Anatsa Android malware downloaded 150,000 times via Google Play

[Amphenomenon]

Anatsa is a banking Trojan malware which has the ability to steal banking credentials, log keystrokes and steal sensitive data from victims devices. It acts like a Remote Access Trojan (RAT) and gives the attacker the leverage to remotely control the malware in that device to carry out other attacks.

The Anatsa malware has been targeting Android users mainly across Europe, through malware droppers (this is a small program that assist in installing malware on device) hosted on Google play store.

Researchers at fraud detection company ThreatFabric noticed an increase of Anatsa activity since November, with at least 150,000 infections.

Each attack wave focuses on specific geographic regions and employs dropper apps crafted to reach the “Top New Free” categories on Google Play, lending them credibility and increasing the success rate.

The five malicious apps are:
Phone Cleaner - File Explorer (com.volabs.androidcleaner)
PDF Viewer - File Explorer (com.xolab.fileexplorer)
PDF Reader - Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)
Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)

These apps were created in such a way that Google play store wasn't able to identify, if it was actually malicious but after this issue was reported, the app's have been deleted from play store but still yet thousands of users have installed it earlier.

Some things to note about this

• Not all apps from trusted sources are good, because this is actually not the first time such Malicious apps have been found on Google and since hackers are creative and innovative they will always find ways to exploit any services with different schemes and so we have to be cautious.
• Check reviews and ratings before installing any application
• Be highly cautious of the kind of permission control you give to any application once they are installed or updated

https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downloaded-150-000-times-via-google-play

https://www.checkpoint.com/cyber-hub/cyber-security/what-is-trojan/what-is-a-banking-trojan/

[SamReomo]

These apps were created in such a way that Google play store wasn't able to identify, if it was actually malicious but after this issue was reported, the app's have been deleted from play store but still yet thousands of users have installed it earlier.

Google Play Store malware detecting algorithms are outdated and hackers know about that. That's why they have been able to add the malicious code easily without much problems. I think Google should improve their algorithms so in future all such applications with malware should be detected during the submission time. That way users can be safe from all such malware, in fact it's better to download only applications of the reputed vendors.

[tyz]

That's one of the reasons why I don't use Android. This is not the first time that malware or spyware packaged in a harmless app has been included in the Appstore. This has never happened with Apple. Even though many crypto apps encrypt the stored keys, I would never take the risk of running a wallet or other crypto apps on Android.

[BitMaxz]

I'm using Android but I haven't experienced some malware and spyware yet with my phone I always keep updating the security update on Samsung to make sure I have the most up-to-date data from the server and have Kaspersky antivirus.

If you are randomly downloading some apps on your phone you can be also one to fall to this trojan malware.
So people should be careful in installing any apps if they use their phone with some banking apps or crypto wallets only use them for that purpose if you are going to install other apps not related to financial(Bank or crypto) use other phones to avoid such malware.

[Zlantann]

Some things to note about this

• Not all apps from trusted sources are good, because this is actually not the first time such Malicious apps have been found on Google and since hackers are creative and innovative they will always find ways to exploit any services with different schemes and so we have to be cautious.

It is good that Google identified these malicious apps and brought them down. Let me add that it is better to download apps from the original website of the developer it might help reduce the chances of downloading these malicious apps.  

That's one of the reasons why I don't use Android. This is not the first time that malware or spyware packaged in a harmless app has been included in the App Store. This has never happened with Apple. Even though many crypto apps encrypt the stored keys, I would never take the risk of running a wallet or other crypto apps on Android.

Android is more prone to malware and using Apple might offer better security. However, there is no guarantee that Apple is fully fortified against attacks. There are cases where Apple users have been victims of such attacks. We need to be always security-conscious.

[Cantsay]

The five malicious apps are:
Phone Cleaner - File Explorer ()
PDF Viewer - File Explorer ()
PDF Reader - Viewer & Editor ()
Phone Cleaner: File Explorer ()
PDF Reader: File Manager ()

If you’ve ever used your phone to accessed a site that allows ads then you’ll know that all these apps you mentioned are the den of malware’s - there are times when you’ll be scrolling through the internet and you’ll suddenly receive a notification that your phone needs cleaning and you should download a phone cleaner or any similar apps.

