Android malware Anatsa infiltrates Google Play to target US banks

The Anatsa banking trojan has made a stealthy reappearance on Google Play, disguised as a PDF viewer app that has already garnered over 50,000 downloads. This malware activates immediately upon installation, targeting users of North American banking applications. Once the app is launched, it presents an overlay that facilitates unauthorized access to banking accounts, keylogging, and even automating transactions.

Malicious Tactics Unveiled

According to researchers at Threat Fabric, who uncovered this latest campaign and promptly alerted Google, Anatsa employs a deceptive tactic. When users open their banking apps, they are greeted with a fabricated notification claiming that the banking system is undergoing maintenance. This message overlays the legitimate app interface, effectively masking the malware’s activities and hindering victims from contacting their banks or scrutinizing their accounts for any suspicious transactions.

Threat Fabric has been monitoring Anatsa’s activities on Google Play for several years, revealing a pattern of infiltration through various trojanized utility and productivity applications. Notably, a campaign identified in November 2021 resulted in 300,000 downloads, while another in June 2023 recorded 30,000 downloads. A subsequent campaign in February 2024 saw 150,000 downloads.

Most recently, in May 2024, mobile security firm Zscaler reported yet another infiltration of Anatsa on the official Android app store, with two applications masquerading as a PDF reader and a QR reader, collectively achieving 70,000 downloads.

[Image: App on Google Play that delivered Anatsa to its users. Source: ThreatFabric]

The specific Anatsa app identified by Threat Fabric this time is named ‘Document Viewer – File Reader,’ published by ‘Hybrid Cars Simulator, Drift & Racing.’ The researchers noted that this app follows a familiar strategy employed by Anatsa operators in previous instances: maintaining a “clean” appearance until it builds a substantial user base. Once the app gains popularity, malicious code is introduced through an update that retrieves the Anatsa payload from a remote server and installs it as a separate application.

Following this, Anatsa connects to a command-and-control (C2) server, receiving a list of targeted applications to monitor on the compromised device. The latest iteration of the Anatsa app delivered the trojan between June 24 and 30, just six weeks after its initial release on the store.
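The dropper pattern described above leaves a trace a defender can check for: the payload is installed by the utility app rather than by the Play Store, and Android's `pm list packages -i` reports the installing package for every installed app. The script below is an added example, not code from the article or from ThreatFabric; it parses a constructed sample of that command's output, with placeholder package names, and flags any app whose installer is another user app.

```shell
# Constructed sample of `adb shell pm list packages -i` output (not a real capture).
# Real lines look like: package:<name>  installer=<installer package or null>
# The package names below are placeholders, not the apps named in the article.
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.example.docviewer  installer=com.android.vending
package:com.example.payload  installer=com.example.docviewer
package:com.android.settings  installer=null'

# flag_sideloaded: print "<package> installed_by=<installer>" for every package
# whose installer is neither the Play Store (com.android.vending) nor the system
# (installer=null). A user app acting as installer of another app is the
# dropper pattern to review.
flag_sideloaded() {
    # tr strips the CR that some adb versions emit; read handles one line at a time.
    printf '%s\n' "$1" | tr -d '\r' | while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}
        installer=${line##*installer=}
        case "$installer" in
            com.android.vending|null) ;;
            *) printf '%s installed_by=%s\n' "$pkg" "$installer" ;;
        esac
    done
}

# Live use (assumes adb is on PATH and a device is attached):
#   flag_sideloaded "$(adb shell pm list packages -i)"
flag_sideloaded "$SAMPLE_PM_OUTPUT"
```

On a device already carrying such a pair, the flagged installer package is the one to uninstall first, then the package it installed.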

In response to this threat, Google has since removed the malicious app from its platform. Users who may have installed the app are strongly advised to uninstall it immediately, conduct a comprehensive system scan using Play Protect, and reset their banking credentials.

Given Anatsa’s recurring ability to infiltrate Google Play, users are urged to exercise caution by only downloading apps from reputable publishers, scrutinizing user reviews, being mindful of requested permissions, and minimizing the number of installed applications on their devices.

Update 7/8 – A Google spokesperson provided the following statement to BleepingComputer: “All of these identified malicious apps have been removed from Google Play. Users are automatically protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.”
