
Zscaler released details about two malicious apps: PDF Reader & File Manager and QR Reader & File Manager2. These apps had over 70,000 installations combined.

Anatsa malware, also known as TeaBot, is a sophisticated Android banking malware that targets applications from more than 650 financial institutions, primarily in Europe, the US, and the UK. It relies on dropper applications that appear benign, tricking users into installing them and thereby bringing the malicious payload onto the device. Once installed, Anatsa exfiltrates banking credentials and other financial information from the targeted financial applications.
The droppers are distributed via the Google Play store, disguised as innocuous applications such as PDF readers and QR code readers. After installation, the dropper downloads malicious code or a staged payload from a command-and-control (C2) server, presented to the user as an ordinary application update. Because the malicious code is not present in the app at submission time, this staged approach lets the dropper pass Google Play review and evade detection.
Anatsa uses various techniques to steal data from financial applications. It downloads a target list of financial application package names from the C2 server and scans the victim's device to check whether any of these targeted applications are installed. When it finds a match, it reports the installed target applications to the C2 server. In response, the C2 server provides a fake login page for the corresponding banking application, which the malware loads in a WebView that has a JavaScript interface enabled, so that script in the phishing page can call back into the malware's native code. The page is designed to deceive the user into entering their banking credentials; once the victim does so, the credentials are sent to the C2 server.
The malware also performs a series of checks on the device environment and device type, likely intended to detect analysis environments and malware sandboxes. If these checks pass, it proceeds to download the third-stage (final) payload from the remote server.
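The installed-app check described above is also the first thing an incident responder wants to run from the other side: given a target list recovered from a sample or its C2 traffic, which apps on a victim device were actually at risk? The following Python helper is an added example written for this page, not Zscaler's code or anything from the Anatsa samples. It parses `adb shell pm list packages` output (both the bare form and the `-f` form that prefixes the APK path) and intersects it with a target list. The `pm` output, the target list and every package name in it are constructed for the example; real Anatsa target lists are much longer.

```python
"""Triage helper: which installed Android apps appear on a banking-trojan
target list. Added example for this page; not the malware's or Zscaler's code."""
import re
from typing import Iterable

# Constructed sample of `adb shell pm list packages -f` style output.
# Lines come in two shapes, both handled below:
#   package:<name>
#   package:<apk path>=<name>
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~abc==/com.example.eurobank-1/base.apk=com.example.eurobank
package:com.android.chrome
package:/data/app/~~def==/com.example.ukpay-2/base.apk=com.example.ukpay
package:com.example.pdfreader
package:com.android.settings
"""

# Constructed stand-in for the package-name target list the malware fetches
# from its C2. Names are hypothetical.
SAMPLE_TARGET_LIST = [
    "com.example.eurobank",
    "com.example.ukpay",
    "com.example.usbank",
]

# The optional "<path>=" prefix is consumed greedily, so the path itself may
# contain "=" characters (as the "~~abc==" directory above does).
_PM_LINE = re.compile(r"^package:(?:.*=)?([A-Za-z0-9_.]+)\s*$")


def parse_pm_list(output: str) -> set[str]:
    """Return the set of package names in `pm list packages` output."""
    packages: set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        match = _PM_LINE.match(line)
        if match:
            packages.add(match.group(1))
    return packages


def find_targeted_apps(installed: Iterable[str], targets: Iterable[str]) -> list[str]:
    """Sorted list of installed packages that are also on the target list."""
    return sorted(set(installed) & set(targets))


def triage(pm_output: str, targets: Iterable[str]) -> dict:
    """Summarise exposure of one device: how many packages were seen and
    which of them the trojan would have reported to its C2."""
    installed = parse_pm_list(pm_output)
    hits = find_targeted_apps(installed, targets)
    return {
        "installed_count": len(installed),
        "targeted_installed": hits,
        "at_risk": bool(hits),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PM_OUTPUT, SAMPLE_TARGET_LIST)
    for pkg in report["targeted_installed"]:
        print(f"targeted app installed: {pkg}")
    print(f"{report['installed_count']} packages scanned, at risk: {report['at_risk']}")
```

In practice you would feed `parse_pm_list` the captured output of `adb shell pm list packages -f` from the device under investigation and `find_targeted_apps` the list extracted from the sample; any hit is an account whose credentials should be treated as potentially phished, regardless of whether an overlay was actually observed.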
Anatsa has also been observed as part of a malvertising campaign that leads prospective victims to download Anatsa dropper apps from Google Play. The malicious apps continue to belong to the office/productivity category, posing as PDF viewer and editor apps and office suites.

The Anatsa droppers typically impersonate practical tools such as PDF or QR code readers. These categories were chosen because such apps are popular and commonly used, which makes the malicious listings blend in on the Google Play store. By impersonating these kinds of apps, the droppers attracted a large number of installations and led victims to believe the applications were genuine.