Malware & Threats: Anatsa Banking Trojan Delivered via Google Play Targets Android Users in US, Europe
Android users in at least five countries have been targeted with the Anatsa banking trojan via malicious droppers uploaded to Google Play, according to a report by threat detection firm ThreatFabric. The malicious applications, which have accumulated over 30,000 installs on the store, posed as PDF or document reader applications and used a staged infection chain: the dropper first requested a GitHub page to retrieve a URL, then downloaded the final payload from that URL.
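The two-stage pattern described above (a benign-looking app fetches a small text resource from GitHub, then downloads an APK from the URL that resource contained) is something a mobile-traffic or MDM proxy log can be checked for. The following is an added example, not code from ThreatFabric or the original article; the log format, package names and hostnames are assumptions, and the sample log is constructed, not real indicators.

```python
"""Flag the staged-dropper pattern: a package fetches a URL-bearing text
resource from a GitHub host and, shortly after, downloads an APK from a
URL named in that resource. Added example; log format and hosts are
assumptions, and SAMPLE_LOG is constructed data."""
import re
from dataclasses import dataclass


@dataclass
class HttpEvent:
    ts: int            # seconds since epoch
    package: str       # requesting Android package name
    url: str           # requested URL
    content_type: str  # response Content-Type
    body: str          # response body for text responses, else empty


# Constructed sample log (assumed format: "ts package url content_type [body]").
SAMPLE_LOG = """\
1688000000 com.example.pdfreader https://raw.githubusercontent.com/example/cfg/main/u.txt text/plain https://cdn.example.invalid/dl/pkg.apk
1688000004 com.example.pdfreader https://cdn.example.invalid/dl/pkg.apk application/vnd.android.package-archive
1688000100 com.example.notes https://raw.githubusercontent.com/example/notes/main/README.md text/plain hello
1688000200 com.example.weather https://api.example.invalid/forecast application/json {"t":21}
"""

GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "gist.githubusercontent.com")
APK_MIME = "application/vnd.android.package-archive"
URL_RE = re.compile(r"https?://\S+")
WINDOW_SECONDS = 600  # stage 2 must follow stage 1 within this window


def parse_log(text: str) -> list[HttpEvent]:
    """Parse the assumed space-separated log format into HttpEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(" ", 4)
        ts, package, url, ctype = parts[0], parts[1], parts[2], parts[3]
        body = parts[4] if len(parts) > 4 else ""
        events.append(HttpEvent(int(ts), package, url, ctype, body))
    return events


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else ""


def find_staged_droppers(events: list[HttpEvent]) -> list[tuple[str, str, str]]:
    """Return (package, config_url, payload_url) for every package whose
    GitHub-hosted text response named a URL it then fetched an APK from."""
    hits = []
    events = sorted(events, key=lambda e: e.ts)
    for i, stage1 in enumerate(events):
        if host_of(stage1.url) not in GITHUB_HOSTS:
            continue
        if not stage1.content_type.startswith("text/"):
            continue
        candidate_urls = set(URL_RE.findall(stage1.body))
        if not candidate_urls:
            continue
        for stage2 in events[i + 1:]:
            if stage2.ts - stage1.ts > WINDOW_SECONDS:
                break
            looks_like_apk = (stage2.content_type == APK_MIME
                              or stage2.url.lower().endswith(".apk"))
            if (stage2.package == stage1.package
                    and stage2.url in candidate_urls
                    and looks_like_apk):
                hits.append((stage1.package, stage1.url, stage2.url))
    return hits


if __name__ == "__main__":
    for pkg, cfg, payload in find_staged_droppers(parse_log(SAMPLE_LOG)):
        print(f"{pkg}: staged download {cfg} -> {payload}")
```

The correlation is deliberately per-package and time-bounded: plenty of legitimate apps read files from GitHub, and plenty download APK-shaped blobs, but the same app doing both, with the second URL taken verbatim from the first response, is the shape of the chain the report describes. Note that the read-me fetch by `com.example.notes` is not flagged because its body names no URL.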
Repeated Infections and Backup Developer Accounts
The first dropper in the campaign, posing as a PDF reader application, was discovered in March 2023. Google removed the malicious application shortly after being notified. However, a second dropper, also posing as a PDF reader and employing the same infection chain, emerged one month later. After this application was removed, another PDF-reader dropper emerged within a month, and two more (both document readers) were identified in May and June. At the time of ThreatFabric’s report, the most recent dropper was still available for download on Google Play.
ThreatFabric’s analysis reveals that the actors behind the malware can have several apps published in the store at the same time under different developer accounts, with only one acting as malicious and the others serving as backups to be used after takedown.
Targeted Banks and Stolen Information
The Anatsa trojan targets banks in the US, UK, Germany, Austria, and Switzerland, but its target list includes over 600 mobile banking applications worldwide. Users were drawn to the malicious applications via advertisements that directed them to Google Play, lending the apps a false air of legitimacy. Using overlay screens placed over the legitimate banking apps, the trojan steals sensitive information such as credentials, credit card data, and balance and payment information. The threat actors then use this information to initiate fraudulent transactions, often through device-takeover fraud (DTO), in which the transaction is initiated from the victim’s own infected device.
ThreatFabric notes that Anatsa has been active since 2020 and that the iterations used in this campaign can target more than 90 additional mobile banking applications from Finland, Germany, Singapore, Spain, and South Korea. Although the droppers are not currently distributed in all of these countries, this suggests the actors plan to target those regions in the future.
Editorial: Addressing the Ongoing Threat of Malware on App Stores
This discovery once again highlights the ongoing threat of malware on app stores, even in supposedly secure environments like Google Play. Despite efforts to implement security measures, malicious actors continue to find ways to trick users and bypass security controls.
One crucial aspect of combating this issue is for app store platforms like Google Play to improve their vetting and monitoring processes. While Google took swift action to remove the malicious applications from its platform, the fact that subsequent droppers were still able to bypass security measures and remain available for download is concerning. App stores must prioritize proactive identification and removal of malicious applications to ensure the safety of their users.
Additionally, users should remain vigilant and exercise caution when downloading applications. It is essential to review the app’s permissions, read user reviews, and consider the reputation and credibility of the developer before installation. Users should also consider using reputable mobile security solutions that can provide an additional layer of protection against malware.
Overall, the battle against malware on app stores requires a combination of efforts from app store platforms, security firms, developers, and users. By working together and staying informed on the evolving tactics of malicious actors, we can better protect ourselves and our digital ecosystems from these threats.