuses on specific geographic regions and employs dropper apps crafted to reach the “Top New Free” categories on Google Play, lending them credibility and increasing the success rate.

     

    ThreatFabric's report notes that the dropper apps now implement a multi-staged infection process and have evolved to abuse Android’s Accessibility Service to bypass security measures present in versions of the mobile operating system up to Android 13.

     

    Last summer, ThreatFabric warned of another Europe-focused Anatsa campaign that also used dropper apps hosted on Google Play, primarily fake PDF viewer apps.

    Anatsa dropper apps

    In the latest Anatsa campaign, the malware operators uses both PDF and fake cleaner apps that promise to free up space on the device by deleting unnecessary files.

     

    One example that ThreatFabric's researchers highlights is an app named ‘Phone Cleaner – File Explorer’, which was counted over 10,000 downloads.

     

    cleaner-app.png
    Anatsa dropper app (Threat Fabric)
     

    ThreatFabric told BleepingComputer that one Anatsa campaign also used another app called 'PDF Reader: File Manager', which recorded more than 100,000 downloads.

     

    At the time of writing, Google removed all Anatsa dropper apps from the official Android store except for the PDF Reader, which continues to be available.

     

    pdf-reader.png
    Malicious PDF reader app (BleepingComputer)
     

    ThreatFabric researchers told us that the 150,000 download count for Anatsa droppers on Google Play is a conservative one and the real figure would be closer to 200,000 because they used the lower estimates for the tally.

     

    The five malicious apps are:

    1. Phone Cleaner - File Explorer (com.volabs.androidcleaner)
    2. PDF Viewer - File Explorer (com.xolab.fileexplorer)
    3. PDF Reader - Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)
    4. Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
    5. PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)

     

    Considering that Anatsa constantly launches new attack waves using fresh dropper apps, the total number of downloads is expected to further increase.  Already, it has surpassed the 130,000 that Anatsa achieved in the first half of 2023.

    Technical details

    Technical insights from ThreatFabric’s report reveal that the dropper apps use a multi-staged approach to avoid detection, dynamically downloading malicious components from a command and control (C2) server.

     

    code-update.png
    Malicious code update (Threat Fabric)
     

    A notable strategy involves the misuse of AccessibilityService, historically a vector for malware to automate payload installation without user interaction.

     

    Malware abusing this powerful Android service created to aid users with disabilities occurs frequently, despite Google’s recent policy updates that introduced  restrictions to fight the misuse.

     

    Anatsa droppers' permission to access to the Accessibility Service was disguised by the need to “hibernate battery-draining apps,” which appears as a legitimate feature in the context of a cleaner app.

     

    Threat Fabric found in one case that the malicious code update was introduced a week after the dropper app was uploaded on Google Play and added user interface navigation parameters that match those of Samsung devices (One UI).

     

    code.png
    Samsung-specific actions (Threat Fabric)
     

    Other droppers used in the same campaign do not contain vendor-specific code, thus targeting a broader selection of Android devices.

     

    The malicious code update is downloaded from the C2 in four distinct steps, likely a tactic to evade detection and flagging by Google’s code review mechanisms.

     

    • Configuration Retrieval: Downloads configuration from the C2 server containing essential strings for the malicious code, avoiding immediate detection by hiding suspicious indicators.
    • DEX File Download: Retrieves a DEX file with the malicious code responsible for payload installation, activated by the previously downloaded strings.
    • Payload URL Configuration: Downloads a configuration file with the URL for the payload, allowing attackers to update the payload link as needed.
    • Payload Installation: Uses the DEX file to download, install, and launch the Anatsa malware, completing the infection process.

     

    payload-fetch.png

    Payload fetching process (Threat Fabric)

     

    The spread of the Anatsa campaign is significant and comes with the risk of financial fraud. Android users are recommended to carefully review user ratings and publisher history before installing an app.

     

    A good way to stay protected is to avoid performance-enhancing, productivity, and secure messaging apps that don’t come from vendors with an established reputation.

     

    When installing new apps, it is strongly recommended to check the list of requested permissions and deny those unrelated to the purpose of the app (e.g. a photo editing app does not need access to the microphone).

     

    When installing new apps, carefully scrutinize the requested permissions, particularly those related to the Accessibility Service, which should be seen as a red flag for potential malware threats.

     

    Update 2/19 - A Google spokesperson has sent BleepingComputer the following comment:

    All of the apps identified in the report have been removed from Google Play.

    Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.

    Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...