Anatsa Banking Trojan Targets European Smartphones: Over 150,000 Infected

Anatsa Banking Trojan Targeting European Smartphones

European smartphone users should be cautious as a banking trojan called Anatsa has recently been detected, according to researchers from ThreatFabric.^[1] This recent Anatsa campaign specifically focuses on the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic. 

The Anatsa trojan has already infected a minimum of 150,000 smartphones, with estimations suggesting the actual number of affected devices could be as high as 200,000. 

The hackers behind the malware droppers, which are apps designed to distribute malware, have devised a clever technique for enabling the delivery of their malicious software. 

By attaching their malicious code to apps appearing amongst the top three positions of the “Top New Free” categories on the Play Store, the hackers aim to entice more users to download their infected apps. The larger the number of victims who install these apps, the higher the proliferation of the malware. 

How Does Anatsa Operate?

Once an Anatsa app is installed on a smartphone, it exploits Android’s Accessibility Service feature. While this feature, designed to enhance phone accessibility, has faced previous abuse from various types of malware, cybercriminals have continued to find ways to take advantage of it. In this specific campaign, the Anatsa apps are camouflaged as “hibernate battery-draining apps,” tricking users into granting Accessibility Service permissions.^[2] 

Once Accessibility Service is enabled for the app, it downloads specific components of the malicious code spectacles instead of the entire code at once. This strategy helps the malware stay under the radar, as pulling the entire code at once could trigger Android’s termination process. The app then downloads additional files containing the link and the actual malware, which is subsequently launched on the device. 

Anatsa is classified as a banking trojan, and its primary purpose is to collect sensitive banking information, including login credentials. The stolen data is then exploited to siphon money or carry out identity theft, making it a particularly menacing form of malware. 

Apps Containing the Anatsa Malware

The report highlights five apps that were responsible for the majority of Anatsa malware downloads in Europe:^[3]

1. Phone Cleaner – File Explorer
2. PDF Viewer – File Explorer
3. PDF Reader – Viewer & Editor
4. Phone Cleaner: File Explorer
5. PDF Reader: File Manager

It is important to mention that while these apps were available on the Play Store and were responsible for the initial wave of infections, they have since been removed by Google. However, if any of these applications still exist on your device, it is crucial to delete them immediately, even if you are not located in the targeted countries. 

Protecting Yourself from Malware Droppers

To defend against malware droppers, it is advised to adopt the following best practices:^[4]

1. Be cautious of apps claiming to enhance phone performance or quality unless they are from a reputable source with a loyal following. Malicious actors often mimic such apps to deceive potential victims. 
2. Review the Play Store page of the app carefully before downloading. Pay attention to the app’s description, ensuring it is well-written and free of any glaring spelling or grammar errors. Additionally, examine the quality of the app’s images to ensure that they accurately represent its advertised purpose. 
3. Scroll through the app’s reviews, giving particular attention to recent and critical reviews. Users who have fallen victim to malware may provide warnings in the form of reviews, even explicitly mentioning the presence of malware. If the reviews seem suspicious or relate to an entirely different app, it is recommended to avoid downloading the app altogether. 

It is important to exercise increased vigilance while downloading apps and to maintain up-to-date security measures and cybersecurity practices, thereby ensuring the safety of your personal data and devices.

^[1] Bleeping Computer: “Anatsa Android Malware Downloaded 150,000 Times via Google Play”

^[2] ThreatFabric: “Anatsa Trojan Returns Targeting Europe and Expanding Its Reach”

^[3] Latest Research Report

^[4] App Security Best Practices