A team of researchers has found five Android apps carrying Anatsa malware, which infiltrates computers and mobile devices to steal users’ sensitive financial data. The researchers say these apps have been downloaded over 150,000 times.
Researchers at fraud detection company ThreatFabric (via BleepingComputer) have noticed an increase in Anatsa activity since November. The company said that because Anatsa constantly launches new attack waves using fresh dropper apps, the total number of downloads is expected to rise.
According to the report, the Anatsa banking trojan is currently prevalent in Europe and infects Android devices through malware droppers (apps) hosted on Google Play. Researchers have spotted five campaigns tailored to deliver the malware to users in the UK, Germany, Spain, Slovakia, Slovenia, and the Czech Republic.
How this malware attacks users
The report notes that each attack wave focuses on specific geographic regions and employs apps crafted to reach the “Top New Free” categories on Google Play. This method lends them credibility and increases their success rate.
According to ThreatFabric, the apps now use a multi-stage infection process and have evolved to abuse Android’s Accessibility Service to bypass security measures in Android 13 and older. The operators use both PDF apps and fake cleaner apps that promise to free up space on the device by deleting unnecessary files.
Google has reportedly removed all Anatsa-infected apps from the official Android store. The five malicious apps are:
Phone Cleaner – File Explorer (com.volabs.androidcleaner)
PDF Viewer – File Explorer (com.xolab.fileexplorer)
PDF Reader – Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)
Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)
The company also said the real figure could be closer to 200,000, because the tally used the lower download estimates.
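For readers who want to check a device against the article's list, here is an added example of a defender-side check (not code from the article, ThreatFabric or BleepingComputer). It assumes a USB-attached Android device reachable through `adb`, compares the installed package list against the five package names above, and, since the article notes that Anatsa abuses the Accessibility Service, also lists which apps currently hold accessibility access so that an unexpected entry stands out. The matching logic reads the `package:` lines that `adb shell pm list packages` prints, so it can also be run on a saved package list.

```shell
#!/bin/sh
# Added defender check (constructed example, not from the article): match installed
# packages against the five dropper package names the article lists, and show which
# apps currently have Accessibility Service access.

# Package names taken from the article's list.
KNOWN_DROPPERS="com.volabs.androidcleaner
com.xolab.fileexplorer
com.jumbodub.fileexplorerpdfviewer
com.appiclouds.phonecleaner
com.tragisoap.fileandpdfmanager"

# match_known_droppers: reads "package:<name>" lines (the output format of
# `adb shell pm list packages`) on stdin and prints the names that are on the list.
match_known_droppers() {
    sed -n 's/^package://p' | while IFS= read -r pkg; do
        for known in $KNOWN_DROPPERS; do
            if [ "$pkg" = "$known" ]; then
                printf '%s\n' "$pkg"
            fi
        done
    done
}

# count_known_droppers: same input as above, prints the number of matches.
count_known_droppers() {
    match_known_droppers | wc -l | tr -d ' '
}

# check_device: run both checks against an attached device via adb (assumed present).
check_device() {
    echo "== Known Anatsa dropper packages present on the device =="
    adb shell pm list packages | match_known_droppers
    echo "== Apps currently granted Accessibility Service access =="
    # enabled_accessibility_services holds "package/service" entries separated by ':'.
    adb shell settings get secure enabled_accessibility_services | tr ':' '\n'
}

# Only talk to a device when invoked as: sh check_anatsa.sh device
if [ "${1:-}" = "device" ]; then
    check_device
fi
```

Run it as `sh check_anatsa.sh device` with the device attached; to check a saved package list instead, pipe the file into `match_known_droppers` after sourcing the script. A hit on the package list is the strong signal; an unfamiliar entry in the accessibility list is only a prompt to look closer, because legitimate screen readers and automation apps appear there too.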