Banking Trojan “Anatsa” Continues to Plague Google Play, Reaching 50,000 Users in Latest Campaign
San Francisco, CA – June 13, 2024 – A persistent Android banking trojan known as Anatsa has once again infiltrated the Google Play Store, impacting approximately 50,000 users in the United States with malicious applications, security researchers at Zscaler have revealed. This latest wave of infections is part of a broader trend of malicious and adware apps exploiting the platform, with a total of 77 identified apps racking up a combined 19 million downloads.
The Anatsa trojan is designed to steal banking credentials and other sensitive information from infected devices. This recent campaign marks at least the fourth significant Anatsa-related incident on Google Play in the past year, demonstrating the malware’s adaptability and the ongoing challenges in securing the Android ecosystem. Zscaler’s ThreatLabz team discovered the recent Anatsa-infected apps alongside a surge in adware, as well as other malware families including “Joker,” “Harly,” and various “maskware” applications (apps that disguise their true functionality). Notably, the researchers observed a decline in the prevalence of malware families like Facestealer and Coper.
“ThreatLabz identified a sharp rise in adware applications on the Google Play Store alongside malware, such as Joker, Harly, and banking trojans like Anatsa,” explained Zscaler researcher Himanshu Sharma. “Conversely, there has been a noticeable decline in malware families such as Facestealer and Coper.”
A History of Exploitation:
Anatsa has repeatedly bypassed Google Play’s security measures through various tactics. Previous campaigns include:
May 2024: A PDF and QR Code Reader attack resulting in approximately 70,000 infections.
February 2024: A Phone Cleaner and PDF attack leading to 150,000 downloads.
March 2023: A PDF Viewer attack achieving 30,000 installs, initially targeting users in the US and UK with banking information theft.
The malware typically disguises itself within seemingly legitimate applications, frequently using tools and personalization apps as its primary delivery method. Zscaler’s analysis indicates that the tools and personalization categories, alongside entertainment, photography, and design apps, represent the highest-risk areas for potential malware infection.
Google’s Response & User Protection:
Following Zscaler’s report, Google has removed all identified malicious applications from the Play Store. However, the researchers emphasize the importance of proactive user protection.
Android users are strongly advised to ensure that Google Play Protect, the built-in malware scanner, is enabled on their devices. In the event of a suspected Anatsa infection, users should also immediately contact their bank to secure possibly compromised e-banking accounts and credentials.
Mitigating the Risk:
Security experts recommend the following precautions to minimize the risk of downloading malicious apps from Google Play:
Trust Reputable Publishers: Prioritize apps from well-known and established developers.
Review User Feedback: Read multiple user reviews before downloading any app.
Limit Permissions: Carefully review the permissions requested by an app and only grant access that is directly relevant to its core functionality. Be wary of apps requesting excessive or unnecessary permissions.
The ongoing presence of Anatsa and other malware on Google Play underscores the constant arms race between security researchers and malicious actors, and the need for both platform providers and users to remain vigilant.
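As an added illustration of the permission-review advice above (example code written for this page, not from the article, Zscaler, or Google), the script below flags apps whose requested permissions go beyond a plausible baseline for their Play Store category and touch banking-relevant data or UI. The permission strings are real Android identifiers; the per-category baselines, the high-risk set, and the sample app records are constructed assumptions, so the thresholds should be tuned before use against a real device inventory.

```python
# Added example: flag apps whose requested permissions exceed what their
# declared Play Store category plausibly needs. The permission names are
# real Android identifiers; the baselines and sample records are assumptions.

from dataclasses import dataclass
from typing import Dict, List, Set

# Permissions that give an app reach into SMS, overlays, contacts, or side-loading,
# i.e. the kind of access a banking trojan would want. Constructed, not exhaustive.
HIGH_RISK: Set[str] = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
}

# Assumed baseline: what a benign app in each category might reasonably request.
# Unknown categories get an empty baseline, so every high-risk permission is flagged.
CATEGORY_BASELINE: Dict[str, Set[str]] = {
    "tools": {
        "android.permission.INTERNET",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
    "photography": {
        "android.permission.INTERNET",
        "android.permission.CAMERA",
        "android.permission.READ_EXTERNAL_STORAGE",
    },
    "personalization": {
        "android.permission.INTERNET",
        "android.permission.SET_WALLPAPER",
    },
}


@dataclass
class AppRecord:
    package: str        # package name as reported by the device
    category: str       # Play Store category the listing claims
    permissions: Set[str]  # permissions requested in the manifest


def audit(app: AppRecord) -> List[str]:
    """Return the high-risk permissions an app requests outside its category
    baseline, sorted for stable output. An empty list means nothing to flag."""
    baseline = CATEGORY_BASELINE.get(app.category, set())
    excess = app.permissions - baseline
    return sorted(excess & HIGH_RISK)


def audit_all(apps: List[AppRecord]) -> Dict[str, List[str]]:
    """Audit a device inventory; map each package name to its flagged permissions."""
    return {app.package: audit(app) for app in apps}


# Constructed sample inventory (hypothetical package names, not real apps).
SAMPLE_APPS: List[AppRecord] = [
    # A "PDF reader" in the tools category asking for SMS, overlay and install rights.
    AppRecord(
        "com.example.pdfreader",
        "tools",
        {
            "android.permission.INTERNET",
            "android.permission.READ_EXTERNAL_STORAGE",
            "android.permission.READ_SMS",
            "android.permission.SYSTEM_ALERT_WINDOW",
            "android.permission.REQUEST_INSTALL_PACKAGES",
        },
    ),
    # A photo filter app that also wants the contact list.
    AppRecord(
        "com.example.photofilter",
        "photography",
        {
            "android.permission.CAMERA",
            "android.permission.INTERNET",
            "android.permission.READ_CONTACTS",
        },
    ),
    # A wallpaper app that stays within its baseline.
    AppRecord(
        "com.example.wallpapers",
        "personalization",
        {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"},
    ),
]


if __name__ == "__main__":
    for package, flagged in audit_all(SAMPLE_APPS).items():
        status = "FLAG" if flagged else "ok  "
        print(f"{status} {package}: {', '.join(flagged) if flagged else '-'}")
```

The check is deliberately coarse: it does not judge whether an app is malicious, only whether its permission footprint is out of proportion to what it claims to be, which is the question the advice above asks a user to consider before granting access.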