
Anatsa Android Malware Targets European Users, Infects 150,000 Devices via Google Play

In recent months, a banking trojan called Anatsa has been wreaking havoc on Android devices in Europe. This malware has been infecting devices through droppers hosted on Google Play, posing a significant threat to users’ financial security. Security researchers at ThreatFabric have been closely monitoring the situation and have noticed a surge in Anatsa activity since November, with at least 150,000 infections reported.

The Anatsa campaign is specifically tailored to target users in the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic. Each attack wave focuses on specific geographic regions and employs dropper apps designed to reach the “Top New Free” categories on Google Play. This strategy lends them credibility and increases their success rate.

What makes Anatsa particularly dangerous is its ability to evolve and bypass security measures present in Android operating systems up to Android 13. The dropper apps now implement a multi-staged infection process and abuse Android’s Accessibility Service to avoid detection. This service, originally designed to assist users with disabilities, has become a common vector for malware attacks. Despite Google’s efforts to restrict its misuse, malicious actors continue to exploit it successfully.

In the latest Anatsa campaign, the malware operators have used both PDF viewer and fake cleaner apps to deceive users. One example highlighted by ThreatFabric is an app called ‘Phone Cleaner – File Explorer’, which has already garnered over 10,000 downloads. Another app called ‘PDF Reader: File Manager’ recorded more than 100,000 downloads before being removed by Google.

ThreatFabric estimates that the actual number of Anatsa dropper app downloads is closer to 200,000, as they used conservative estimates for their tally. With Anatsa constantly launching new attack waves using fresh dropper apps, the total number of infections is expected to increase further. Already, it has surpassed the 130,000 infections reported in the first half of 2023.

The dropper apps employ a multi-staged approach to avoid detection. They dynamically download malicious components from a command and control (C2) server, making it difficult for security measures to detect and block them. One notable strategy involves the misuse of the Accessibility Service, which allows for automated payload installation without user interaction. The droppers present their request for Accessibility Service access as a legitimate feature, which is plausible in the context of a cleaner app.

ThreatFabric discovered that the malicious code update was introduced a week after the dropper app was uploaded on Google Play. It added user interface navigation parameters that match those of Samsung devices, specifically targeting them. However, other droppers used in the same campaign do not contain vendor-specific code, making them a threat to a broader selection of Android devices.

The spread of the Anatsa campaign poses a significant risk of financial fraud to Android users. To protect themselves, users are advised to carefully review user ratings and publisher history before installing any app. It is also recommended to avoid performance-enhancing, productivity, and secure messaging apps that do not come from vendors with an established reputation. When installing new apps, users should scrutinize the requested permissions and deny those unrelated to the app’s purpose.

Google has taken action against the Anatsa campaign by removing all identified dropper apps from Google Play, except for the PDF Reader app. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn or block apps exhibiting malicious behavior, even if they come from sources outside of Google Play.

In conclusion, the Anatsa banking trojan has become a significant threat to Android users in Europe. Its ability to infect devices through dropper apps hosted on Google Play has led to at least 150,000 infections. The malware’s evolving tactics, such as abusing the Accessibility Service, make it difficult to detect and block. Android users must exercise caution when installing apps and prioritize security by reviewing user ratings, publisher history, and requested permissions. With Google’s efforts to remove the malicious apps and protect users through Google Play Protect, there is hope for mitigating the impact of the Anatsa campaign.
