Android malware Anatsa has been downloaded from Google Play more than 150,000 times

In recent months, ThreatFabric analysts have observed five distinct campaigns by the Anatsa banking malware targeting users in the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic. These malicious applications, disguised as legitimate tools, have been downloaded from Google Play over 150,000 times.

Experts note that each campaign was geographically focused and utilized different dropper apps, specifically designed to climb the rankings in Google Play’s Top New Free category.

Anatsa has recently been disguising itself as PDF management tools and bogus system cleaning and optimization apps, claiming to free up space by eliminating unnecessary files. Notable examples highlighted by researchers include the “Phone Cleaner – File Explorer” app, with over 10,000 downloads, and the “PDF Reader: File Manager” app, boasting more than 100,000 downloads.

ThreatFabric suggests that the reported 150,000 downloads is an approximate figure, with the actual count of malware downloads potentially nearing 200,000.

Google’s security team has since eliminated all applications associated with Anatsa from the official Google Play store.

The detailed technical analysis by researchers indicates that the dropper apps employ a multi-stage strategy to elude detection, sequentially downloading malicious components from the command and control server. This four-stage malware download process seems to adeptly circumvent Google’s security protocols.

Android malware Anatsa has been downloaded from Google Play more than 150,000 times

The report highlights the exploitation of the Accessibility Service by Anatsa droppers. To obtain permission to access the Accessibility Service, they misled victims with the pretext of needing to “hibernate battery draining apps,” which seemed like a credible function for a system performance enhancement app.

A significant feature of Anatsa’s recent campaigns is their focus on targeting the Accessibility Service on Samsung devices. In one analyzed instance, a malicious update was installed on the device just a week following the download of the dropper app, with the malware specifically crafted to interact with the Samsung One UI’s user interface.

Android malware Anatsa has been downloaded from Google Play more than 150,000 times

Given these findings, experts suggest that one of the droppers was tailor-made for Samsung devices, whereas the remaining droppers operate independently of any particular manufacturer.

0 / 5

Your page rank:

Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment