Malware alert on Android smartphone concept

A recent Anatsa banking Trojan campaign is targeting European countries with fake apps on Google Play, and it abuses Android’s AccessibilityService to escape detection.

Spotted by fraud detection service ThreatFabric in November 2023, the latest Anatsa campaign has expanded its reach to more European countries, from the UK, Germany, and Spain to Slovakia, Slovenia, and Czechia.

The banking Android malware is designed to steal banking credentials, credit card details, PINs, and other sensitive data via keylogging and overlay attacks on Android phones by disguising them as fake utility apps.

These apps on Android include fake PDF readers and storage cleaners. By employing dropper apps, they aim to reach the “Top New Free” category on the Google Play Store to make the apps seem legit. According to the report, total downloads exceeded 150,000.

“Our analysis reveals that Anatsa’s activity can be classified as ‘targeted,’ with threat actors focusing on 3-5 regions at a time while promoting dropper applications on Google Play in these specific areas,” ThreatFabric reports. “These applications often reach the Top-3 in the ‘Top New Free’ category, enhancing their credibility and lowering the guard of potential victims while increasing the chances of successful infiltration.

Phone Cleaner Anatsa Android Malware app via ThreatFabric
Phone Cleaner Anatsa Android Malware app via ThreatFabric

Currently, Google has removed the Anatsa dropper apps from Google Play. However, apps including “Phone Cleaner – File Explorer” and “PDF Reader: File Manager” reached 10,000 and 100,000 downloads, respectively. The following apps were used in the banking Trojan campaign:

  • Phone Cleaner – File Explorer 
  • PDF Viewer – File Explorer 
  • PDF Reader – Viewer & Editor 
  • Phone Cleaner: File Explorer 
  • PDF Reader: File Manager 

These types of apps are commonly used to hide malware, as they are popular tools for Android users. However, despite “Google Play’s enhanced detection and protection mechanisms,” the Anatsa campaign avoided detection by exploiting Android’s AccessibilityService in Android 13.

By exploiting this feature, which assists users with disabilities in using Android devices and apps, malicious apps could automate the installation of payloads, allowing them to install without user interaction.

Threat actors have abused this method to get dropper apps on Google Play. However, despite new, strict regulations from Google Play requiring additional approval, Anatsa dropper apps slipped through the cracks.

For example, a dropper app with Anatsa malware was first identified in November 2023, claiming to use the AccessibilityService to “hibernate draining apps.”

As ThreatFabric reports, “Initially, the app appeared harmless, with no malicious code and its AccessibilityService not engaging in any harmful activities. However, a week after its release, an update introduced malicious code. This update altered the AccessibilityService functionality, enabling it to execute malicious actions such as automatically clicking buttons once it received a configuration from the C2 server.

How to avoid Anatsa banking malware

Cybercriminals mainly use utility apps on Android to distribute malware, including PDF readers, storage cleaners, performance enhancers, and messaging services. Many are on the Google Play Store, and new ones may even appear as the most popular to download.

They appear as legitimate apps, but there’s a risk they may hide malware or be updated with malicious code. It’s important to check the companies behind these apps and review ratings. If they don’t come from an established company and have many 1-star reviews stating it’s a scam, then it likely is.

Here are a few other tips to stay safe:

  • Only download apps from official app stores and reputable sources.
  •  Be cautious of apps requesting excessive permissions, especially AccessibilityService.
  •  Keep your device and apps updated with the latest security patches.
  •  Use strong and unique passwords for all your financial accounts.
  •  Enable two-factor authentication whenever possible.

For an extra layer of protection, using one of the best antivirus software, such as Norton 360, will help identify and remove any malicious malware that makes it onto your smartphone. You can also try using free tools such as NordVPN’s Link Checker and Norton Genie, an AI-driven scam detector.

Darragh Murphy
Darragh Murphy is fascinated by all things bizarre, which usually leads to assorted coverage varying from the mischievous world of online security to washing machines designed for earbuds. Whether it's connecting Scar from The Lion King to two-factor authentication or turning his love for laptops into a fabricated rap battle from 8 Mile, he believes there’s always a quirky spin to be made. When he's not checking out the latest devices and all things tech, he can be found swimming laps, watching terrible shark movies, and trying to find time to game.  Previous Editor at Laptop Mag and News Editor at Time Out Dubai, specialising in food culture, nightlife events, gaming, tech and entertainment.


Please enter your comment!
Please enter your name here