Anatsa Android Trojan Bypasses Google Play Security, Expands Reach to New Countries

The Android banking trojan known as Anatsa has expanded its focus to include Slovakia, Slovenia, and Czechia as part of a new campaign observed in November 2023.

“Some of the droppers in the campaign successfully exploited the accessibility service, despite Google Play’s enhanced detection and protection mechanisms,” ThreatFabric said in a report shared with The Hacker News.

“All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13.” The campaign, in total, involves five droppers with more than 100,000 total installations.

Also known by the name TeaBot and Toddler, Anatsa is known to be distributed under the guise of seemingly innocuous apps on the Google Play Store. These apps, called droppers, facilitate the installation of the malware by circumventing security measures imposed by Google that seek to grant sensitive permissions.

In June 2023, the Dutch mobile security firm disclosed an Anatsa campaign that targeted banking customers in the U.S., the U.K., Germany, Austria, and Switzerland at least since March 2023 using dropper apps that were collectively downloaded over 30,000 times on the Play Store.

Anatsa comes fitted with capabilities to gain full control over infected devices and execute actions on a victim’s behalf. It can also steal credentials to initiate fraudulent transactions.

The latest iteration observed in November 2023 is no different in that one of the droppers masqueraded as a phone cleaner app named “Phone Cleaner - File Explorer” (package name “com.volabs.androidcleaner”) and leveraged a technique called versioning to introduce its malicious behavior.

While the app is no longer available for download from the official storefront for Android, it can still be downloaded via other sketchy third-party sources.

According to statistics available on app intelligence platform AppBrain, the app is estimated to have been downloaded about 12,000 times during the time it was available on the Google Play Store between November 13 and November 27, when it was unpublished.

“Initially, the app appeared harmless, with no malicious code and its accessibility service not engaging in any harmful activities,” ThreatFabric researchers said.

“However, a week after its release, an update introduced malicious code. This update altered the accessibility service functionality, enabling it to execute malicious actions such as automatically clicking buttons once it received a configuration from the [command-and-control] server.”

What makes the dropper notable is that its abuse of the accessibility service is tailored to Samsung devices, suggesting that it was designed to exclusively target the company-made handsets at some point, although other droppers used in the campaign have been found to be manufacturer agnostic.

The droppers are also capable of circumventing Android 13’s restricted settings by mimicking the process used by marketplaces to install new applications without having their access to the accessibility service functionalities disabled, as previously observed in the case of dropper services like SecuriDropper.

Furthermore, the dropper apps have been observed employing a multi-staged approach to avoid detection, dynamically downloading the configuration and APK payloads from the C2 server, enabling the threat actors to alter the malicious components at will.

“These actors prefer concentrated attacks on specific regions rather than a global spread, periodically shifting their focus,” ThreatFabric said. “This targeted approach enables them to concentrate on a limited number of financial organizations, leading to a high number of fraud cases in a short time.”

The development comes as Fortinet FortiGuard Labs detailed another campaign that distributes the SpyNote remote access trojan by imitating a legitimate Singapore-based cryptocurrency wallet service known as imToken to replace destination wallet addresses and with actor-controlled ones and conduct illicit asset transfers.

“Like much Android malware today, this malware abuses the accessibility API,” security researcher Axelle Apvrille said. “This SpyNote sample uses the Accessibility API to target famous crypto wallets.”

Update

Google shared the following statement with The Hacker News following the publication of the story -

"All of the apps identified in the report have been removed from Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."

The full list of Anatsa droppers that were removed from the Google Play Store are below -

• Phone Cleaner - File Explorer (com.volabs.androidcleaner)
• PDF Viewer - File Explorer (com.xolab.fileexplorer)
• PDF Reader - Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)
• Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
• PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)

ThreatFabric told The Hacker News that “PDF Reader: File Manager” had over 10,000 installations at the time of discovery last week, but had skyrocketed to 100,000 installations prior to its removal on February 19, 2024.

(The story was updated after publication to include responses from Google and ThreatFabric)

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.