Anatsa banking Trojan reappeared through apps on Google Play

The resurgence of the Anatsa banking Trojan has sparked concerns among cybersecurity experts as it targets European financial institutions, posing a significant threat to mobile banking security. Over the past four months, the Anatsa campaign has exhibited a dynamic evolution, with five distinct waves targeting specific regions, including Slovakia, Slovenia, and Czechia, in addition to previous targets like the UK, Germany, and Spain.

Fraud detection company ThreatFabric detected a resurgence of the Anatsa banking Trojan in November 2023

The latest iteration of the Anatsa campaign, detected by ThreatFabric, demonstrates a sophisticated modus operandi. It employed multiple tactics to infiltrate mobile devices and execute malicious activities. Despite enhanced detection and protection mechanisms on Google Play, Anatsa droppers have successfully exploited AccessibilityService. It enabled them to automate the installation of payloads.

One notable aspect of the recent Anatsa campaign is the use of manufacturer-specific code targeting Samsung devices. This tailored approach suggests a strategic adaptation by threat actors to maximize the impact of their malware. While the campaign directly impacted Samsung users in this phase, the threat of similar tactics targeting other device manufacturers remains a concern.

Anatsa campaign has effectively bypassed AccessibilityService restrictions imposed by Android 13

Furthermore, the Anatsa campaign has effectively bypassed restrictions imposed by Android 13, enabling droppers to install payloads while evading detection. This technique, coupled with dynamically loaded DEX files, enhances the malware’s stealth capabilities. It poses challenges for security engines and increases the risk of successful infections.

The potential for device takeover by a malicious program poses a severe threat, with each installation increasing the risk of fraudulent activity and unauthorized access to sensitive information.

Beeping Computer has noted five applications that are linked to the Anatsa campaign. These include Phone Cleaner – File Explorer (com.volabs.androidcleaner), PDF Viewer – File Explorer (com.xolab.fileexplorer), PDF Reader – Viewer & Editor (com.jumbodub.fileexplorerpdfviewer), Phone Cleaner: File Explorer (com.appiclouds.phonecleaner), and PDF Reader: File Manager (com.tragisoap.fileandpdfmanager).

Google has responded to the matter

A Google spokesperson has informed BeepingComputer that Google Play has removed all of the five apps associated with this campaign. He added that Google Play Protect already protects Android devices against known versions of this malware. This is on by default on Android devices with Google Play Services.