Anatsa Banking Trojans Resurface: Android Users in Europe Under Threat.

The Anatsa banking Trojan campaign has been observed increasingly targeting European banks, according to new data by ThreatFabric researchers.

A new wave of ‘Anatsa’ banking trojans has been targeting Android users in Europe. This threat actor employs malware droppers disguised as legitimate mobile apps available on Google’s Play store to distribute the dangerous banking Trojan named “Anatsa”. The campaign has been active for at least four months and is orchestrated by the same operators who previously targeted victims in the US, Italy, United Kingdom, France, Germany, and other countries.

How does Anatsa spread malware?

Anatsa, the banking Trojan, spreads malware through a sophisticated process that involves malware droppers disguised as legitimate mobile apps. Here’s how it works:

1. Innocent Appearance: The initial droppers appear harmless when uploaded to Google’s Play store. They mimic legitimate apps, making them less suspicious to users.
2. Dynamic Payload Retrieval: After landing on the Play store, the droppers dynamically retrieve malicious code from a remote command and control (C2) server. This allows the attackers to keep their payload updated and adapt to security measures.
3. Automated Installation: One of the droppers, disguised as a cleaner app, exploits Android’s Accessibility Service feature. It uses this feature to automate payload installation without requiring user interaction. This stealthy approach ensures that victims remain unaware of the infection.
4. Targeted Banks: The campaign specifically targets customers of banks in Slovakia, Slovenia, and the Czech Republic. The attackers aim to compromise sensitive financial information.
5. European Focus: The current wave of Anatsa attacks focuses on Android users in Europe, with over 100,000 downloads of the droppers from the Play store since November 2023.

How does Anatsa avoid detection from Google Play?

Anatsa, the banking Trojan, employs a multi-stage approach to evade detection and circumvent security measures imposed by Google Play. Here’s how it manages to avoid detection:

1. Disguised Apps: The malicious apps are disguised as legitimate-looking applications such as PDF viewers, editor apps, and office suites in the office/productivity category. For instance, Phone Cleaner – File Explorer and PDF Reader: File Manager are examples of such apps that have been used in the latest Anatsa campaign. These apps appear innocuous but harbor the dangerous Trojan¹.
2. Dynamic Payload Retrieval: Anatsa uses malware droppers that initially appear harmless when uploaded to Google Play. However, these droppers dynamically retrieve malicious code from a remote command and control (C2) server after being listed on the Play store. This dynamic behavior allows the attackers to keep their payload updated and adapt to security measures.
3. Exploiting Accessibility Service: One of the droppers, disguised as a cleaner app, exploits Android’s Accessibility Service feature. By doing so, it can automate payload installation without requiring user interaction. This stealthy approach ensures that victims remain unaware of the infection¹.
4. Targeted Regions: The current wave of Anatsa attacks focuses on Android users in Europe, with over 100,000 downloads of the droppers from the Play store since November 2023. The attackers specifically target customers of banks in Slovakia, Slovenia, and the Czech Republic.

Rate of infections

The ongoing malware-spreading campaign associated with Anatsa has persisted for more than four years, with a recent surge reported last year. Since November, victims across Europe have unwittingly downloaded malware droppers over 100,000 times, highlighting the widespread impact of the campaign. In a previous iteration during the first half of 2023, the malware achieved over 130,000 installations of its weaponized droppers via Google’s Play Store alone. According to Threatfabric, the total download count for Anatsa droppers on Google Play is estimated to be around 150,000, although researchers caution that this figure may be a conservative estimate, with the actual number likely closer to 200,000, as per the reports.

Mitigation

If you suspect that your Android device may be affected by the Anatsa banking Trojan, here are some critical mitigation steps to safeguard your information:

1. App Removal: Delete the following five apps that have been identified as carriers of the Anatsa malware:
   • Phone Cleaner – File Explorer
   • PDF Viewer – File Explorer
   • PDF Reader – Viewer & Editor
   • Phone Cleaner: File Explorer
   • PDF Reader: File Manager.
2. Vigilance: Be cautious when downloading apps from the Google Play store. Even seemingly legitimate apps can harbor hidden threats. Verify the app’s legitimacy and read user reviews before installation.
3. Accessibility Service Permissions: Review app permissions carefully. Anatsa exploits Android’s Accessibility Service feature to install malicious code in the background without user knowledge. If an app requests this permission unnecessarily, reconsider its installation.
4. Regular Security Updates: Keep your Android operating system and apps up to date. Security patches often address vulnerabilities exploited by malware.
5. Antivirus Software: Install a reputable antivirus or security app on your device. Regularly scan your phone for potential threats.
6. Banking App Security: When accessing banking apps, ensure you are using the official app provided by your bank. Avoid third-party alternatives.
7. Password Hygiene: Use strong, unique passwords for your banking accounts. Enable two-factor authentication wherever possible.

Remember that Anatsa is a banking trojan, designed to steal sensitive information such as login credentials. Taking these precautions will help protect your financial data and personal identity. Stay vigilant and prioritize your device’s security.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.