As reported by Bleeping Computer, Anatsa, a banking trojan, is running amok on European smartphones. While we’ve seen Anatsa plaguing smartphones in the past, this specific Anatsa campaign is targeting the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic, and was first detected by researchers from ThreatFabric in November.
Since then, Anatsa has infected at least 150,000 smartphones, although researchers estimate that number could be as high as 200,000. The bad actors behind the malware droppers (apps designed to deliver malware) are clever, too, attaching their malicious software to apps designed to float to the top three spots of the “Top New Free” categories on the Play Store. If an app shows up here, more users may be enticed to try it out, growing the number of victims the malware can infect.
How does Anatsa work?
When you install an Anatsa app on your smartphone, it targets Android’s Accessibility Service feature. This service, which is designed to help make Android more accessibile to the largest number of users regardless of ability, has been the entry point for many types of malware, since it makes it possible for malicious software to install in the background without the user’s knowledge.
Google has targeted this type of misuse of Accessibility Service, but malware finds a way. This time around, these Anatsa apps were able to sneak past by offering a fake “hibernate battery-draining apps” feature. While the end user thinks they’re enabling a feature that puts certain apps to sleep in the background, they’re really giving Anatsa apps permission to use Accessibility Service.
Once Accessibility Service is enabled for the app, it downloads specific parts of the malicious code, not the whole thing. This is to stay under the radar: If the app pulled in all of the malicious code at once, Android might notice and terminate the process. Next, the dropper downloads a file with the malicious code used to install the actual malware on your device. From here, the app downloads a file with the link for the malware. Finally, it downloads and launches the malware on your phone.
Anatsa is a banking trojan, so it’s designed to steal your banking information, such as the login to your banks. Bad actors can then use this data to steal your money or identity, which makes this a particularly nasty form of malware.
Which apps contain Anatsa malware?
According to the research, the following five apps were responsible for the 150,000 (or 200,000) Anatsa downloads in Europe:
- Phone Cleaner – File Explorer
- PDF Viewer – File Explorer
- PDF Reader – Viewer & Editor
- Phone Cleaner: File Explorer
- PDF Reader: File Manager
Of course, if you recognize any of these names, and have any of these apps on your device, delete them ASAP. Luckily, you won’t be able to download them anymore: Google has since removed them from the Play Store. However, that alone won’t remove them from devices they’re installed on. As such, make sure you aren’t running any of these apps, even if you don’t live in the targeted countries.
How to protect yourself from malware droppers
Apps containing malware or the instructions to install malware are figuring out new ways to trick users into downloading them. However, there are some usual best practices you can employ to protect yourself going forward.
Firstly, steer clear of any apps that advertise themselves as enhancing the performance or quality of your phone, unless they come from a recognizable name with a large favorable following. Malicious users know customers look for these types of apps, and design their droppers to look like them.
As you start to become more skeptical of these apps, take a closer look at their Play Store pages, as well. Make sure the copy is well written and free of simple spelling and grammar mistakes. A legitimate app is usually careful about getting these things right. In addition, make sure the images are high quality and actually show off what the app is advertising itself to be.
Finally, take a scroll through the reviews. Check out recent reviews, as well as the most critical ones, looking for anyone complaining that the app makes their phone behave worse. Some might actually call out the app for installing malware outright, so look out for that. If the reviews seem off, or if there are reviews for a seemingly different app in the past, it’s best to not bother with the app to begin with.
Leave a Reply
You must be logged in to post a comment.