Infiltrating Google Play, a Trojan Horse Awaits

A masked figure holding a credit card, symbolizing the threat of banking malware like Anatsa.

The notorious Android banking trojan Anatsa has once again infiltrated Google Play, this time disguising itself as a PDF viewer that managed to amass over 50,000 downloads. According to the cybersecurity researchers at Threat Fabric, the malware springs into action immediately after the app is installed on a user’s device, tracking the launch of North American banking apps and presenting the victim with a deceptive overlay.

This overlay allows the malware to access the user’s account, log their keystrokes, or even automate transactions without the victim’s knowledge. When the targeted banking apps are opened, Anatsa displays a fake message about scheduled system maintenance, obscuring its malicious activities in the background and preventing users from contacting their bank or checking for unauthorized transactions.

Threat Fabric has been closely monitoring Anatsa’s repeated attempts to infiltrate Google Play over the years, uncovering multiple campaigns where the trojan was hidden within various utility and productivity apps. The latest discovery, the “Document Viewer – File Reader” app published by “Hybrid Cars Simulator, Drift & Racing,” follows a familiar tactic employed by the Anatsa operators.

The app initially appears harmless, but once it gains a significant user base, a malicious update is pushed that fetches an Anatsa payload from a remote server and installs it as a separate application. This payload then connects to the malware’s command-and-control (C2) server, receiving instructions to monitor the device for targeted banking apps.
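The dropper pattern described above has a practical consequence for cleanup: the payload is a separate package, so removing only the Play-listed app leaves it behind. The following is an added triage helper (not code from the article or from ThreatFabric) that parses the output of `adb shell pm list packages -i` and reports every package whose recorded installer is another app rather than an app store; the trusted-installer set and the sample package names are assumptions and placeholders.

```python
# Added example (not from the article or ThreatFabric): find packages that were
# installed by another app instead of by an app store. In the dropper pattern
# described in the article, the payload's installer attribution points back at
# the dropper package, and both should be removed together.
import re
from typing import Dict, List, Tuple

# Assumption: installers a consumer device normally has. Extend with OEM
# stores if the device uses them.
TRUSTED_INSTALLERS = {"com.android.vending"}

# `pm list packages -i` prints one "package:<name>  installer=<installer>" line
# per package; installer is the literal "null" when none was recorded
# (preloaded system apps, adb sideloads), so "null" alone is not a verdict.
_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> installer package name (or the string 'null')."""
    installed: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            installed[m.group("pkg")] = m.group("inst")
    return installed


def app_installed_packages(installed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return sorted (package, installer) pairs whose installer is a regular
    app: neither a trusted store nor 'null'. Each pair is a candidate
    dropper/payload relationship worth inspecting."""
    hits = [(pkg, inst) for pkg, inst in installed.items()
            if inst != "null" and inst not in TRUSTED_INSTALLERS]
    return sorted(hits)


# Constructed sample output; package names are placeholders, not real IoCs.
SAMPLE = """\
package:com.android.chrome  installer=null
package:com.example.docviewer  installer=com.android.vending
package:com.example.sysupdate  installer=com.example.docviewer
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, inst in app_installed_packages(parse_pm_output(SAMPLE)):
        print(f"{pkg} was installed by {inst}: inspect and remove both")
```

On a real device, pipe `adb shell pm list packages -i` into `parse_pm_output` instead of `SAMPLE`.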

Anatsa’s malicious capabilities are extensive, allowing it to:

Monitor and track banking app activity: Anatsa can detect when a user launches a targeted banking app and present a fake login screen to steal login credentials.

Display fake overlays: Anatsa can display fake messages or overlays to deceive users into providing sensitive information or performing malicious actions.

Automate transactions: Anatsa can automate transactions without the user’s knowledge or consent, draining their bank account.

Keylog user activity: Anatsa can log user keystrokes, capturing sensitive information such as login credentials, credit card numbers, and PINs.

Anatsa’s operators have been using various tactics to evade detection, including:

Using fake or stolen developer credentials: Anatsa’s operators have been using fake or stolen developer credentials to publish malicious apps on Google Play.

Employing code obfuscation: Anatsa’s code is often obfuscated to make it difficult for security researchers to analyze and detect.

Updating malware payloads: Anatsa’s operators regularly update the malware payload to evade detection and improve its capabilities.

Google has since removed the malicious app from the Play Store, but users who have already installed it are advised to uninstall it immediately, run a full system scan using Play Protect, and reset their banking account credentials. To stay protected from future Anatsa attacks, users should be cautious when downloading apps, only trust reputable publishers, carefully review user reviews and requested permissions, and keep the number of installed apps to a minimum.
