UPDATE: A Google spokesperson reached out to us to give us the following statement. “All of these malicious apps identified have been removed from Google Play and the developers have been banned. Google Play Protect also protects users by automatically removing apps known to contain this malware on Android devices running Google Play Services.”
ThreatFabric analysts tracked campaigns using apps located in the Google Play Store that deliver the banking trojan called Anatsa. The apps involved in this campaign have over 30,000 installs. The campaign targets 600 financial apps from around the world. The goal is to steal credentials used by customers on banking apps and initiate fraudulent transactions by performing Device-Takeover Fraud (DTO).
Anatsa’s latest campaign began in March with the aim of creating fraudulent bank transactions
How the fraud cycle works with the Anatsa trojan
And once again, the dropper app has been reported to Google and removed from the Play Store, but that has not ended the campaign: three more droppers were found in the Play Store last month and this month. A replacement dropper takes anywhere from a couple of days to a couple of weeks to appear in the Play Store, and as of right now there is still an Anatsa dropper listed in Google’s Android app storefront.
According to ThreatFabric, “Our analysis also reveals that the actors can have several apps published on the store at the same time under different developer accounts, however, only one acts as malicious, while the other is a backup to be used after removal. Such a tactic helps actors to maintain very long campaigns, minimizing the time it takes to post another dropper and continue the distribution campaign”.
Once a device is infected, the trojan can collect sensitive information including credentials, credit card details, balance and payment information. The attackers then use this data to initiate transactions from the victim’s bank account. Because those transactions originate from the victim’s own device, the same device the bank already associates with that customer, they are difficult for the bank’s anti-fraud systems to distinguish from legitimate activity.
Make sure you don’t have any of these five apps on your Android phone
In 2021, ThreatFabric discovered a previous Anatsa campaign on Google Play when the trojan was installed over 300,000 times by apps posing as PDF scanners, QR code scanners, Adobe Illustrator apps and fitness tracker apps.
PDF Reader – Edit & View PDF (package: lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
PDF Reader & Editor (package: com.proderstarler.pdfsignature)
PDF Reader & Editor (package: moh.filemanagerrespdf)
All Document Reader & Editor (package: com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
All document readers and viewers (package: com.muchlensoka.pdfcreator)
One of Anatsa’s dropper apps
Even though they have been removed from the Play Store, these apps can still do harm if they remain installed on your phone; removal from the store does not uninstall them from devices. And remember, these are banking trojans designed to drain your bank accounts. So if you find any of these five on your Android phone, delete them immediately. It is also worth checking your bank balance and transaction history several times a day for a while to make sure nothing unusual is going on.
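Two of the five app names above are identical ("PDF Reader & Editor"), so the reliable way to check a phone is by package name rather than by the label shown in the launcher. The script below is an added example, not part of the original article or ThreatFabric's tooling: it takes the output of `adb shell pm list packages` (one `package:<name>` line per installed app) and reports any package that matches the five dropper package names listed in the article. The `--scan` flag and the function name are this example's own; the sample input in the accompanying check is constructed, not captured from a real device.

```shell
#!/bin/sh
# Package names of the five Anatsa dropper apps named in the article.
ANATSA_DROPPERS="lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools
com.proderstarler.pdfsignature
moh.filemanagerrespdf
com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs
com.muchlensoka.pdfcreator"

# find_droppers: reads `pm list packages` output ("package:<name>" per line)
# on stdin and prints the name of every installed package that exactly
# matches one of the known dropper package names, one per line.
# Prints nothing when the device is clean. Always returns 0 so it can be
# used inside command substitution under `set -e`.
find_droppers() {
    while IFS= read -r line; do
        pkg="${line#package:}"          # strip the "package:" prefix
        for bad in $ANATSA_DROPPERS; do  # IFS is default here: split on newlines
            if [ "$pkg" = "$bad" ]; then
                echo "$pkg"
            fi
        done
    done
    return 0
}

# Live scan of a USB-connected phone (requires adb and USB debugging).
# Only runs when invoked as:  sh anatsa_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found in PATH" >&2
        exit 2
    fi
    # tr strips the carriage returns that adb shell output can carry.
    hits=$(adb shell pm list packages | tr -d '\r' | find_droppers)
    if [ -n "$hits" ]; then
        echo "Known Anatsa dropper packages installed:"
        echo "$hits"
        exit 1
    fi
    echo "None of the five known Anatsa dropper packages are installed."
fi
```

If the scan reports a hit, `adb uninstall <package>` (or the app's entry under Settings > Apps) removes it. Note that this only matches the five package names the article lists; a new dropper published under a different package name would not be detected, which is why Google Play Protect should remain enabled as well.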