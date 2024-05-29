



Over 90 malicious mobile apps have been downloaded more than 5.5 million times from the Google Play Store in the past few months, and researchers have found that the apps are spreading a variety of malware, including the banking Trojan “Anatsa.”

The apps, which Zscaler researchers discovered over the past few months, act as decoys for malware and include a variety of PDF and QR code readers, as well as file managers, editors and translation features, Zscaler said in a blog post published yesterday.

Anatsa (aka TeaBot) is a sophisticated banking Trojan. It first tricks users into installing a dropper application that appears harmless at install time and fetches the malicious stages later, and then uses a variety of techniques to steal banking credentials and financial information from financial applications around the world.

“This can be achieved through the use of overlay and accessibility techniques, allowing data to be covertly intercepted and collected,” Zscaler's Himanshu Sharma and Gajanana Kond said in the post.

According to Zscaler, Anatsa is one of the most “influential” families currently being distributed on Google Play, but the other malware found in the apps includes Joker fleeceware, the credential-stealing Facestealer, various types of adware and the Coper Trojan.

Additionally, Zscaler's analysis found that the app category most commonly used to hide malware in mobile app stores was Tools, the category Anatsa's decoy apps sit in, followed by personalization and photo apps.

Bypassing Google Play malware detection

The attackers behind Anatsa, which can exfiltrate data from over 650 financial apps, have primarily targeted Android users in Europe so far, but Zscaler reports that the malware is also “actively targeting” banking apps in the U.S. and the U.K. The researchers noted that attackers appear to be expanding their targeting to financial institutions in more countries, including Germany, Spain, Finland, South Korea and Singapore.

While Google goes to great lengths to stop malicious apps from reaching its app store, Zscaler says Anatsa gets around these protections with a dropper technique: the app submitted to Google Play contains no malicious code of its own, so it appears clean at review and install time.

“However, once installed, the application downloads malicious code and staged payloads from a command-and-control (C2) server disguised as benign application updates,” the researchers wrote. “This strategic approach allows the malware to be uploaded to the official Google Play store and evade detection.”

Anatsa in Attack Mode

The researchers identified numerous malicious apps, and analyzed two Anatsa payloads in particular that were distributed via apps disguised as PDF and QR code readers. These types of apps often attract large numbers of installations, which “further serves to trick victims into believing these applications are genuine,” the researchers noted.

Anatsa uses remote payloads retrieved from its command-and-control (C2) server to infect devices and carry out further malicious activity. Once the decoy app is installed, it acts as a dropper and downloads the next-stage payload.

The researchers note that the Trojan also uses deception tactics that make it hard for users and threat hunters to detect. Before executing, it checks the device environment and device type, likely to detect a sandbox or analysis environment, and it loads the third and final stage only if the device is judged safe to run on.

Once loaded, Anatsa requests various permissions, including SMS and accessibility access, then establishes communication with its C2 server to perform various activities, including registering the infected device and retrieving a list of applications targeted for code injection.

To steal financial data, Anatsa downloads a target list of financial apps from the C2 server and checks which of them are installed on the device. It reports that information back to the C2, which then serves fake login pages for the installed apps; when the user enters credentials into one of these overlays, they are sent to an attacker-controlled server.
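The permission combination described above (SMS access plus a bound accessibility service, with package-installation rights as the dropper tell) is something a defender can check for before an app ever reaches a device. The script below is an added example, not Zscaler's tooling and not part of the original post: it parses an Android manifest and flags that combination. The two manifests, the package names, the capability buckets and the `SYSTEM_ALERT_WINDOW` overlay permission are all this example's own assumptions. Note that the manifest inside a real APK is binary XML and must be decoded first (for instance with apktool or androguard) before it can be fed to a text parser like this one.

```python
"""Added example (not Zscaler's tooling): triage an Android manifest for the
permission pattern the article describes, i.e. an accessibility service
combined with SMS access, overlay rights or the ability to install packages.
Both manifests below are constructed for this example."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission -> capability bucket. The buckets are this example's own grouping
# of the capabilities the article mentions, not an Android taxonomy.
WATCHED = {
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",  # assumption: overlay tell
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed: a "PDF reader" that wants SMS, install rights and accessibility.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="PDF Reader">
    <service android:name=".UpdateService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed: a QR scanner that asks only for what a QR scanner needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="QR Scanner"/>
</manifest>"""


def accessibility_services(root):
    """Names of services that bind as accessibility services, whether declared
    via android:permission or via the accessibility intent action."""
    found = []
    for svc in root.iter("service"):
        actions = {a.get(NAME) for a in svc.iter("action")}
        if svc.get(PERMISSION) == BIND_A11Y or A11Y_ACTION in actions:
            found.append(svc.get(NAME))
    return found


def analyze_manifest(xml_text):
    """Return the watched permissions by bucket, the accessibility services,
    and a verdict based on the combination rather than any single permission."""
    root = ET.fromstring(xml_text)
    buckets = {"sms": [], "dropper": [], "overlay": []}
    for up in root.findall("uses-permission"):
        perm = up.get(NAME)
        if perm in WATCHED:
            buckets[WATCHED[perm]].append(perm)
    a11y = accessibility_services(root)
    reasons = []
    if a11y:  # an accessibility service on its own is not a finding
        for bucket, label in (("sms", "SMS access"),
                              ("overlay", "overlay permission"),
                              ("dropper", "package installation")):
            if buckets[bucket]:
                reasons.append(f"accessibility service combined with {label}")
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        **buckets,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = analyze_manifest(manifest)
        print(r["package"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

The verdict deliberately keys on the combination: plenty of legitimate apps declare an accessibility service, and plenty read SMS, but a PDF reader that does both and can also install packages matches the dropper-plus-payload pattern the article describes and deserves a manual look.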

Staying vigilant against mobile cyber threats

Despite Google's best efforts, keeping malicious Android apps out of the Google Play Store has so far proven impossible. As cybercriminals continue to evolve and use increasingly sophisticated tactics to create malware, “it will be critical for organizations to implement proactive security measures to protect their systems and sensitive financial information,” Zscaler researchers noted.

To help enterprise mobile users avoid breaches, the researchers advise organizations to adopt a “zero trust” architecture that focuses on user-centric security and ensures all users are “authenticated and authorized before accessing resources, regardless of device or location.”

Android users can also protect their corporate networks by not downloading mobile applications while connected to the corporate network, and by exercising good judgment and watching for suspicious app behavior, such as an app requesting permissions unrelated to its stated purpose, even when installing apps from trusted app stores.

