The Anatsa banking trojan has sneaked into Google Play once more via an app posing as a PDF viewer that had more than 50,000 downloads.
The malware becomes active on the device immediately after the app is installed, watching for users launching North American banking apps and serving them an overlay that enables account access, keylogging, or automated transactions.
According to Threat Fabric researchers, who spotted the latest campaign and reported it to Google, Anatsa shows users a fake message when they open the targeted apps, informing them of scheduled banking system maintenance.
The notification is displayed on top of the banking app’s UI, obscuring the malware’s activity in the background and preventing victims from contacting their bank or checking their accounts for unauthorized transactions.
Threat Fabric has been tracking Anatsa on Google Play for years, uncovering multiple infiltrations under fake or trojanized utility and productivity tools.
A campaign uncovered in November 2021 achieved 300,000 downloads, another exposed in June 2023 had 30,000 downloads, and another one disclosed in February 2024 reached 150,000 downloads.
In May 2024, mobile security firm Zscaler reported that Anatsa had achieved yet another infiltration on Android’s official app store, with two apps posing as a PDF reader and a QR reader, collectively amassing 70,000 downloads.
The Anatsa app that Threat Fabric discovered on Google Play this time is ‘Document Viewer – File Reader,’ published by ‘Hybrid Cars Simulator, Drift & Racing.’
[Figure: App on Google Play that delivered Anatsa to its users. Source: ThreatFabric]