unauthorized transactions Archives

AppWizard

March 6, 2025

Android App With 220,000+ Downloads From Google Play Installs Banking Trojan

A sophisticated Android banking trojan campaign, known as Anatsa or TeaBot, has been downloaded over 220,000 times from the Google Play Store before its removal. The malware targets global financial institutions using a multi-stage infection process, deploying fake login overlays and exploiting accessibility services to steal user credentials and perform unauthorized transactions. The malicious app disguised itself as a "File Manager and Document Reader" and acted as a dropper, retrieving additional payloads from remote servers. It uses reflection-based code execution to evade detection and conducts anti-emulation checks to confirm it is on a genuine device. Anatsa requests critical permissions, including accessibility services and SMS access, to log keystrokes and bypass two-factor authentication. The campaign primarily targets users in Europe, especially Slovakia, Slovenia, and Czechia, but has the potential to expand to markets like the U.S., South Korea, and Singapore. It targets over 600 banking and cryptocurrency applications, enabling on-device fraud through automated transaction systems. Users are advised to avoid sideloading apps, audit app permissions, and monitor for updates from official stores. Google has removed the identified dropper, but similar threats persist. Indicators of compromise include specific network URLs and an MD5 hash for a sample.

AppWizard

March 6, 2025

Malicious Android App on Google Play Compromises 220,000+ Devices

Security researchers at ThreatLabz have identified a malware campaign operating through the Google Play Store that disseminated the Anatsa banking trojan, also known as TeaBot. The malicious app, disguised as a file manager and document reader, was downloaded over 220,000 times before its removal. The app initiated a multi-stage payload retrieval process after users granted accessibility permissions, allowing it to download the Anatsa payload and turn infected devices into tools for financial fraud. Anatsa uses overlay attacks and credential harvesting techniques, displaying fake login screens for banking applications to capture user credentials. It targets financial institutions across North America, Europe, and Asia, particularly mobile banking platforms. The malware employs evasion techniques, including delayed activation and encrypted communication, and maintains persistence by checking for accessibility service permissions. Initial data indicates concentrated infections in regions with high mobile banking usage, and the app's multilingual interface suggests a global targeting strategy. Google removed the app within 48 hours of the disclosure but it had been present for approximately eight weeks before detection. Google has initiated a mass uninstallation campaign for affected devices, while users are advised to perform factory resets, monitor financial accounts, enable Google Play Protect, and avoid granting permissions to unfamiliar apps. Investigations are ongoing to identify the threat actors, with links to Eastern European cybercrime syndicates suggested.

Tech Optimizer

February 19, 2025

Trojanized game PirateFi discovered on Steam

Free downloads from torrent trackers pose significant risks of malware, prompting security solutions to quarantine suspicious files. A recent incident involved the game PirateFi, which was removed from Steam after being flagged for harboring malware that stole browser cookies and compromised online accounts. The game attracted minimal attention, with around 1,500 downloads and reports of unauthorized transactions among players. Valve advised users to run security scans and suggested reformatting their operating systems, which confused many. The developers, Seaworth Interactive, raised suspicions due to their promotional tactics. Malware incidents on Steam are not new, with past cases like Dynostopia affecting players. Gamers are advised to avoid cheats, choose well-reviewed games, and install dedicated gaming antimalware for protection. Kaspersky Premium offers a gaming mode that minimizes interruptions during gameplay.

AppWizard

October 1, 2024

Android Users At Risk! Dangerous Crypto App Still Hiding On Devices: Here’s What To Do

Android users are facing a security threat from the WalletConnect – Airdrop Wallet app, which was available on the Google Play Store for several months and stole approximately ,000 from users. The app was designed to exploit the credibility of WalletConnect, deceiving users into downloading it. It evaded detection for over five months by manipulating its ranking with fake positive reviews. Once installed, the app prompted users to connect their cryptocurrency wallets, leading them to phishing websites and counterfeit applications, resulting in unauthorized transactions. The app has been removed after being downloaded by over 10,000 users, but risks remain for those who still have it installed. Users are advised to delete the app, change their wallet credentials, run anti-malware scans, monitor accounts for suspicious activity, verify app legitimacy before downloading, and enable two-factor authentication on their accounts.

AppWizard

October 1, 2024

Android users, delete this ‘dangerous’ crypto app from your phones – Times of India

A cybersecurity firm identified a malicious application called WalletConnect – Airdrop Wallet in the Google Play Store, designed to steal cryptocurrency from users. The app evaded detection for over five months after its introduction in March 2024, targeting Android users and employing evasion techniques to appear legitimate. It exploited the credibility of the WalletConnect protocol and siphoned approximately ,000 (around 58.6 lakh) in cryptocurrency from victims. The app achieved over 10,000 downloads by using fake positive reviews and advanced crypto drainer toolkits to manipulate search rankings. Users were misled into connecting their wallets and directed to phishing sites, resulting in unauthorized transactions. Despite some negative reviews, the developers countered with fake positive feedback to maintain the app's appearance of legitimacy.

AppWizard

August 3, 2024

Cybersecurity firm warns Android users to watch out for money-draining malware

Researchers at Cleafy have identified a new strain of Android malware called BingoMod, classified as a remote access trojan (RAT), which can siphon funds from users' bank accounts. BingoMod uses "smishing" to trick users into downloading it by masquerading as a legitimate antivirus application, specifically imitating AVG Antivirus & Security. Once installed, it prompts users to activate Accessibility Services, granting the malware extensive permissions to infiltrate devices. BingoMod captures login credentials, takes screenshots, and intercepts text messages, enabling on-device fraud (ODF) and unauthorized transactions. It can also disable existing security applications and uninstall them, increasing its operational effectiveness. The malware can spread further via text messages and is actively being developed to evade antivirus detection, with indications that its creator may be based in Romania. Users are advised to avoid links from unknown sources and to download applications only from reputable platforms like the Google Play Store, where Play Protect can detect and block BingoMod.

Tech Optimizer

July 6, 2024

Android banking trojan evolves to evade detection and strike globally – CyberGuy

The Medusa Android trojan has made changes to evade detection, including requesting fewer permissions and adding new ones like Broadcasting SMS and Package Management. It is targeting people globally, with two different botnet groups operating in Turkey, Canada, the US, Italy, and France. The hackers are using new tactics, such as installing the malware through apps downloaded from untrusted sources.

AppWizard

June 26, 2024

Snowblind is a new Android banking malware abusing a safety tool

Snowblind is a first-of-its-kind Android banking malware that manipulates a Linux kernel safety feature called "seccomp" to bypass security checks and anti-tampering mechanisms. It exploits accessibility services to gain system-level access to an infected device and can disable security features such as two-factor authentication and biometric verification. The malware targets banking Android apps in Southeast Asia and is effective on all modern Android devices. Promon has developed protective measures against Snowblind and other potential variants of seccomp-based attacks.