90+ Android Apps With Banking Malware Found On Play Store With 5.5M Installs

Security researchers at Zscaler ThreatLabz have identified and analyzed more than 90 Android malicious apps, which have been downloaded over 5.5 million times from the Google Play Store in the past few months.

These malicious apps deliver malware and adware, including the Anatsa banking Trojan, which has seen a recent surge in activity.

According to the cloud security firm, Anatsa (aka “Teabot”) is a known Android banking malware that was being distributed on the Google Play Store through two fake apps: a PDF reader app called ‘PDF Reader & File Manager’ and a QR code reader app called ‘QR Reader & File Manager.’ At the time of Zscaler’s analysis, these two apps had already accumulated 70,000 installations.

Anatsa banking malware uses a dropper technique, where the initial application appears clean to users upon installation.

It utilizes remote payloads retrieved from command-and-control (C2) servers to carry out further malicious activity.

Once installed, it uses a range of ambiguous tactics to exfiltrate sensitive banking credentials and financial information from global financial applications.

“It achieves this through the use of overlay and accessibility techniques, allowing it to intercept and collect data discreetly,” Zscaler’s Himanshu Sharma and Gajanana Khond wrote in the blog post.

To achieve this, Anatsa malware utilizes reflection to invoke code from a loaded Dalvik Executable (DEX) file, which contains code that is eventually executed by the Android Runtime.

After the next stage payload is downloaded, Anatsa carries out a series of checks for the device environment and device type to find analysis environments and malware sandboxes.

Upon successful verification, it proceeds to download the third stage and final payload from the remote server.

The Anatsa malware injects uncompressed raw manifest data into the APK and corrupts the compression parameters in the manifest file to hinder analysis.

After the APK is loaded, the malware requests various permissions, including the SMS and accessibility options, and conceals the final DEX payload within the asset files.

Further, the payload decrypts the DEX file during runtime using a static key embedded within the code.

Once the malware successfully infects the device, it begins communication with the C2 server and scans the victim’s device to check if any banking apps are installed.

If any target app is found, the malware communicates this information to the C2 server.

In response, the C2 server provides a fake login page for the banking app.

If the victim is deceived by the fake login page and enters their banking credentials, the information is sent back to the C2 server, which hackers can use to log in to their banking apps and steal their money.

The threat actors behind Anatsa exfiltrated data by targeting applications from over 650+ financial institutions, primarily in Europe. However, Zscaler reports that the malware is also “actively targeting” banking apps in the US and UK, with threat actors expanding their targets to include banking apps in Germany, Spain, Finland, South Korea, and Singapore.

“The recent campaigns conducted by threat actors deploying the Anatsa banking trojan highlight the risks faced by Android users, in multiple geographic regions, who downloaded these malicious applications from the Google Play store,” the researchers concluded.

While Zscaler did not disclose the identities of the 90+ apps infected with malware, the two Anatsa dropper apps Android apps have been removed from the Google Play Store.

Meanwhile, if you have downloaded any of the dropper apps, it is recommended to delete them from your Android device immediately.

Subscribe to our newsletter

To be updated with all the latest news

Kavita Iyer
Kavita Iyerhttps://www.techworm.net
An individual, optimist, homemaker, foodie, a die hard cricket fan and most importantly one who believes in Being Human!!!

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news

Read More

Suggested Post