Anatsa Android malware downloaded 150,000 times via Google Play

The Anatsa banking trojan has been targeting users in Europe by infecting Android devices through malware droppers hosted on Google Play.

Over the past four months, security researchers noticed five campaigns tailored to deliver the malware to users in the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic.

Researchers at fraud detection company ThreatFabric noticed an increase of Anatsa activity since November, with at least 150,000 infections.

Each attack wave focuses on specific geographic regions and employs dropper apps crafted to reach the “Top New Free” categories on Google Play, lending them credibility and increasing the success rate.

ThreatFabric's report notes that the dropper apps now implement a multi-staged infection process and have evolved to abuse Android’s Accessibility Service to bypass security measures present in versions of the mobile operating system up to Android 13.

Last summer, ThreatFabric warned of another Europe-focused Anatsa campaign that also used dropper apps hosted on Google Play, primarily fake PDF viewer apps.

Anatsa dropper apps

In the latest Anatsa campaign, the malware operators uses both PDF and fake cleaner apps that promise to free up space on the device by deleting unnecessary files.

One example that ThreatFabric's researchers highlights is an app named ‘Phone Cleaner – File Explorer’, which was counted over 10,000 downloads.

ThreatFabric told BleepingComputer that one Anatsa campaign also used another app called 'PDF Reader: File Manager', which recorded more than 100,000 downloads.

At the time of writing, Google removed all Anatsa dropper apps from the official Android store except for the PDF Reader, which continues to be available.

ThreatFabric researchers told us that the 150,000 download count for Anatsa droppers on Google Play is a conservative one and the real figure would be closer to 200,000 because they used the lower estimates for the tally.

The five malicious apps are:

1. Phone Cleaner - File Explorer (com.volabs.androidcleaner)
2. PDF Viewer - File Explorer (com.xolab.fileexplorer)
3. PDF Reader - Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)
4. Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
5. PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)

Considering that Anatsa constantly launches new attack waves using fresh dropper apps, the total number of downloads is expected to further increase.  Already, it has surpassed the 130,000 that Anatsa achieved in the first half of 2023.

Technical details

Technical insights from ThreatFabric’s report reveal that the dropper apps use a multi-staged approach to avoid detection, dynamically downloading malicious components from a command and control (C2) server.

A notable strategy involves the misuse of AccessibilityService, historically a vector for malware to automate payload installation without user interaction.

Malware abusing this powerful Android service created to aid users with disabilities occurs frequently, despite Google’s recent policy updates that introduced  restrictions to fight the misuse.

Anatsa droppers' permission to access to the Accessibility Service was disguised by the need to “hibernate battery-draining apps,” which appears as a legitimate feature in the context of a cleaner app.

Threat Fabric found in one case that the malicious code update was introduced a week after the dropper app was uploaded on Google Play and added user interface navigation parameters that match those of Samsung devices (One UI).

Other droppers used in the same campaign do not contain vendor-specific code, thus targeting a broader selection of Android devices.

The malicious code update is downloaded from the C2 in four distinct steps, likely a tactic to evade detection and flagging by Google’s code review mechanisms.

• Configuration Retrieval: Downloads configuration from the C2 server containing essential strings for the malicious code, avoiding immediate detection by hiding suspicious indicators.
• DEX File Download: Retrieves a DEX file with the malicious code responsible for payload installation, activated by the previously downloaded strings.
• Payload URL Configuration: Downloads a configuration file with the URL for the payload, allowing attackers to update the payload link as needed.
• Payload Installation: Uses the DEX file to download, install, and launch the Anatsa malware, completing the infection process.

The spread of the Anatsa campaign is significant and comes with the risk of financial fraud. Android users are recommended to carefully review user ratings and publisher history before installing an app.

A good way to stay protected is to avoid performance-enhancing, productivity, and secure messaging apps that don’t come from vendors with an established reputation.

When installing new apps, it is strongly recommended to check the list of requested permissions and deny those unrelated to the purpose of the app (e.g. a photo editing app does not need access to the microphone).

When installing new apps, carefully scrutinize the requested permissions, particularly those related to the Accessibility Service, which should be seen as a red flag for potential malware threats.

Update 2/19 - A Google spokesperson has sent BleepingComputer the following comment:

All of the apps identified in the report have been removed from Google Play.

Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.

Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.