A threat actor is using malware droppers disguised as legitimate mobile apps on Google's Play Store to distribute a dangerous banking Trojan named "Anatsa" to Android users in several European countries.
The campaign has been ongoing for at least four months and is the latest salvo from the operators of the malware, which first emerged in 2020 and has previously claimed victims in the United States, Italy, United Kingdom, France, Germany and other countries.
Prolific rate of infections
ThreatFabric researchers have been monitoring Anatsa since its initial discovery and have identified the new wave of attacks starting in November 2023. In a report this week, the fraud detection services provider described the attacks as taking place in multiple distinct waves against bank customers in Slovakia, Slovenia and the Czech Republic.
So far, Android users in the targeted regions have downloaded the malware droppers from Google’s Play Store at least 100,000 times since November. In a previous campaign monitored by ThreatFabric during the first half of 2023, threat actors amassed over 130,000 installs of its weaponized droppers for Anatsa from Google’s mobile app store.
ThreatFabric attributed the relatively high infection rates to the phased approach the droppers use to deliver Anatsa to Android devices. When a dropper is first submitted to Google Play it contains nothing that suggests malicious behavior; only after it has been published does it dynamically fetch the code that performs the malicious actions from a remote command-and-control (C2) server.
One of the droppers, masquerading as a cleaner app, requested access to Android's Accessibility Service for what appeared to be a legitimate reason. The Accessibility Service is an Android feature designed to make it easier for users with disabilities and special needs to interact with Android apps; because an accessibility service can read what is on screen and perform actions on the user's behalf, threat actors have often abused it to automate payload installation on Android devices and eliminate the need for any user interaction during the process.
Multi-stage approach
“Initially the [cleaner] app appeared harmless, with no malicious code, and its AccessibilityService was not involved in any malicious activity,” ThreatFabric said. “However, a week after its release, an update introduced malicious code. This update altered the functionality of AccessibilityService, allowing it to perform malicious actions such as automatically clicking buttons once it received a configuration from the C2 server,” the vendor noted.
The files the dropper retrieved from the C2 server arrived in stages: first a configuration pointing to a malicious DEX file (the format Android uses to distribute application code); then the DEX file itself, containing the code that installs the payload; then a second configuration carrying the payload URL; and finally the Anatsa package, which that code downloaded and installed on the device.
The multi-stage, dynamically loaded approach used by the threat actors allowed each of the droppers in the latest campaign to evade the tougher accessibility service restrictions Google implemented in Android 13, ThreatFabric said.
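The staged chain described above means a static look at the first Play submission finds nothing; the indicators only appear once the dropper is updated or once the fetched DEX is in hand. The following triage script is an added example for this page, not code from ThreatFabric or from the campaign. It searches each `classes*.dex` inside an APK for the byte strings a dropper of this kind tends to carry (dynamic DEX loaders, accessibility service classes, the session-based package installer, embedded URLs). Identifiers in a DEX string pool are stored as plain MUTF-8, so a byte search works without a full DEX parser. The indicator list, the weights and the `review` threshold are assumptions of mine, and the APK it scans is a constructed sample (a zip with a fake `classes.dex`), not a real dropper.

```python
import io
import re
import zipfile

# Indicator byte strings and weights. These are assumptions for this example,
# not a list published by ThreatFabric. Type descriptors use the DEX form
# "Lpkg/Class;" so they match the string pool exactly.
DEX_INDICATORS = {
    b"Ldalvik/system/DexClassLoader;": ("dynamic DEX loading", 3),
    b"Ldalvik/system/InMemoryDexClassLoader;": ("in-memory DEX loading", 3),
    b"Landroid/accessibilityservice/AccessibilityService;": ("accessibility service", 2),
    b"performGlobalAction": ("accessibility automation", 1),
    b"Landroid/content/pm/PackageInstaller$Session;": ("session-based installer", 2),
    b"Ljava/net/HttpURLConnection;": ("network fetch", 1),
}

# Rough URL matcher over raw bytes; good enough to surface C2/payload hosts.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def scan_apk(apk_bytes):
    """Scan every classes*.dex in an APK (given as bytes).

    Returns (score, findings) where findings is a list of
    (dex_name, label) tuples and score is the summed indicator weight.
    """
    findings = []
    score = 0
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        dex_names = [n for n in zf.namelist() if re.fullmatch(r"classes\d*\.dex", n)]
        for name in dex_names:
            blob = zf.read(name)
            for needle, (label, weight) in DEX_INDICATORS.items():
                if needle in blob:
                    findings.append((name, label))
                    score += weight
            for url in URL_RE.findall(blob):
                findings.append((name, "url:" + url.decode("ascii", "replace")))
    return score, findings


def classify(score):
    """Triage verdict. Threshold 5 is an assumption: one loader plus one
    accessibility indicator is enough to warrant a manual look."""
    return "review" if score >= 5 else "low"


def build_sample_apk():
    """Constructed sample for this example: a zip holding a fake classes.dex
    whose bytes contain a loader class, an accessibility class and a URL.
    It is not a real APK and will not install on a device."""
    fake_dex = b"dex\n035\x00" + b"\x00".join([
        b"Ldalvik/system/DexClassLoader;",
        b"Landroid/accessibilityservice/AccessibilityService;",
        b"performGlobalAction",
        b"https://example.invalid/update/config",
    ])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")
        zf.writestr("classes.dex", fake_dex)
    return buf.getvalue()


if __name__ == "__main__":
    score, findings = scan_apk(build_sample_apk())
    print("score:", score, "verdict:", classify(score))
    for dex_name, label in findings:
        print(f"  {dex_name}: {label}")
```

Two caveats follow from the article itself. First, the initial dropper build scores low by design; the score only becomes meaningful when the same package is re-scanned after each update, or when the DEX fetched from the C2 is captured and fed in as its own `classes.dex`. Second, `DexClassLoader` and accessibility services are used by plenty of legitimate apps, so the output is a triage signal for a human review queue, not a verdict.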
For the latest campaign, the Anatsa operator used a total of five droppers disguised as free device cleaner apps, PDF viewers and PDF reader apps on Google Play. "These applications often reach the top three positions in the 'Top New Free' category, improving their credibility and lowering the guard against potential victims, while increasing the chances of successful infiltration," ThreatFabric said in its report. Once installed on a device, Anatsa can steal credentials and other information that allows the threat actor to take over the device and subsequently access the user's bank account and steal funds.
Like Apple, Google has implemented numerous security mechanisms in recent years to make it harder for threat actors to sneak malicious apps onto Android devices via its official mobile app store. One of the most significant among them is Google Play Protect, a built-in Android feature that scans app installations in real time for signs of potentially malicious or harmful behavior, then alerts the user or disables the app if it detects anything suspicious. Android's restricted settings feature, introduced in Android 13, has also made it much more difficult for threat actors to infect devices via sideloaded apps or apps from unofficial application stores, because such apps are blocked from being granted sensitive permissions like the Accessibility Service without extra user steps.
Even so, threat actors have continued to introduce malware onto Android devices via Play by abusing features like the AccessibilityService, by using multi-stage infection processes, and by installing their payloads through session-based package installers that mimic the installation method used by the Play Store, so that the payload is not treated as sideloaded, ThreatFabric said.