New Wave of 'Anatsa' Banking Trojans Targets Android Users in Europe

The campaign has been ongoing for at least four months and is the latest salvo from the operators of the malware, which first surfaced in 2020 and has previously notched victims in the US, Italy, United Kingdom, France, Germany, and other countries.
Prolific Rate of Infections
Researchers from ThreatFabric have been monitoring Anatsa since its initial discovery and spotted the new wave of attacks beginning in November 2023.
In a report this week, the fraud detection vendor described the attacks as unfolding in multiple distinct waves targeting customers of banks in Slovakia, Slovenia, and the Czech Republic.
Android users in the targeted regions have downloaded droppers for the malware from Google's Play store at least 100,000 times since November.
In a previous campaign during the first half of 2023 that ThreatFabric tracked, the threat actors accumulated over 130,000 installations of its weaponized droppers for Anatsa from Google's mobile app store.
ThreatFabric attributed the relatively high infection rates to the multi-stage approach the droppers on Google Play use to deliver Anatsa to Android devices.
When the droppers initially get uploaded to Play, there's nothing about them to suggest malicious behavior.
It's only after they land on Play that the droppers dynamically retrieve code for executing malicious actions from a remote command and control server.
One of the droppers, disguised as a cleaner app, claimed to require permissions to Android's Accessibility Service feature for what appeared to be a legitimate reason.
Android's Accessibility Service is a special type of feature designed to make it easier for users with disabilities and special needs to interact with Android apps.
Threat actors have frequently exploited the feature to automate payload installation on Android devices and eliminate the need for any user interaction during the process.
The files that the dropper dynamically retrieved from the C2 server included: configuration for a malicious DEX file (the format Android uses to package application code); the DEX file itself, containing the code for payload installation; a configuration holding the payload URL; and finally the code for downloading and installing Anatsa on the device.
The multi-stage, dynamically loaded approach allowed each of the droppers used in the latest campaign to circumvent the tougher AccessibilityService restrictions Google implemented in Android 13, ThreatFabric said.
For the latest campaign, the operator of Anatsa chose to use a total of five droppers disguised as free device-cleaner apps, PDF viewers, and PDF reader apps on Google Play.
Once installed on a device, Anatsa can steal credentials and other information that allow the threat actor to take over the device, later log into the user's bank account, and steal funds from it.
Like Apple, Google has implemented numerous security mechanisms in recent years to make it harder for threat actors to sneak malicious apps into Android devices via its official mobile app store.
One of the most significant among them is Google Play Protect, a built-in Android feature that scans app installations in real-time for signs of potentially malicious or harmful behavior, then alerts or disables the app if it finds anything suspicious.
Android's restricted settings feature has also made it much harder for threat actors to infect Android devices via sideloaded apps, that is, apps obtained outside the official application store.
Threat actors have nevertheless continued to sneak malware onto Android devices via Play by abusing features like Android's AccessibilityService, by using multi-stage infection processes, and by using package installers that mimic the Play store's own installer to sideload malicious apps, ThreatFabric said.
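The two capabilities ThreatFabric singles out above, an AccessibilityService declaration and the ability to install packages, are both visible in an app's manifest before any code runs, which makes them a cheap first triage signal for anyone vetting apps. The following script is an added example written for this article; it is not code from ThreatFabric or Dark Reading. It parses a decoded AndroidManifest.xml (the text form produced by an APK decoder such as apktool) and reports whether the app declares an accessibility service or requests android.permission.REQUEST_INSTALL_PACKAGES. The sample manifests and the package name com.example.cleaner are constructed for the example and do not describe any real app.

```python
"""Static triage of a decoded AndroidManifest.xml for two capabilities that
Android banking-trojan droppers abuse: an AccessibilityService declaration
and the REQUEST_INSTALL_PACKAGES permission.

Added example, not from the original article. The manifests below are
constructed for illustration; point triage_manifest() at a real decoded
manifest to use it on an actual APK.
"""
import xml.etree.ElementTree as ET

# Real Android identifiers; the namespace is how the android: prefix resolves.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed manifest shaped like a "cleaner" app that binds an accessibility
# service and can prompt to install further packages.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Phone Cleaner">
        <service android:name=".CleanerAccessibilityService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>"""

# Constructed manifest for a plain PDF viewer with no such capabilities.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="PDF Viewer">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, declared accessibility services, and whether
    the app requests the package-install permission."""
    root = ET.fromstring(manifest_xml)
    findings = {
        "package": root.get("package"),
        "uses_permissions": [],
        "accessibility_services": [],
        "requests_install_packages": False,
    }
    for up in root.iter("uses-permission"):
        name = _attr(up, "name")
        findings["uses_permissions"].append(name)
        if name == INSTALL_PERM:
            findings["requests_install_packages"] = True
    for svc in root.iter("service"):
        # A real accessibility service must be protected by the bind permission
        # and register the AccessibilityService intent action; flag either.
        binds_perm = _attr(svc, "permission") == ACCESSIBILITY_PERM
        has_action = any(_attr(a, "name") == ACCESSIBILITY_ACTION
                         for a in svc.iter("action"))
        if binds_perm or has_action:
            findings["accessibility_services"].append(_attr(svc, "name"))
    return findings


def risk_flags(findings: dict) -> list:
    """Human-readable flags for the capabilities worth a closer look."""
    flags = []
    if findings["accessibility_services"]:
        flags.append("declares AccessibilityService")
    if findings["requests_install_packages"]:
        flags.append("can prompt to install packages (sideload)")
    return flags


if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(xml)
        print(f"{label}: {f['package']} -> {risk_flags(f) or ['no flags']}")
```

Neither flag proves an app is malicious; genuine accessibility tools and app stores legitimately declare them. The value of the check is that a "cleaner" or "PDF reader" that declares an accessibility service is out of character for its stated purpose, which is exactly the pretext the droppers above relied on, and it is a reason to look at what the app loads at runtime.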


This Cyber News was published on www.darkreading.com. Publication date: Tue, 20 Feb 2024 22:55:10 +0000

