You know, it seems like everyone wants to be like Capital One and find out what’s in your wallet, and with the recent threat on the Google Play Store, they may have found just that.
Trojans are clearly not a new problem, seeing as they’ve been around since it seemed like stuffing a wooden horse full of sweaty men ready to murder was a good idea, but as of late they have been on the rise, especially when it comes to applications for Android devices. Yes, Android community, again in danger you are.
In an effort to sort this banking madness out, we’re going to look at what kind of attack this is, who used it, its functions and effects upon release, and some ways you can protect your bank account from decreasing due to threat actor inflation.

The Attack
The Google Play Store is getting hit with banking trojans, but the latest one is racking up some numbers under its belt. Banking trojans, for those who may not be familiar, are malware that tries to steal your credentials to gain access to your financial institution.
This one has been around since 2021 and has gone by other names, such as TeaBot and Toddler, but its current name is Anatsa. What makes Anatsa interesting is that it was spotted hiding among utility apps like PDF (Portable Document Format) readers and QR (Quick Response) code scanners.
Hiding in these apps allows it to siphon credentials from their users. Anatsa is proving to be a large threat by targeting over 400 financial institutions across the world, making it the most prolific banking malware to date.

Who Can It Be Now
As with all good threat actors who use malicious software and evade detection, no one person or group has been identified as being behind the Anatsa malware.
But it has been noted that threat actors are hiding the malware among applications for people to download, in hopes of collecting their information.
This was pointed out by ThreatFabric, a firm that provides banks with expertise and security tools to mitigate fraud.
The Sinking Feeling
Anatsa can perform overlay attacks, in which what looks like a legitimate window (e.g., a fake Google webpage) is shown to trick the user into giving up sensitive information. It can also steal credentials and log activities. It does this by abusing permissions to Android’s accessibility services API (application programming interface).
In the latest activity, the dropper apps (trojan apps) have been seen, after being installed, making a request to a GitHub page that points to another GitHub URL (Uniform Resource Locator) housing the malicious payload. The payload aims to trick the victim by posing as application add-ons.
This is thought to be done through sketchy advertisements. Another thing the droppers make use of is the restricted “REQUEST_INSTALL_PACKAGES” permission. This permission is commonly exploited by most rogue apps hosted on the Google Play Store.
If you find you have any of the apps listed below, then you may have been infected.
- All Document Reader & Editor (com.mikjaki.documentspdfreader.xlsx.csv.ppt.docs)
- All Document Reader and Viewer (com.muchlensoka.pdfcreator)
- PDF Reader – Edit & View PDF (lsstudio.pdfreder.powerfultool.allinonepdf.goodpdftools)
- PDF Reader & Editor (com.proderstarler.pdfsignature)
- PDF Reader & Editor (moh.filemanagerrespdf)
These five apps have been updated since their first publication, most likely in a sneaky attempt to slip in the malicious functionality after passing the app review process during the first submission.
Dropper apps on the Google Play Store have racked up over 30,000 installations to date, which indicates that the official storefront is being used to distribute Anatsa. There is a list of countries that are of interest to Anatsa based on the number of financial applications that have been targeted.
This latest campaign shows that the threat landscape banks and financial institutions face in today’s digital world is shaping up to be a bit of a problem. Imagine what would happen if we switched to an all-digital currency.
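A device triage sketch for the checks described above, added here as an example and not taken from ThreatFabric or any vendor tool: it matches the five package names listed on this page and also flags any other app that owns an enabled accessibility service while requesting REQUEST_INSTALL_PACKAGES. It assumes you feed it text from `adb shell pm list packages`, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package`, with the dumpsys layout shown in the constructed sample; `com.example.qrscan` is a hypothetical package.

```python
import re

# Package names of the dropper apps listed on this page.
LISTED = {"com.mikjaki.documentspdfreader.xlsx.csv.ppt.docs",
          "lsstudio.pdfreder.powerfultool.allinonepdf.goodpdftools",
          "com.muchlensoka.pdfcreator", "com.proderstarler.pdfsignature", "moh.filemanagerrespdf"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

def installed_packages(pm_out):
    """Parse `pm list packages` lines of the form 'package:<name>'."""
    return {l.split(":", 1)[1].strip() for l in pm_out.splitlines()
            if l.startswith("package:")}

def accessibility_packages(setting):
    """Owners of enabled accessibility services ('pkg/svc:pkg/svc')."""
    return {c.split("/", 1)[0] for c in (setting or "").strip().split(":")
            if "/" in c}

def requested_permissions(dumpsys_out):
    """Map package -> names under its 'requested permissions:' header."""
    perms, pkg, in_block = {}, None, False
    for line in dumpsys_out.splitlines():
        head = re.match(r"\s*Package \[([^\]]+)\]", line)
        perm = re.match(r"\s+([\w.]+)(?::.*)?$", line)
        if head:
            pkg, in_block = head.group(1), False
        elif line.strip() == "requested permissions:":
            in_block = True
        elif in_block and pkg and perm:
            perms.setdefault(pkg, set()).add(perm.group(1))
        else:
            in_block = False  # any other line ends the permission block
    return perms

def triage(pm_out, setting, dumpsys_out):
    """Listed droppers, plus apps pairing accessibility with self-install."""
    installed, perms = installed_packages(pm_out), requested_permissions(dumpsys_out)
    pairing = {p for p in installed & accessibility_packages(setting)
               if INSTALL_PERM in perms.get(p, ())}
    return {"listed": sorted(installed & LISTED), "review": sorted(pairing - LISTED)}

# Constructed sample output, not captured from a real device.
SAMPLE_PM = "package:com.android.chrome\npackage:com.muchlensoka.pdfcreator\npackage:com.example.qrscan\n"
SAMPLE_A11Y = "com.example.qrscan/.HelperService:com.muchlensoka.pdfcreator/.Svc"
SAMPLE_DUMPSYS = """  Package [com.example.qrscan] (1a2b3c):
    requested permissions:
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
"""
```

A hit under "listed" means one of the apps named above is installed; a hit under "review" is only a lead, since legitimate apps can hold the same combination.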

The Prevention
The interesting problem is that since the transactions are being made from the same device, it’s proving to be very challenging for anti-fraud systems to detect them. Some ways that may help in securing your information are reading comments and reviews, and fishing through past user reviews before opting to download and install.
Be mindful that when downloading from third parties that require installing from an unknown source, you should exercise extreme caution and scan before choosing to complete the installation.
Running scans and digging through comments can be a bit of a hassle, but trying to quickly recover from having people leave with everything in your wallet could be more of a hassle.
