A threat actor is using malware droppers disguised as legitimate mobile apps on Google's Play store to distribute a dangerous banking Trojan dubbed "Anatsa" to Android users in several European countries.
The campaign has been ongoing for at least four months and is the latest salvo from the operators of the malware, which first surfaced in 2020 and has previously notched victims in the US, Italy, United Kingdom, France, Germany, and other countries.
Prolific Rate of Infections
Researchers from ThreatFabric have been monitoring Anatsa since its initial discovery and spotted the new wave of attacks beginning in November 2023. In a report this week, the fraud detection vendor described the attacks as unfolding in multiple distinct waves targeting customers of banks in Slovakia, Slovenia, and the Czech Republic.
So far, Android users in the targeted regions have downloaded droppers for the malware from Google's Play store at least 100,000 times since November. In a previous campaign during the first half of 2023 that ThreatFabric tracked, the threat actors accumulated over 130,000 installations of its weaponized droppers for Anatsa from Google's mobile app store.
ThreatFabric attributed the relatively high infection rates to the multi-stage approach the droppers on Google Play use to deliver Anatsa. When the droppers are first uploaded to Play, they contain nothing that suggests malicious behavior. Only after they are live on Play does an update add code that dynamically retrieves the malicious components from a remote command-and-control (C2) server.
One of the droppers, disguised as a cleaner app, requested access to Android's Accessibility Service for what appeared to be a legitimate reason. Accessibility Service is a special type of Android service designed to make it easier for users with disabilities to interact with apps; because such a service can observe what is on screen and perform actions such as clicking buttons on the user's behalf, threat actors have frequently abused it to automate payload installation on Android devices without any user interaction.
Multi-Stage Approach
"Initially the [cleaner] app appeared harmless, with no malicious code and its AccessibilityService not engaging in any harmful activities," ThreatFabric said. "However, a week after its release, an update introduced malicious code. This update altered the AccessibilityService functionality, enabling it to execute malicious actions such as automatically clicking buttons once it received a configuration from the C2 server," the vendor noted.
The files that the dropper dynamically retrieved from the C2 server included a configuration pointing to a malicious DEX (Dalvik Executable, the format Android application code is packaged in) file; the DEX file itself, containing the code that handles payload installation; a configuration with the payload URL; and finally the code that downloads and installs Anatsa on the device.
The multi-stage, dynamically loaded approach allowed each of the droppers used in the latest campaign to circumvent the tougher AccessibilityService restrictions Google introduced in Android 13, ThreatFabric said.
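The sequence described above (a benign first release, then an update that adds dynamic code loading behind an already-granted accessibility service) is why a one-time review at upload is not enough. The following triage script is an added illustration, not ThreatFabric's tooling and not code from the Anatsa droppers. It assumes the APK has been decoded with `apktool d app.apk`, so that AndroidManifest.xml is plain-text XML and the Dalvik bytecode is available as smali; the manifest and smali fragments embedded below are constructed for the example, and the "release 1" and "release 2" inputs mirror the before-and-after-update behavior the report describes.

```python
"""Static triage of an apktool-decoded Android app for the dropper traits
described above: an accessibility service, dynamic code loading, and a
package-installer path. Added illustration; assumes apktool output.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Smali refers to classes by descriptor, so these substrings match exactly.
DYNAMIC_LOAD_APIS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
)
INSTALLER_APIS = (
    "Landroid/content/pm/PackageInstaller;",
    "Landroid/content/pm/PackageInstaller$Session;",
)


def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def accessibility_services(manifest_xml):
    """Names of <service> elements that bind the accessibility permission."""
    root = ET.fromstring(manifest_xml)
    return [_attr(s, "name") for s in root.iter("service")
            if _attr(s, "permission") == ACCESSIBILITY_PERMISSION]


def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {_attr(p, "name") for p in root.iter("uses-permission")}


def api_references(smali_sources, apis):
    """Which of `apis` appear anywhere in the decoded smali files."""
    blob = "\n".join(smali_sources.values())
    return sorted(a for a in apis if a in blob)


def triage(manifest_xml, smali_sources):
    perms = requested_permissions(manifest_xml)
    report = {
        "accessibility_services": accessibility_services(manifest_xml),
        "dynamic_loading": api_references(smali_sources, DYNAMIC_LOAD_APIS),
        "package_installer": api_references(smali_sources, INSTALLER_APIS),
        "internet": "android.permission.INTERNET" in perms,
    }
    # Heuristic (an assumption of this example): each trait alone is common in
    # legitimate apps; an accessibility service in an app that can fetch code
    # over the network and load it at runtime is the combination to flag.
    report["suspicious"] = bool(
        report["accessibility_services"]
        and report["dynamic_loading"]
        and report["internet"]
    )
    return report


# Constructed sample manifest: a "cleaner" declaring an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Phone Cleaner">
    <service android:name=".CleanerAccessibilityService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
        android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed smali for the initial release: the service only logs events.
RELEASE_1_SMALI = {
    "CleanerAccessibilityService.smali": """\
.class public Lcom/example/cleaner/CleanerAccessibilityService;
.super Landroid/accessibilityservice/AccessibilityService;
.method public onAccessibilityEvent(Landroid/view/accessibility/AccessibilityEvent;)V
    const-string v0, "cleaner"
    invoke-static {v0, v0}, Landroid/util/Log;->d(Ljava/lang/String;Ljava/lang/String;)I
    return-void
.end method
""",
}

# Constructed smali for the later update: a new class loads a downloaded DEX
# file and drives the package installer.
RELEASE_2_SMALI = dict(RELEASE_1_SMALI)
RELEASE_2_SMALI["Loader.smali"] = """\
.class public Lcom/example/cleaner/Loader;
.super Ljava/lang/Object;
.method public load(Ljava/lang/String;)V
    new-instance v0, Ldalvik/system/DexClassLoader;
    invoke-direct {v0, p1, v1, v2, v3}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    invoke-virtual {v4}, Landroid/content/pm/PackageInstaller;->createSession(Landroid/content/pm/PackageInstaller$SessionParams;)I
    return-void
.end method
"""

if __name__ == "__main__":
    for label, smali in (("release 1", RELEASE_1_SMALI), ("release 2", RELEASE_2_SMALI)):
        print(label, triage(SAMPLE_MANIFEST, smali))
```

Run against the first release the report comes back clean apart from the accessibility service itself, which is exactly what a reviewer at upload time would see; run against the update it flags the DexClassLoader and PackageInstaller references. The practical point is that the same check has to be re-run on every update of an app that already holds accessibility access, not only on the initial submission.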
For the latest campaign, the operator of Anatsa used a total of five droppers disguised as free device-cleaner apps, PDF viewers, and PDF reader apps on Google Play. "These applications often reach the Top-3 in the 'Top New Free' category, enhancing their credibility and lowering the guard of potential victims while increasing the chances of successful infiltration," ThreatFabric said in its report. Once installed on a device, Anatsa can steal credentials and other information that allow the threat actor to take over the device and later log into the user's bank account and steal funds from it.
Like Apple, Google has implemented numerous security mechanisms in recent years to make it harder for threat actors to sneak malicious apps onto Android devices via its official mobile app store. One of the most significant among them is Google Play Protect, a built-in Android feature that scans apps in real time for signs of potentially malicious or harmful behavior, then warns the user or disables the app if it finds anything suspicious. Android's restricted settings feature has also made it much harder for threat actors to infect Android devices via sideloaded apps, meaning apps installed from outside the official store.
Even so, threat actors continue to sneak malware onto Android devices via Play by abusing features like AccessibilityService, by using multi-stage infection processes, and by using package installers that mimic the Play store's own to sideload malicious payloads, ThreatFabric said.