
Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries

In November 2023, an Android banking trojan called Anatsa launched a new campaign that targeted users in Slovakia, Slovenia, and Czechia. Security firm ThreatFabric recently shared a report with The Hacker News stating that some of the droppers used in the campaign successfully exploited the accessibility service, despite Google Play's enhanced detection and protection mechanisms. All droppers in this campaign have the ability to bypass the restricted settings for the accessibility service in Android 13. The campaign involves five droppers with over 100,000 total installations.

Anatsa, also known as TeaBot and Toddler, is distributed under the guise of seemingly innocuous apps on the Google Play Store. These apps, called droppers, help in the installation of the malware by circumventing the security measures Google imposes on the granting of sensitive permissions. Anatsa has the capability to gain full control over infected devices and execute actions on a victim's behalf, as well as to steal credentials in order to initiate fraudulent transactions.

The latest iteration of Anatsa observed in November 2023 is no different: one of the droppers disguised itself as a phone cleaner named “Phone Cleaner – File Explorer” (package name “com.volabs.androidcleaner”) and leveraged a technique called versioning, in which a clean app is published first and the malicious code arrives in a later update, to introduce its malicious behavior. Despite no longer being available for download from the official Android storefront, the app can still be downloaded via other sketchy third-party sources. According to statistics available on the intelligence platform AppBrain, the app was downloaded around 12,000 times while it was available on the Google Play Store, between November 13 and November 27, when it was unpublished.

Researchers at ThreatFabric said, “Initially, the app appeared harmless, with no malicious code and its accessibility service not engaging in any harmful activities. However, a week after its release, an update introduced malicious code. This update altered the AccessibilityService functionality, enabling it to execute malicious actions such as automatically clicking buttons once it received a configuration from the [command-and-control] server.”

The dropper is notable because its abuse of the accessibility service is tailored to Samsung devices, which suggests that at some point it was designed to exclusively target Samsung-made handsets, although other droppers used in the campaign have been found to be manufacturer agnostic. The droppers can also circumvent Android 13's restricted settings by mimicking the process used by marketplaces to install new applications, so that their access to the accessibility service is never disabled, as previously observed in the case of dropper services like SecuriDropper.
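As an added defensive example (not code from the article or from ThreatFabric), the script below turns the two facts above, an enabled accessibility service and a marketplace-style install, into a triage check: it parses the output of the real commands `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` and lists every app with an enabled accessibility service alongside its recorded installer. The sample outputs and the service class names are constructed.

```python
"""Triage: list apps with an enabled accessibility service and their installer.
Added example (not ThreatFabric's tooling); parses output of the real commands
`adb shell pm list packages -i` and
`adb shell settings get secure enabled_accessibility_services`."""
import re
from typing import Dict, List, Optional

# Installer ids treated as marketplaces (assumption; extend per fleet). The
# Anatsa dropper came from Google Play itself, so a trusted installer is a
# triage data point, not a clean bill of health.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed sample output; the service class names are hypothetical.
SAMPLE_PM_OUTPUT = """\
package:com.volabs.androidcleaner  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.android.settings  installer=null
"""
SAMPLE_SETTINGS_OUTPUT = (
    "com.volabs.androidcleaner/com.volabs.androidcleaner.CleanerService:"
    "com.example.sideloaded/.AccessSvc\n"
)

def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package -> installer from 'package:<pkg>  installer=<pkg|null>'."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers

def parse_accessibility_services(setting: str) -> List[str]:
    """Split the colon-separated 'pkg/class' list; 'null' means none enabled."""
    value = setting.strip()
    return [] if value in ("", "null") else [e for e in value.split(":") if e]

def triage(pm_output: str, setting: str) -> List[dict]:
    """One finding per enabled accessibility service, with installer origin."""
    installers = parse_installers(pm_output)
    findings = []
    for component in parse_accessibility_services(setting):
        pkg = component.split("/", 1)[0]
        inst = installers.get(pkg)
        findings.append({"package": pkg, "service": component, "installer": inst,
                         "trusted_installer": inst in TRUSTED_INSTALLERS})
    return findings
```

On a live device, feed `triage()` the stdout of the two adb commands instead of the samples; any non-system package that appears in the output deserves a look at its update history, since the malicious behaviour in this campaign arrived through a later version.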

ThreatFabric stated that the attackers prefer concentrated attacks on specific regions rather than a global spread, periodically shifting their focus. This targeted approach enables them to concentrate on a limited number of financial organizations, leading to a high number of fraud cases in a short time.

Want to read more? Check out the original article available at The Hacker News!


Deitasoft © 2024. All Rights Reserved.