Anatsa Android Trojan bypasses Google Play security and expands reach to new countries

The Android banking trojan known as Anatsa has expanded its focus to Slovakia, Slovenia and the Czech Republic as part of a new campaign observed in November 2023.

“Some droppers in the campaign successfully abused the accessibility service, despite Google Play’s improved detection and protection mechanisms,” ThreatFabric said in a report shared with The Hacker News.

“All droppers in this campaign have demonstrated the ability to bypass the restricted settings for the Accessibility Service in Android 13.” The campaign involves five droppers with over 100,000 installs in total.

Anatsa, also known as TeaBot and Toddler, is known for being distributed under the guise of seemingly harmless apps on the Google Play Store. These apps, called droppers, facilitate installation of the malware by circumventing the security measures Google imposes on the granting of sensitive permissions.

In June 2023, the Dutch mobile security company disclosed an Anatsa campaign that had been targeting banking customers in the US, UK, Germany, Austria and Switzerland since at least March 2023, using dropper apps that had collectively been downloaded more than 30,000 times from the Play Store.


Anatsa is equipped with capabilities to take full control over infected devices and perform actions on behalf of the victim. It can also steal login credentials to initiate fraudulent transactions.

The latest iteration spotted in November 2023 is no different: one of the droppers masqueraded as a phone cleaning app called “Phone Cleaner – File Explorer” (package name “com.volabs.androidcleaner”) and used a technique called versioning, in which a benign initial release is later updated with the malicious functionality, to control its malicious behavior.

Although the app is no longer available for download from the official storefront for Android, it can still be downloaded from other sketchy third-party sources.

According to statistics from the app intelligence platform AppBrain, the app is estimated to have been downloaded approximately 12,000 times while it was available on the Google Play Store, between November 13 and 27, when it was unpublished.

“Initially, the app appeared harmless, with no malicious code, and the accessibility service did not engage in any malicious activity,” ThreatFabric researchers said.

“However, a week after release, an update introduced malicious code. This update changed the AccessibilityService functionality, allowing it to perform malicious actions such as automatically clicking buttons once it received a configuration from the [command-and-control] server.”

What makes the dropper notable is that the accessibility service abuse is tailored to Samsung devices, suggesting that it was originally designed to target handsets made by the company exclusively, although other droppers used in the campaign appear to be manufacturer independent.

The droppers are also able to bypass Android 13’s restricted settings by mimicking the process app marketplaces use to install new applications (a session-based install rather than a plain sideload), so that the installed payload does not have its access to the accessibility service functionality disabled, as previously observed in the case of dropper services such as SecuriDropper.
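The two dropper traits described above, a benign first release that gains an accessibility service through a later update (versioning) and the permission needed to install a second-stage package the way a store does, can both be caught by diffing the manifests of consecutive versions of the same app. The following script is an added example, not ThreatFabric's tooling or code from the campaign; it assumes the manifests have already been decoded from binary XML (for instance with apktool) and uses two constructed manifests that reuse only the package name reported on the page.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Real Android identifiers: the accessibility intent action, the permission an
# accessibility service must require, and the permission for in-app APK installs.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
REQUEST_INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample: first release, a cleaner with no accessibility service.
V1_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.volabs.androidcleaner" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Phone Cleaner - File Explorer">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: the update that turns the cleaner into a dropper.
V2_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.volabs.androidcleaner" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Phone Cleaner - File Explorer">
    <activity android:name=".MainActivity"/>
    <service android:name=".CleanerAccessibilityService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
        android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def _attr(element, name):
    """Read an android:-namespaced attribute."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def summarize_manifest(manifest_xml):
    """Extract the dropper-relevant facts from a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    permissions = {_attr(p, "name") for p in root.findall("uses-permission")}
    accessibility_services = []
    for service in (app.findall("service") if app is not None else []):
        actions = {_attr(a, "name") for a in service.iter("action")}
        if ACCESSIBILITY_ACTION in actions or _attr(service, "permission") == BIND_ACCESSIBILITY:
            accessibility_services.append(_attr(service, "name"))
    return {
        "package": root.get("package"),
        "version_code": int(_attr(root, "versionCode") or 0),
        "permissions": permissions,
        "accessibility_services": accessibility_services,
    }


def triage_update(old_xml, new_xml):
    """Compare two versions of one app and return human-readable findings."""
    old, new = summarize_manifest(old_xml), summarize_manifest(new_xml)
    if old["package"] != new["package"]:
        raise ValueError("manifests belong to different packages")
    findings = []
    if new["version_code"] <= old["version_code"]:
        findings.append("version code did not increase")
    if not old["accessibility_services"] and new["accessibility_services"]:
        findings.append("update adds accessibility service: "
                        + ", ".join(new["accessibility_services"]))
    if REQUEST_INSTALL in new["permissions"] - old["permissions"]:
        findings.append("update adds REQUEST_INSTALL_PACKAGES (can install a second-stage APK)")
    if new["accessibility_services"] and REQUEST_INSTALL in new["permissions"]:
        findings.append("accessibility service plus package install: matches dropper profile")
    return findings


if __name__ == "__main__":
    for finding in triage_update(V1_MANIFEST, V2_MANIFEST):
        print("-", finding)
```

Running it against the two constructed manifests reports the new accessibility service, the new install permission and the combined dropper profile; the same app compared with itself produces only the note that the version code did not change. A real triage pipeline would feed it the decoded manifests of each Play Store update of a watched package, because the first release, as the researchers note, looks harmless on its own.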


“These actors prefer concentrated attacks on specific regions over global spread, periodically shifting their focus,” ThreatFabric said. “This targeted approach allows them to concentrate on a limited number of financial organizations, which leads to a large number of fraud cases in a short time.”

The development comes as Fortinet FortiGuard Labs has uncovered another campaign that distributes the SpyNote remote access trojan by impersonating imToken, a legitimate Singapore-based cryptocurrency wallet service, in order to replace destination wallet addresses with actor-controlled ones and carry out illicit asset transfers.

“Like many current Android malware, this malware abuses the accessibility API,” security researcher Axelle Apvrille said. “This SpyNote example uses the Accessibility API to target famous crypto wallets.”