This was part of the reasons I had to switch to iOS - not many apps can be installed without your permission and I believe you need to download from appstore before you can install it and during download process you’ll be ask for passcode which provides an additional security for the device. By the way thanks for the update @op.

[albon]

This teaches us that not all applications on Google Play are trustworthy and may be listed in their store and go beyond their algorithms and systems for detecting apps containing malicious codes and permissions. It may be that the thousands who downloaded these applications, most related to cleaners and PDFs, did not notice that these apps had been removed from Google Play after detecting issues. They may not notice that these apps that contain Anatsa Trojan threaten their phones' security.

Thank you, OP, for the pieces of advice you mentioned, and I would add that it is vastly preferable instead of relying on application reviews and ratings that could be false. It is recommended not to use the main phone used for cryptocurrency matters to download any unnecessary apps except for default phone apps. You can use a secondary phone with a trusted and well-known antivirus installed, such as Avira Antivirus.

[tabas]

Phone Cleaner - File Explorer (com.volabs.androidcleaner)
Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)

Do people really download these? AFAIK, most android phones have their built in cleaners and there's no need to download one. There's also the defragmentation which is enough to adjust and prolly clean some from the storage. I do understand if people are downloading pdf readers and viewers but the manufacturers should start to have them built in or most of them probably have because I can read PDF files without having the need to download these apps. It's what people need to do, explore their own smartphones without having the need to download anything since the feature they need was already built in on their phones.

• Check reviews and ratings before installing any application

Just to note that not all of these reviews and ratings are genuine. Always read them clearly because many of them could have been given a positive rating intentionally and is/are part of their group.

[Cryptoprincess101]

The five malicious apps are:
Phone Cleaner - File Explorer ()
PDF Viewer - File Explorer ()
PDF Reader - Viewer & Editor ()
Phone Cleaner: File Explorer ()
PDF Reader: File Manager ()

If you’ve ever used your phone to accessed a site that allows ads then you’ll know that all these apps you mentioned are the den of malware’s - there are times when you’ll be scrolling through the internet and you’ll suddenly receive a notification that your phone needs cleaning and you should download a phone cleaner or any similar apps.

Yeah, majority of those apps are malicious like sometimes after installing them it either begins to scan your phone automatically or it would notify you that you have some dangerous apps that needs cleaning and if you make an attempt to allow that cleaning, that's how you will just lose some of your vital apps or files stored in your phone.
Google really needs a serious upgrade on play store because the way hackers are going too extreme just to confuse or bypass some security checks is really alarming.

[Yamane_Keto]

Phone Cleaner, PDF Reader is a front for one of these viruses. It seems that the focus of these hackers is on people with average knowledge, as we are not careful when we download these applications when they have more than 50k downloads. The skill of these hackers is increasing rapidly, and I expect that applications that provide simple services such as photo filters, or Snapchat add-ons, and applications that are downloaded heavily will be next on the list.

[ImThour]

Out of those 150k times, most of them probably 70-80k are downloaded via their own google accounts using Bot scripts. They are also used to provide fake ratings to the app, also making it appear in some search suggestions due to the bot views/likes. Sad for those who already fell for such a scam. I mean it might be possible to catch these scammers, a company like Google can.

[sokani]

Check reviews and ratings before installing any application

Checking ratings and reviews are good but they're not always accurate. Some persons may be paid to hype all sorts of praises about these applications and unsuspecting users will blindly follow the reviews and install these apps on their devices.

Google Playstore has become a dumping ground for scammers, it has a poor vetting process and its approach has always been medicine after death. Android users can mitigate the risk of downloading malicious apps by using F-droid, a free android marketplace for open source applications.

[Crypt0Gore]

Phone memory cleaner and PDF viewers came preinstalled in my phone, I have seen many smartphone brands that have this apps installed on them by the OEM official ROM.

I don't blame those who fall victim, they must have thought that it's safe because it's not money app, some people are only careful with bank apps and crypto wallets but this topic will make them think again.

