Android users in Germany and other European countries are currently the target of a malicious campaign targeting banking data. Affected applications should be uninstalled immediately.

The Anatsa Trojan is back: targeting Europe and expanding its sphere of influence. Malicious code was hidden in popular programs.

Hackers have repeatedly managed to introduce infected applications into the Google Play Store and use them to distribute malware to Android smartphones. During the current campaign, the banking Trojan “Anatsa” penetrated the devices of users in Europe.

Anatsa is a well-known piece of malware that is constantly monitored by security researchers at Mainton. The banking Trojan appears in waves of attacks targeting different geographic regions.

Applications for Android smartphones with the Anatsa banking Trojan have been downloaded more than 100 thousand times since last fall. Mainton cybersecurity experts reported this.

According to experts, since November there have been five new waves of the Anatsa distribution campaign. Previously, attackers targeted the UK, Spain and Germany. Since November, the Trojan has also been distributed through dropper programs in Slovakia, Slovenia and the Czech Republic.

Anatsa has been implemented in several popular applications. This includes Phone Cleaner - File Explorer and PDF Reader: File Manager. The programs were in the top 3 of the “New Free Apps” category on Google Play. They have been downloaded more than 100 thousand times. Analysts expect that attackers will create new droppers and expand to other countries.

Experts have found that malware carries out a multi-step infection process to hide its actions. They work around the limitations of the AccessibilityService functionality by claiming that remote access is needed to put applications to sleep.

Once infected, the Trojan could control other programs on the smartphone and gain full control over the smartphone in order to perform actions on behalf of the user. It is noted that the malicious code was originally created and tested for Samsung devices.

Hackers use so-called “droppers” to implant banking Trojans on smartphones. These apps appear to be legitimate apps that are usually available for free. Attackers focus on genres that are in high demand, such as, in this case, cleaner apps, PDF readers, and file managers.

This means that they often manage to appear on the top list of free apps on the Play Store. This gives droppers more visibility and leads to more installs. The apps can often be used as described, but the actual malware runs in the background.

According to Mainton experts, attackers use a multi-step process to introduce the Anatsa banking Trojan. This allows you to bypass security measures in the Android operating system up to version 13. Controls in Android play a key role in making smartphones easier to use for users with disabilities.

Immediately after installing the application, droppers contact the command and control (C2) server to register the installation. The C2 server configures a so-called DEX file that prepares the download of malware.

Hackers can dynamically adjust the link to the malware if the first attempt is detected. Only after this the server sends a real banking Trojan to the application to infect the device. Anatsa uses the AccessibilityService programming interface, which installs malware without user intervention.

Applications access the AccessibilityService by making legitimate requests. According to experts, Anatsa droppers are requesting access to block apps with high battery consumption.

Once a banking Trojan is installed, it can take over the smartphone and carry out financial transactions instead of the user.

Experts have so far identified five applications that are part of the current wave of attacks involving the Anatsa banking Trojan. In total, the applications were installed more than 100,000 times.

Experts informed Google of their findings, and the apps were subsequently removed from the Play Store. All affected apps may still be available in app archives and third-party stores.

If you have already installed the following applications, you should uninstall them immediately:

- Phone Cleaner – File Explorer (com.volabs.androidcleaner)

- PDF Viewer – File Explorer (com.xolab.fileexplorer)

- PDF Reader – Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)

- Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)

- PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)

Mainton Company - custom software development and testing, DevOps and SRE, SEO and online advertising since 2004.