More than 90 malicious apps have infiltrated the Play Store. These Android apps hide several types of malware, starting with the dreaded Anatsa malware, which is designed to drain its victims' bank accounts…

Zscaler’s security researchers have discovered more than 90 malicious Android apps on Google’s Play Store in the past two months. According to the researchers, the apps were downloaded more than 5.5 million times through Android’s default app store. The report does not provide a list of the apps that contain malware.

The umpteenth comeback of the Anatsa malware
In the code of some of these fraudulent apps, experts have identified a well-known piece of malware: Anatsa, aka Teabot. This banking trojan is programmed to target more than 650 applications from financial institutions in Europe, the United States, the United Kingdom, and Asia.

Once installed on its victims’ smartphones, the malware “exfiltrates banking credentials and sensitive financial information from financial apps.” With this data, cybercriminals can break into their victims’ accounts and make transfers.

To achieve its goals, Anatsa relies on very classic tactics, such as overlays. This strategy involves displaying a fake, malicious window on top of a banking or financial app. The window copies the design of the application’s interface to the letter. Victims do not notice anything amiss and enter their credentials, namely their name and password.

Note that Zscaler has identified a plethora of other malware on Google’s store. The researchers mainly pinpointed Joker, another persistent Trojan; Facestealer, which steals Facebook credentials; and Coper, a particularly sophisticated Trojan.

How does Anatsa fool the Play Store?
In this case, Anatsa was hidden in two seemingly innocuous applications, namely PDF Reader & File Manager and QR Reader & File Manager. They have been downloaded more than 70,000 times on the Play Store, according to Zscaler’s investigation. The researchers point out that “the high number of installs also helps to deceive victims into believing that these apps are genuine.”

To evade Google’s safeguards, the cybercriminals avoid placing malicious code in the apps before they are approved. Instead, the apps wait until they are installed on their targets’ smartphones before launching their attacks. They start by retrieving instructions from a remote server. Then, they retrieve a malicious file from that server. This is the file that installs the malware’s APK on the phone. As the report explains, “this strategic approach allows the malware to be uploaded to the official Google Play Store and evade detection.”
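
Because the store copy of such an app contains no malicious code, one thing a defender can still inspect is what the app is allowed to do. The following is an added example, not code from Zscaler's report: it reads a manifest that has already been decoded to plain XML and reports which of the two behaviours described above (download and install a second APK, draw a window over another app) the requested permissions make possible. The permission-to-behaviour mapping is a generic triage heuristic chosen for this example, and both sample manifests and their package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviour described in the article -> permissions that enable it
# (assumed mapping for this example, not indicators from the report).
CAPABILITIES = {
    "download-and-install (dropper)": {
        "android.permission.INTERNET",
        "android.permission.REQUEST_INSTALL_PACKAGES",
    },
    "draw-over-other-apps (overlay)": {
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
}

def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {
        el.get(ANDROID_NS + "name")
        for tag in tags
        for el in root.iter(tag)
        if el.get(ANDROID_NS + "name")
    }

def triage(manifest_xml):
    """List the capabilities whose required permissions are all requested."""
    perms = requested_permissions(manifest_xml)
    return sorted(name for name, needed in CAPABILITIES.items() if needed <= perms)

# Constructed sample: a reader app that only touches local files.
SAMPLE_PLAIN_READER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainreader">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>"""

# Constructed sample: a reader app that can also fetch and install an APK
# and draw over other apps.
SAMPLE_SUSPECT_READER = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspectreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("plain", SAMPLE_PLAIN_READER), ("suspect", SAMPLE_SUSPECT_READER)):
        print(label, triage(xml))
```

A match only says the capability exists and is worth a closer look when it does not fit the app's stated purpose; legitimate apps request these permissions too.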