It doesn't have to be a money related app for hackers to get your data and files, even picture apps for fine tuning shots can be targets too, just like how many keyboard apps on playstore can't be trusted today.

Do not trust any store, either on android or iPhone, people this days will even uninstall google playstore from their phone because of this safety issue, new privacy custom ROMs like GrapheneOS and LineageOS removed google apps and services by default, be cautious handling your android phones.

[Amphenomenon]

These apps were created in such a way that Google play store wasn't able to identify, if it was actually malicious but after this issue was reported, the app's have been deleted from play store but still yet thousands of users have installed it earlier.

Google Play Store malware detecting algorithms are outdated and hackers know about that. That's why they have been able to add the malicious code easily without much problems. I think Google should improve their algorithms so in future all such applications with malware should be detected during the submission time. That way users can be safe from all such malware, in fact it's better to download only applications of the reputed vendors.

Majority of Android users don't know this, their belief is If it is in play store or if it recommended by Google it is safe but we know this is definitely far from it.

I'm using Android but I haven't experienced some malware and spyware yet with my phone I always keep updating the security update on Samsung to make sure I have the most up-to-date data from the server and have Kaspersky antivirus.

If you are randomly downloading some apps on your phone you can be also one to fall to this trojan malware.
So people should be careful in installing any apps if they use their phone with some banking apps or crypto wallets only use them for that purpose if you are going to install other apps not related to financial(Bank or crypto) use other phones to avoid such malware.

If you read this : https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downloaded-150-000-times-via-google-play
You will see Samsung is not an exception but I believe what have been keeping free from all these are the security measures you practice because when it comes to privacy and security we ought to responsibly cautious and not put our trust solely on any services.

Some things to note about this

• Not all apps from trusted sources are good, because this is actually not the first time such Malicious apps have been found on Google and since hackers are creative and innovative they will always find ways to exploit any services with different schemes and so we have to be cautious.

It is good that Google identified these malicious apps and brought them down. Let me add that it is better to download apps from the original website of the developer it might help reduce the chances of downloading these malicious apps.  

This was discovered by ThreatFabric researchers and this is not the first time an Anatsa banking Trojan has been found on playstore. Don't forget that Original website may redirect individuals to playstore but the main thing here is downloading a credible app for any services since there are many apps offering same services and some are malicious. In the end is just you rightly separating the sheeps from the Wolves .

Phone Cleaner - File Explorer (com.volabs.androidcleaner)
Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)

Do people really download these? AFAIK, most android phones have their built in cleaners and there's no need to download one. There's also the defragmentation which is enough to adjust and prolly clean some from the storage. I do understand if people are downloading pdf readers and viewers but the manufacturers should start to have them built in or most of them probably have because I can read PDF files without having the need to download these apps. It's what people need to do, explore their own smartphones without having the need to download anything since the feature they need was already built in on their phones.

These two apps might be installed by those who usually have that feeling that something is eating up their storage and they may be thinking this app may be helpful to them, while though most of newer Android phones comes with this apps default but not everyone may like the UI or UX of such apps in the device and so will try to download app offering such service.

Out of those 150k times, most of them probably 70-80k are downloaded via their own google accounts using Bot scripts. They are also used to provide fake ratings to the app, also making it appear in some search suggestions due to the bot views/likes. Sad for those who already fell for such a scam. I mean it might be possible to catch these scammers, a company like Google can.

Bot scripts are now so common for every hackers and scammers to use than paying others for download and ratings. Yes it maybe possible for Google though but I doubt they see it as an issue since this is not the first time such malware is found in playstore.
Here are references Of previous Anatsa banking Trojan including the previous one with Google https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa

[pinggoki]

When it comes to Google Play, you really do need to be careful when you download an app, they don't have the most restrictive kind of regulation in apps unlike with Apple Store. It's really sad that there's a victim of this, it kind of pains me to see that you're not safe even when you think that you're in a trusted place, Google Play really need to start doing some kind of overhaul and refurbishing with their platform because trust is a really big deal for many, if you're on your toes all the time when you're downloading something there then the experience of using it isn't worth it.

