Malicious Doc Reader App on Google Play Infects 50K Users with Anatsa Banking Trojan

A deceptive Android application, masquerading as a document reader and file manager, has been identified on the Google Play Store, infecting over 50,000 users with the Anatsa banking trojan. This discovery underscores the persistent challenges in securing official app stores against sophisticated malware threats.

Discovery and Impact

Cybersecurity firm Zscaler ThreatLabz uncovered the malicious app named Document Reader – File Manager, developed by ISTOQMAH. Despite its seemingly legitimate functionality, the app covertly installs the Anatsa malware, compromising users’ financial data. This incident highlights the ongoing struggle to maintain the integrity of app stores against advanced malware campaigns.

Understanding Anatsa

Anatsa, also known as TeaBot, first emerged in 2020 as Android banking malware. It specializes in credential theft, keylogging, and executing fraudulent transactions against financial applications. Recent variants have expanded their target list to over 831 financial institutions worldwide, including institutions in countries such as Germany and South Korea, as well as cryptocurrency platforms.

Advanced Evasion Techniques

The Anatsa trojan employs sophisticated evasion tactics to avoid detection:

– Runtime DES Decryption: Strings are stored DES-encrypted and decrypted only at runtime, so the malicious code is not readable in the static APK.

– Device Model Checks: Inspects the device model and refuses to run on emulators, hindering sandbox and manual analysis.

– Malformed ZIP Archives: Conceals DEX payloads within corrupted ZIP files to bypass static analysis tools.

Infection Mechanism

The malicious app presents itself as a versatile tool for opening PDFs, scanning documents, and managing files, complete with an intuitive interface. Upon installation, it silently retrieves the Anatsa payload, disguised as an update, from a command-and-control server, effectively bypassing Google Play Store’s security measures. If the app’s checks fail, it displays a fake file manager interface to maintain its cover.

Exploitation of Accessibility Permissions

Once activated, Anatsa requests accessibility service permission and then uses it to grant itself further dangerous privileges without user interaction, including:

– SYSTEM_ALERT_WINDOW: Allows the app to overlay other applications, facilitating phishing attacks.

– READ_SMS: Enables access to SMS messages, potentially intercepting two-factor authentication codes.

– Full-Screen Intents: Permits the app to display content over other apps, enhancing its phishing capabilities.

By leveraging these permissions, Anatsa overlays phishing pages tailored to detected banking applications, tricking users into entering their credentials.

Indicators of Compromise (IOCs)

ThreatLabz has provided specific indicators to aid in the detection of this Anatsa variant:

– Package Name: com.quantumrealm.nexdev.quarkfilerealm_filedoctool

– Installer MD5: 98af36a2ef0b8f87076d1ff2f7dc9585

– Payload MD5: da5e24b1a97faeacf7fb97dbb3a585af

– Download URL: https://quantumfilebreak[.]com/txt.txt

– Command-and-Control Servers:

– http://185.215.113[.]108:85/api/

– http://193.24.123[.]18:85/api/

– http://162.252.173[.]37:85/api/
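As an added example (not code from ThreatLabz or the article), the following script turns the indicators above into checks a defender can run over an inventory of installed packages, a set of APK files, and outbound proxy logs. It assumes the `package:<name>` line format of `adb shell pm list packages` and a constructed, space-separated proxy log format; the sample inputs are constructed for illustration.

```python
import hashlib
import re

# Indicators published for this Anatsa variant, kept defanged ('[.]') so the
# script can be shared without containing live URLs; refang() restores them.
PACKAGE_NAME = "com.quantumrealm.nexdev.quarkfilerealm_filedoctool"
KNOWN_MD5S = {
    "98af36a2ef0b8f87076d1ff2f7dc9585",  # installer
    "da5e24b1a97faeacf7fb97dbb3a585af",  # payload
}
DEFANGED_URLS = [
    "https://quantumfilebreak[.]com/txt.txt",
    "http://185.215.113[.]108:85/api/",
    "http://193.24.123[.]18:85/api/",
    "http://162.252.173[.]37:85/api/",
]

def refang(indicator):
    """Turn '[.]' and 'hxxp' back into a matchable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def host_of(url):
    """Return the bare host of a URL (scheme, port and path removed)."""
    return re.sub(r"^\w+://", "", url).split("/", 1)[0].split(":", 1)[0]

# Match on host only: proxies often omit the port (85 in the published C2 URLs).
C2_HOSTS = {host_of(refang(u)) for u in DEFANGED_URLS}

def flag_packages(pm_output):
    """Return package names from 'pm list packages' output equal to the IOC package."""
    pkgs = [l.split(":", 1)[1].strip() for l in pm_output.splitlines() if l.startswith("package:")]
    return [p for p in pkgs if p == PACKAGE_NAME]

def flag_hashes(files):
    """Return names of files (name -> bytes) whose MD5 is a known installer/payload hash."""
    return [n for n, data in files.items() if hashlib.md5(data).hexdigest() in KNOWN_MD5S]

def flag_proxy_lines(log_lines):
    """Return log lines whose request URL points at a known download or C2 host."""
    hits = []
    for line in log_lines:
        if any(t.startswith(("http://", "https://")) and host_of(t) in C2_HOSTS for t in line.split()):
            hits.append(line)
    return hits

# Constructed sample inputs (not real telemetry) for a quick self-check.
SAMPLE_PM_OUTPUT = "package:com.android.chrome\npackage:" + PACKAGE_NAME + "\npackage:com.google.android.gms\n"
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://quantumfilebreak.com/txt.txt 200",
    "2024-01-01T10:00:03Z 10.0.0.5 POST http://185.215.113.108:85/api/ 200",
    "2024-01-01T10:00:05Z 10.0.0.7 GET https://example.org/index.html 200",
]
```

Run it over real `pm list packages` output per enrolled device and over your proxy export; the two flagged sample log lines show the download-then-beacon sequence described in the write-up.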

Broader Implications

This incident is part of a larger trend where malicious actors exploit productivity apps to distribute malware. ThreatLabz reported 77 similar malicious apps, totaling 19 million installs, recently removed from Google Play. Anatsa campaigns frequently utilize utility tools like document viewers to exploit user trust.

User Risks and Recommendations

Users are at risk of having their banking credentials stolen through fake login overlays or automated fraudulent transactions. This threat is particularly concerning in North America, where previous strains of Anatsa ranked high in the Free Tools sections of app stores.

To mitigate these risks, users should:

– Scrutinize App Permissions: Carefully review the permissions requested by apps before granting access.

– Avoid Unsolicited Updates: Be cautious of apps prompting for updates outside of official channels.

– Utilize Antivirus Scanners: Employ reputable security software to detect and prevent malware infections.

Security Measures and Industry Response

Google has enhanced its Play Protect features to detect and remove malicious apps more effectively. However, timely reports from cybersecurity researchers remain crucial in identifying and mitigating new threats.

Conclusion

The discovery of the Document Reader – File Manager app distributing the Anatsa banking trojan highlights the evolving tactics of cybercriminals and the importance of vigilance among users and developers. By staying informed and adopting proactive security measures, individuals can better protect themselves against such sophisticated threats.