The Android banking trojan named Anatsa has evolved and its attacks are more targeted, online fraud detection firm ThreatFabric reports.
Active for roughly four years, Anatsa can target more than 600 mobile banking applications worldwide, infecting devices via malicious droppers uploaded to Google Play. Three identified droppers had amassed roughly 30,000 installs via the application store in June last year.
The malware can take over infected devices, allowing its operators to perform various actions on behalf of the victim, including fraudulent transactions.
As part of a campaign that started in November 2023, the attackers expanded their targeting to Slovakia, Slovenia, and Czechia, promoting dropper applications that often reach the top 3 new free applications in Google Play.
To date, the cybersecurity firm observed five attack waves, each focused on a different region, as well as evolved tactics that include a multi-staged infection process, the ability to bypass Android 13’s protections, and abuse of Accessibility Services.
While Google’s recent policies strictly restrict the use of Accessibility Services to applications that declare a clear explanation for requiring the permission, Anatsa’s operators managed to circumvent that by publishing a dropper that claimed to need the permissions to “hibernate draining apps”.
One week after the application was published in Google Play, the attackers pushed an update that enabled it to execute malicious actions via Accessibility Services, including clicking buttons. The dropper specifically targeted Samsung devices.
“Based on our findings, we believe there is potential for future adaptations to target other manufacturers. In contrast, other droppers in the campaign did not contain such manufacturer-specific code, posing a threat to all devices regardless of the vendor,” ThreatFabric says.
To avoid detection, the malware developers implemented a multi-staged infection process that included the downloading of a DEX file from a remote location and its dynamic loading in memory. ThreatFabric identified three droppers employing dynamically loaded DEX files.
“As of this report, the current campaign involves five droppers with over 100,000 total installations. We anticipate the continuation of this campaign, with new droppers appearing in the official store and an expansion into additional targeted regions. The threat actors have a history of shifting focus between regions within a single campaign,” ThreatFabric notes.
“All of the apps identified in the report have been removed from Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson told SecurityWeek in an emailed comment.
*Updated with a statement from Google.
Related: Xenomorph Android Banking Trojan Targeting Users in US, Canada
Related: New ‘MMRat’ Android Trojan Targeting Users in Southeast Asia
Related: ‘Nexus’ Android Trojan Targets 450 Financial Applications