[Lucius]

I am very careful with the apps I install from GP and I always check them before I install them, and they are always apps that have been there for a long time and have several hundred thousand or even more than a million downloads. Although it is not a method that can protect you 100%, it is still better to have some method than to download everything randomly.

For those who don't want or don't have time to do thorough checks, it might not be a bad option to install a good antivirus program that could warn them and protect them from infection if they try to download such a malicious app.

[Churchillvv]

The sentiment on Android phones here is really not the case, I have both android and iOS phones but this viruses haven't been detected from iOS yet but it doesn't mean they don't have their own flaws.

As Lucius said you can just downloading good anti virus can help to who don't care about this viruses when downloading.

Op I appreciate your thoughts of bring us the updates. I wouldn't have been aware if not for this information.

[SamReomo]

Majority of Android users don't know this, their belief is If it is in play store or if it recommended by Google it is safe but we know this is definitely far from it.

That's the main reason why those so called malware developers are targeting them. Most of those Android users blindly trust of Google Play Store's protection and in their minds they think that which ever application is available on Play Store is a trusted one and we can use it without any worries about viruses and malware, but they aren't aware about the reality.

As long as an application is closed source, no one should trust it even if it comes from a trusted vendor. Closed source application can contain malicious code without any doubt and those who don't know that suffer from the malware when they install it in their smart phones or personal computers. I think those people need some kind of awareness so that they could be safe from such malware in future.

[moneystery]

even places that should be considered very secure for users to install applications have now become places for malware to get their victims. i don't know how these hackers can trick the google play security system into being able to put their applications there and how it is possible that google, as the party most responsible for the google play security system, cannot detect this.

this should be a concern for all of us, because perhaps not only this application, there may be more applications on google play that are actually malware and may have been installed on our devices without us realizing it.

[PX-Z]

e five malicious apps are:
Phone Cleaner - File Explorer ()
PDF Viewer - File Explorer ()
PDF Reader - Viewer & Editor ()
Phone Cleaner: File Explorer ()
PDF Reader: File Manager ()

For gods sake, i'm not fan of this kind of apps in my device, or even have similar of this, most are from big and reputed services only nothing else..

I think Google should improve their algorithms so in future all such applications with malware should be detected during the submission time. That way users can be safe from all such malware, in fact it's better to download only applications of the reputed vendors.

Not just algorithms for automatic approving, malware detection should be given as better, manually checking the codes should be strict, since it's required when you as a developer trying to list your app in PS for first version upload and in every update. Although they are more strict now than before but still got bypassed by malicious actors/users.

[SamReomo]

Not just algorithms for automatic approving, malware detection should be given as better, manually checking the codes should be strict, since it's required when you as a developer trying to list your app in PS for first version upload and in every update. Although they are more strict now than before but still got bypassed by malicious actors/users.

It's first time I'm hearing that, is it strange that all programmers need to share their code to Google in order to get their application listed on their store? Are you sure about what you said? I mean highly reputed vendors may hesitate to share their code to Google or anyone else because sharing of that code may allow others to easily make similar applications with less effort.

Since you said that then I guess in that case malware developers might share fake code first which's free from malware and when they compile the application then they may include the malware in it. Google might think that the applications source code was free from malware and the actual compiled APK might also be free from all such malware.

[PX-Z]

It's first time I'm hearing that, is it strange that all programmers need to share their code to Google in order to get their application listed on their store? Are you sure about what you said? I mean highly reputed vendors may hesitate to share their code to Google or anyone else because sharing of that code may allow others to easily make similar applications with less effort.

Since you said that then I guess in that case malware developers might share fake code first which's free from malware and when they compile the application then they may include the malware in it. Google might think that the applications source code was free from malware and the actual compiled APK might also be free from all such malware.

It's not actually the whole source code, it's the app bundle where everything is there for them to see, also apk file can be decompiled using certain tools to see the source code of the app. Although we are not certain the internal process of how they scan and accept the developer's app, probably someone tests it. Because Google asks different questions that can be seen inside your app when you first upload the first version of the app. But after this process they become too lenient in some way, this was way back 2020 when im working as mobile frontdev. Idk how the process in still going after they "update" their policy etc.

