
Anatsa Android Banking Trojan Now Targeting 830 Financial Apps

The Anatsa Android banking trojan has expanded its target list to new countries and more cryptocurrency applications. The post Anatsa Android Banking Trojan Now Targeting 830 Financial Apps appeared first on SecurityWeek.


The Anatsa Android banking trojan has expanded its target list and now has over 830 financial applications in its crosshairs, cybersecurity firm Zscaler warns.

Active since 2020, Anatsa allows its operators to take over infected devices and perform fraudulent transactions and various other actions on behalf of their victims.

Last year, the trojan was seen targeting over 600 financial applications, after expanding to several European countries.

Now, it is also going after mobile users in Germany and South Korea, and is targeting over 150 new banking and cryptocurrency applications, Zscaler reports.

The malware was seen being distributed through decoy applications available through the official Google Play store, some of which have amassed over 50,000 downloads.

After installation, the decoy applications connect to the trojan’s command-and-control (C&C) server to silently fetch a malicious payload posing as an update.

The applications include several anti-analysis and anti-detection techniques, decrypting strings at runtime using a dynamically generated Data Encryption Standard (DES) key, performing emulation and device model checks, and periodically changing the package name and installation hash.

Once up and running on a device, Anatsa requests accessibility permissions, and automatically enables all permissions in its manifest file, which allows it to display overlays on top of applications, tamper with notifications, and receive and read SMS messages.
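The permission set described above (accessibility service, overlays, notification access, SMS, plus the ability to install a fetched "update") is what an overlay banking trojan needs, and it is also what a defender can check for before an app is installed. The triage script below is an added example, not code from Zscaler or SecurityWeek: it parses a decoded AndroidManifest.xml (as produced by apktool or aapt; the two sample manifests embedded here are constructed), maps the real Android permission names to the capabilities the article lists, and flags an app whose requested capabilities go beyond its declared purpose. The capability labels and the verdict thresholds are the example's own assumptions.

```python
"""Triage a decoded AndroidManifest.xml for the permission combination an
overlay banking trojan needs (added example, not the original page's code).
Assumes the manifest has already been decoded to plain XML."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Capabilities named in the article, mapped to the real Android permissions
# that grant them via <uses-permission>.
CAPABILITIES = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "install_payload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
# These are granted through the android:permission attribute of a <service>,
# not through <uses-permission>.
SERVICE_CAPABILITIES = {
    "accessibility": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "notifications": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}

# Constructed sample: a "document viewer" that asks for far more than viewing.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="PDF Viewer">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a benign-looking viewer that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Reader"/>
</manifest>"""


def parse_manifest(xml_text: str) -> dict:
    """Return package name, <uses-permission> names and service permissions."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    service_perms = {
        s.get(PERMISSION_ATTR) for s in root.iter("service") if s.get(PERMISSION_ATTR)
    }
    return {
        "package": root.get("package"),
        "permissions": perms,
        "service_permissions": service_perms,
    }


def capabilities(manifest: dict) -> set:
    """Map the manifest's declarations onto the capability labels above."""
    found = set()
    for cap, needed in CAPABILITIES.items():
        if manifest["permissions"] & needed:
            found.add(cap)
    for cap, perm in SERVICE_CAPABILITIES.items():
        if perm in manifest["service_permissions"]:
            found.add(cap)
    return found


def triage(xml_text: str, expected_capabilities: set) -> dict:
    """Compare requested capabilities against what the app's purpose justifies.

    Verdict (assumed thresholds): "high" when an unexpected accessibility
    service is combined with any other unexpected capability, "review" for
    any other unexpected capability, "ok" otherwise.
    """
    manifest = parse_manifest(xml_text)
    caps = capabilities(manifest)
    unexpected = caps - expected_capabilities
    if "accessibility" in unexpected and len(unexpected) >= 2:
        verdict = "high"
    elif unexpected:
        verdict = "review"
    else:
        verdict = "ok"
    return {"package": manifest["package"], "unexpected": unexpected, "verdict": verdict}


if __name__ == "__main__":
    # A document viewer has no legitimate need for any of these capabilities.
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(sample, expected_capabilities=set())
        print(result["package"], result["verdict"], sorted(result["unexpected"]))
```

The script reads only the decoded manifest, so it catches what the app declares up front; a payload fetched later as an "update", as the article describes, has its own manifest and should be put through the same check when it is dropped on disk.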

The malware can receive commands from its C&C server, and displays fake banking login pages to steal credentials. The pages for some of the targeted applications are currently incomplete, Zscaler says.

The security firm says it identified and reported to Google 77 nefarious applications that distributed Anatsa and other malware families and which had over 19 million collective downloads. Most of these applications distributed adware (66.4%), and the Joker malware (24.7%).

“Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection. […] Android users should always verify the permissions that applications request, and ensure that they align with the intended functionality of the application,” Zscaler notes.

All the malicious applications found and reported by Zscaler have been removed from Google Play, a Google spokesperson told SecurityWeek.

“Protection against these malware versions was already in place through Google Play Protect prior to this report. Based on our current detection, no apps containing these versions of this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services,” the spokesperson said.

*Updated with statement from Google.

Related: Godfather Android Trojan Creates Sandbox on Infected Devices

Related: ‘Crocodilus’ Android Banking Trojan Allows Device Takeover, Data Theft

Related: Coyote Banking Trojan First to Abuse Microsoft UIA

Related: Google Says Android pKVM Earns Highest Level of Security Assurance
