Android Security Experts Raise The Alarm Against Surge In Anatsa Banking Trojan As 90 Malicious Apps Installed 5.5 Million Times

Banking Trojan Anatsa Escalates Threats on Android Devices

In the ever-evolving landscape of cyber threats, a banking trojan named Anatsa has been making headlines with its alarming proliferation. Security researchers are tracking the malware after it turned up among more than 90 malicious Android apps on Google Play that together have been installed some 5.5 million times.

These apps are not ordinary applications; they are the gateway through which adware and malware circulate in the Android ecosystem. Anatsa in particular casts a wide net, targeting approximately 650 banking apps worldwide, with victims across Asia, the European Union, the United Kingdom and the United States. Its modus operandi is to steal sensitive user credentials, above all banking logins, and use them for fraudulent e-banking transactions.

Earlier this year, a report from ThreatFabric shed light on the severity of the issue, revealing around 15,000 infections that originated from Google Play via decoy apps posing as productivity software. Now Anatsa has resurfaced, this time delivered through two new decoy apps named PDF Reader and QR Reader. By the time Zscaler published its findings, the two apps had already reached about 70,000 installations, pointing to a gap in Google Play's app review process.

Anatsa is delivered in stages. The app published on Google Play is a lightweight dropper that, once installed, fetches a DEX payload from its command-and-control server and loads it at runtime, so the code that reaches Google's reviewers contains little that looks malicious. The payload runs anti-analysis checks and refuses to execute inside emulators and sandboxes. Once the final banking trojan is on the device, it registers the device as a bot, scans for installed apps, and downloads overlay injections tailored to the banking apps it finds, which it then uses to capture the victim's credentials.

But Anatsa isn't the only threat on the radar. In recent months, over 90 different apps on Google Play were identified, amassing 5.5 million downloads between them. These apps masqueraded as Android tools, photo utilities, health apps and personalization platforms. Among the most prevalent families were Joker, Coper and Facestealer, with adware making up much of the rest.

Although Anatsa and Coper account for only about 3% of those 5.5 million installs, they are considered among the most dangerous of the lot, because they go after banking credentials directly. Security experts consistently emphasize installing apps only from verified sources and reviewing what an app asks for before granting it, to avoid falling victim to fraud and data theft.

Users are advised to scrutinize the permissions of any new app they install, and to steer clear of apps that request access to sensitive data such as contacts or SMS, or that ask to be enabled as an accessibility service, which banking trojans use to read the screen and act on the user's behalf. A PDF viewer or QR scanner has no legitimate need for any of these.
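The checks described above (the install-packages grant a dropper needs to sideload its second stage, the accessibility service a banking trojan uses for overlays and device takeover, and the SMS and contacts permissions) can be applied mechanically to an app's manifest. The script below is an added example, not code from the article or from Zscaler or ThreatFabric. It assumes the manifest has already been decoded to text (for example with `apktool d app.apk`), since the manifest inside an APK is stored as binary XML; the two sample manifests and their package names are constructed for illustration and do not correspond to any real app.

```python
# Added example: triage a decoded AndroidManifest.xml for the permission and
# component combinations that Anatsa-style droppers and banking trojans rely on.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a "PDF Reader" or "QR Reader" has no legitimate need for,
# with the capability each one buys an attacker.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "can sideload a second-stage APK (dropper behaviour)",
    "android.permission.SYSTEM_ALERT_WINDOW":
        "can draw overlays on top of banking apps",
    "android.permission.QUERY_ALL_PACKAGES":
        "can enumerate installed apps to pick matching injections",
    "android.permission.READ_SMS":
        "can read SMS one-time passcodes",
    "android.permission.RECEIVE_SMS":
        "can intercept SMS one-time passcodes",
    "android.permission.READ_CONTACTS":
        "harvests the contact list",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, a list of findings and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    findings = []

    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    for perm, why in RISKY_PERMISSIONS.items():
        if perm in requested:
            findings.append(f"{perm}: {why}")

    # An accessibility service is declared as a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE; banking trojans use it to read screens,
    # click through further permission prompts and perform taps as the user.
    has_accessibility = False
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY:
            has_accessibility = True
            findings.append(
                f"accessibility service {svc.get(ANDROID_NS + 'name')}: "
                "can read the screen and act as the user"
            )

    # Accessibility plus sideloading or overlays is the classic
    # dropper -> banking-trojan shape; anything else risky still deserves a look.
    install_or_overlay = {
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.SYSTEM_ALERT_WINDOW",
    } & requested
    if has_accessibility and install_or_overlay:
        verdict = "high"
    elif findings:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed sample manifests; the package names are made up for this example.
DROPPER_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="PDF Reader">
        <activity android:name=".MainActivity"/>
        <service android:name=".HelperService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscan">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="QR Reader">
        <activity android:name=".ScanActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (DROPPER_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run on the constructed dropper manifest it reports a "high" verdict with three findings (the install-packages grant, the package enumeration and the accessibility service); the camera-only QR scanner comes back "low". The point of the verdict logic is the combination: an accessibility service on its own has legitimate uses, but paired with the ability to sideload an APK or draw overlays it is the exact shape of the dropper described in the article.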

The names of the other 90-odd apps removed by Google for security reasons have not been disclosed, but it has been confirmed that, following Zscaler's report, the two dropper apps associated with Anatsa were removed from Google Play.

Image: DIW-Aigen