[tabas]

Phone Cleaner - File Explorer (com.volabs.androidcleaner)
Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)

Do people really download these? AFAIK, most android phones have their built in cleaners and there's no need to download one. There's also the defragmentation which is enough to adjust and prolly clean some from the storage. I do understand if people are downloading pdf readers and viewers but the manufacturers should start to have them built in or most of them probably have because I can read PDF files without having the need to download these apps. It's what people need to do, explore their own smartphones without having the need to download anything since the feature they need was already built in on their phones.

These two apps might be installed by those who usually have that feeling that something is eating up their storage and they may be thinking this app may be helpful to them, while though most of newer Android phones comes with this apps default but not everyone may like the UI or UX of such apps in the device and so will try to download app offering such service.

I know that there are those users that don't mind downloading these apps and they don't have an idea that these contains the obvious malware or something that's going to make their smartphones even slower. I remember that there were people that even download "additional ram" on their phone through playstore and that's funny though but it is for real. They think that these apps really are going to make their phones perform better and these hackers are able to inject these malware on these apps that they develop.

[Sandra_hakeem]

It's very appalling that android users don't know most of this viral malwares and it's right beneath Their nose...
I'm not gonna put too much blame on them as they wouldn't indulge in downloading them apps in the first place, should they know what it is - but GOOGLE play store?? What's their fuckin problem?... Yeah, they've added a tap-in button that can flag some apps as inappropriate - but what if this happened already without their notice? 150,000 times? ain't no way!! This people must solely be after the money they make.

Sandra 🧑‍🦰

[lixer]

That's one of the reasons why I don't use Android. This is not the first time that malware or spyware packaged in a harmless app has been included in the Appstore. This has never happened with Apple. Even though many crypto apps encrypt the stored keys, I would never take the risk of running a wallet or other crypto apps on Android.

Let's not make this another debate about Apple vs Android and the ever-lasting rivalry between the two brands because whether it's Apple or Android, things like these can happen in both of them, I believe the reason why they mostly target Android is because they know it has a higher user base and it also allows more freedom for the users when it comes to installing applications and software and giving access to them.

I know it's a flaw and they need to work on it, but I don't agree that the same can't be done on Apple because hackers and exploiters can always find a way to do the same with Apple as well but they know they are going to get more people to target with Android so they probably keep it their primary target.

[Cricktor]

There's a significant difference between Apple and Android here: to be able to publish apps on Apple's app store you need a paid account that adds cost for evil entities and a credit card. A Google developer account to publish apps on Google Play Store is for free as far as I remember.

Once your malicious apps have been detected you can bet Apple will suspend or cancel your dev account, of course without any reimbursement. I'm not sure though if this is a key reason that malware seems to appear less in Apple's app store which isn't immune to malware.

[jrrsparkles]

That's one of the reasons why I don't use Android. This is not the first time that malware or spyware packaged in a harmless app has been included in the Appstore. This has never happened with Apple. Even though many crypto apps encrypt the stored keys, I would never take the risk of running a wallet or other crypto apps on Android.

Well App store have same situation too but the number of occurrences may differ but you can't say that it never happened on IOS app store cause it happens there too.

If you are running a crypto wallet on a smartphone then try to keep it as stock, installing more apps can do harms like this and at last use the apps that's known for years, not because it's in the top rank in your region/country.

[Cricktor]

An app that's known for years is no guarantee to stay clean. There's always the possibility that an app gets entirely sold to some new owner who has some nefarious plans with it. A significant user base is attractive to evil entities. After being sold the new owner continues at first to maintain the app, maybe even introduce new features or gimmicks.

Then what if the app turns slowly but hidden evil with some updates that the user base happily installs or is installed automatically. Disguised payload dropper components are introduced, piece by piece.

I didn't keep track of sources, but this has happened in the past. If I remember correctly there was some QR code reader app that became evil. There are surely more examples... (sorry, no sources for this; you don't have to believe, just use your imagination)