The Anatsa banking trojan has sneaked into Google Play as soon as extra through an app posing as a PDF viewer that counted greater than 50,000 downloads.
The malware turns into lively on the system instantly after putting in the app, monitoring customers launching North American banking apps and serving them an overlay that enables accessing the account, keylogging, or automating transactions.
In response to Risk Material researchers who noticed the most recent marketing campaign and reported it to Google, Anatsa reveals customers a pretend message after they open the focused apps, informing of a scheduled banking system upkeep.
The notification is displayed on prime of the banking app’s UI, obscuring the malware’s exercise within the background and stopping victims from contacting their financial institution or checking their accounts for unauthorized transactions.
Risk Material has been monitoring Anatsa on Google Play for years, uncovering a number of infiltrations beneath pretend or trojanized utility and productiveness instruments.
A marketing campaign uncovered in November 2021 achieved 300,000 downloads, one other uncovered in June 2023 had 30,000 downloads, and one other one disclosed in February 2024 reached 150,000 downloads.
In Might 2024, cell safety agency Zscaler reported that Anatsa had achieved yet one more infiltration on Android’s official app retailer, with two apps posing as a PDF reader and a QR reader, collectively amassing 70,000 downloads.
The Anatsa app that Risk Material found on Google Play this time is ‘Doc Viewer – File Reader,’ printed by ‘Hybrid Vehicles Simulator, Drift & Racing.’
Supply: ThreatFabric
The researchers report that this app follows a sneaky tactic Anatsa operators demonstrated in earlier instances too, the place they hold the app “clear” till it positive factors a considerable userbase.
As soon as the app turns into sufficiently standard, they introduce malicious code through an replace that fetches an Anatsa payload from a distant server and installs it as a separate software.
Then, Anatsa connects to the command-and-control (C2) and receives a listing of focused apps to observe for on the contaminated system.
The newest Anatsa app delivered the trojan between June 24 and 30, six weeks after its preliminary launch on the shop.
Google has since eliminated the malicious app from the shop.
In the event you put in the app, it’s endorsed that you just uninstall it instantly, run a full system scan utilizing Play Defend, and reset your banking account credentials.
Anatsa periodically finds methods to infiltrate Google Play, so customers ought to solely belief apps from respected publishers, test consumer opinions, take note of the requested permissions, and hold the variety of put in apps in your system on the obligatory minimal.
Whereas cloud assaults could also be rising extra subtle, attackers nonetheless succeed with surprisingly easy methods.
Drawing from Wiz’s detections throughout 1000’s of organizations, this report reveals 8 key methods utilized by cloud-fluent menace actors.
