CyberSecurity SEE

New wave of ‘Anatsa’ banking trojans targeting Android users in Europe


A new wave of attacks has hit Android users in Europe, with malware droppers disguised as legitimate mobile apps on Google’s Play store being used to distribute a dangerous banking Trojan named “Anatsa.” The threat actors behind this campaign have been active for at least four months, primarily targeting customers of banks in Slovakia, Slovenia, and the Czech Republic.

Since November 2023, Android users in the targeted regions have downloaded the droppers from Google's Play store at least 100,000 times, continuing the actors' established practice of abusing the official app store as a distribution channel. The relatively high infection rate is attributed to the multi-stage approach the droppers use to deliver the Anatsa Trojan: the app that passes store review contains no banking-trojan code, and the malicious components arrive only later.

One recent tactic involved disguising a dropper as a device-cleaner app that asked the user to grant it access to Android's AccessibilityService. The app initially behaved harmlessly; a later update then introduced malicious code that changed what the accessibility service did, allowing it to carry out malicious actions once it received a configuration from the command and control (C2) server.

The material fetched from the C2 server included a malicious DEX file, configuration data, and a payload URL, which together led to the Anatsa Trojan being installed on the device. In total, the threat actors used five droppers on Google Play, disguised as free device-cleaner apps, PDF viewers, and PDF reader apps.
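The two paragraphs above describe the pattern an analyst would look for when triaging a suspect app: an accessibility service declared by an app whose advertised purpose does not need one, combined with the ability to fetch and load code at runtime. The following static-triage script is an added example, not code from the original article or from the researchers who reported the campaign. It assumes the APK's AndroidManifest.xml has already been decoded from binary AXML (for example with apktool) and that the string table of classes.dex has been dumped into a Python list; the manifest, the DEX strings, and the package name `com.example.phonecleaner` are all constructed samples for illustration.

```python
# Added example: static triage heuristics for an Android dropper of the kind
# described in the article. Not the article's or the researchers' code.
# Inputs assumed: a decoded (text) AndroidManifest.xml and a list of strings
# extracted from classes.dex. Both sample inputs below are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Class loaders that let an app execute code shipped outside the reviewed APK,
# e.g. a DEX file downloaded from a C2 server after installation.
DYNAMIC_LOADERS = {
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
}

# Store categories for which accessibility access has no obvious legitimate use.
NO_A11Y_NEED = {"cleaner", "pdf viewer", "pdf reader"}


def _android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def accessibility_services(manifest_xml: str) -> list:
    """Return the names of <service> entries that the system would bind as an
    AccessibilityService (correct permission plus the accessibility action)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    found = []
    for svc in app.findall("service"):
        if _android_attr(svc, "permission") != A11Y_BIND_PERMISSION:
            continue
        actions = [_android_attr(a, "name")
                   for f in svc.findall("intent-filter")
                   for a in f.findall("action")]
        if A11Y_ACTION in actions:
            found.append(_android_attr(svc, "name"))
    return found


def requested_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {_android_attr(p, "name") for p in root.findall("uses-permission")}


def dynamic_loader_refs(dex_strings) -> list:
    """Class-loader type descriptors referenced by the DEX string table."""
    return sorted(DYNAMIC_LOADERS.intersection(dex_strings))


def triage(manifest_xml: str, dex_strings, store_category: str) -> dict:
    """Combine the signals; no single one is malicious on its own, since every
    real accessibility service must declare BIND_ACCESSIBILITY_SERVICE."""
    a11y = accessibility_services(manifest_xml)
    loaders = dynamic_loader_refs(dex_strings)
    perms = requested_permissions(manifest_xml)
    reasons = []
    if a11y:
        reasons.append("binds AccessibilityService: " + ", ".join(a11y))
    if loaders:
        reasons.append("references dynamic class loaders: " + ", ".join(loaders))
    if loaders and "android.permission.INTERNET" in perms:
        reasons.append("can fetch code over the network and load it at runtime")
    if a11y and store_category.lower() in NO_A11Y_NEED:
        reasons.append(f"'{store_category}' app has no obvious need for accessibility access")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


# Constructed sample manifest (hypothetical package name) for a "cleaner" dropper.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.phonecleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Phone Cleaner">
    <service android:name=".CleanerService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed excerpt of a DEX string table.
SAMPLE_DEX_STRINGS = [
    "Ljava/lang/Object;",
    "Ldalvik/system/DexClassLoader;",
    "payload.dex",
    "https://",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS, "cleaner"))
```

Two caveats follow directly from the campaign as described. First, the check has to run on every update, not only on first submission: the dropper passed review as a harmless cleaner and only a later version added the loader. Second, the presence of BIND_ACCESSIBILITY_SERVICE alone proves nothing, because Android requires it for every legitimate accessibility service; the signal is the combination with runtime code loading and an app category that does not need accessibility access.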

Despite the defences Google has added in recent years, including Google Play Protect, threat actors continue to compromise Android devices through apps hosted on the store itself. Because the malicious code is fetched and loaded dynamically after installation rather than shipped in the reviewed APK, the droppers in this campaign were able to get around the tighter AccessibilityService restrictions introduced in Android 13, a sign that the actors adapt their tooling to each new platform control.

The campaign is a reminder that an app's presence on an official marketplace is not a guarantee of safety. Users should treat a request for accessibility access with suspicion when the app's purpose does not call for it, as with a cleaner or PDF reader, and should remember that an app that was harmless at install time can change behaviour with an update. Keeping Play Protect enabled, installing only what is needed, and following the reporting of security researchers who track these campaigns remain the practical mitigations available to individuals and organisations as the actors behind Anatsa continue to refine their tactics.
