Bitcoin Forum
Author Topic: Anatsa Android malware downloaded 150,000 times via Google Play  (Read 206 times)
Amphenomenon (OP)
Sr. Member
February 22, 2024, 04:58:45 PM
Merited by DdmrDdmr (4), pinggoki (1)
 #1

Anatsa is a banking Trojan malware which has the ability to steal banking credentials, log keystrokes and steal sensitive data from victims' devices. It acts like a Remote Access Trojan (RAT) and gives the attacker the leverage to remotely control the malware on that device to carry out other attacks.

The Anatsa malware has been targeting Android users, mainly across Europe, through malware droppers (a dropper is a small program that assists in installing malware on a device) hosted on the Google Play Store.

Researchers at fraud detection company ThreatFabric noticed an increase of Anatsa activity since November, with at least 150,000 infections.

Each attack wave focuses on specific geographic regions and employs dropper apps crafted to reach the “Top New Free” categories on Google Play, lending them credibility and increasing the success rate.

The five malicious apps are:
Phone Cleaner - File Explorer (com.volabs.androidcleaner)
PDF Viewer - File Explorer (com.xolab.fileexplorer)
PDF Reader - Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)
Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)

These apps were created in such a way that the Google Play Store wasn't able to identify whether they were actually malicious, but after this issue was reported, the apps have been deleted from the Play Store, yet thousands of users had already installed them.

Some things to note about this:
  • Not all apps from trusted sources are good, because this is actually not the first time such malicious apps have been found on Google, and since hackers are creative and innovative they will always find ways to exploit any service with different schemes, so we have to be cautious.
  • Check reviews and ratings before installing any application.
  • Be highly cautious of the kind of permission control you give to any application once it is installed or updated.

https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downloaded-150-000-times-via-google-play

https://www.checkpoint.com/cyber-hub/cyber-security/what-is-trojan/what-is-a-banking-trojan/

SamReomo
Hero Member
February 22, 2024, 05:18:16 PM
 #2

> These apps were created in such a way that the Google Play Store wasn't able to identify whether they were actually malicious, but after this issue was reported, the apps have been deleted from the Play Store, yet thousands of users had already installed them.

Google Play Store malware-detecting algorithms are outdated and hackers know about that. That's why they have been able to add the malicious code easily without many problems. I think Google should improve their algorithms so that in future all such applications with malware are detected during submission. That way users can be safe from all such malware. In fact, it's better to download only applications from reputed vendors.

tyz
Legendary
February 22, 2024, 05:30:00 PM
 #3

That's one of the reasons why I don't use Android. This is not the first time that malware or spyware packaged in a harmless app has been included in the Appstore. This has never happened with Apple. Even though many crypto apps encrypt the stored keys, I would never take the risk of running a wallet or other crypto apps on Android.
BitMaxz
Legendary
February 22, 2024, 06:14:16 PM
 #4

I'm using Android but I haven't experienced any malware or spyware yet on my phone. I always keep updating the security update on Samsung to make sure I have the most up-to-date data from the server, and I have Kaspersky antivirus.

If you are randomly downloading apps on your phone, you can also be one to fall for this trojan malware.
So people should be careful when installing any apps. If they use their phone with banking apps or crypto wallets, they should use it only for that purpose; if you are going to install other apps not related to finance (bank or crypto), use another phone to avoid such malware.

Zlantann
Legendary
February 22, 2024, 06:54:32 PM
Last edit: February 22, 2024, 07:36:05 PM by Zlantann
 #5

> Some things to note about this:
>   • Not all apps from trusted sources are good, because this is actually not the first time such malicious apps have been found on Google, and since hackers are creative and innovative they will always find ways to exploit any service with different schemes, so we have to be cautious.

It is good that Google identified these malicious apps and brought them down. Let me add that it is better to download apps from the original website of the developer; it might help reduce the chances of downloading these malicious apps.

> That's one of the reasons why I don't use Android. This is not the first time that malware or spyware packaged in a harmless app has been included in the App Store. This has never happened with Apple. Even though many crypto apps encrypt the stored keys, I would never take the risk of running a wallet or other crypto apps on Android.

Android is more prone to malware and using Apple might offer better security. However, there is no guarantee that Apple is fully fortified against attacks. There are cases where Apple users have been victims of such attacks. We need to be always security-conscious.

Cantsay
Hero Member
February 22, 2024, 07:00:49 PM
 #6


> The five malicious apps are:
> Phone Cleaner - File Explorer ()
> PDF Viewer - File Explorer ()
> PDF Reader - Viewer & Editor ()
> Phone Cleaner: File Explorer ()
> PDF Reader: File Manager ()

If you’ve ever used your phone to access a site that allows ads then you’ll know that all these apps you mentioned are a den of malware - there are times when you’ll be scrolling through the internet and you’ll suddenly receive a notification that your phone needs cleaning and you should download a phone cleaner or any similar app.

This was part of the reason I had to switch to iOS - not many apps can be installed without your permission, and I believe you need to download from the App Store before you can install anything, and during the download process you’ll be asked for a passcode, which provides additional security for the device. By the way, thanks for the update @op.

albon
Legendary
February 22, 2024, 09:14:45 PM
 #7

This teaches us that not all applications on Google Play are trustworthy; they may be listed in the store and get past its algorithms and systems for detecting apps containing malicious code and permissions. It may be that the thousands who downloaded these applications, mostly related to cleaners and PDFs, did not notice that these apps had been removed from Google Play after detecting issues. They may not notice that these apps that contain the Anatsa Trojan threaten their phones' security.

Thank you, OP, for the pieces of advice you mentioned, and I would add that it is vastly preferable instead of relying on application reviews and ratings that could be false. It is recommended not to use the main phone used for cryptocurrency matters to download any unnecessary apps except for default phone apps. You can use a secondary phone with a trusted and well-known antivirus installed, such as Avira Antivirus.

tabas
Hero Member
February 22, 2024, 09:46:55 PM
 #8

> Phone Cleaner - File Explorer (com.volabs.androidcleaner)
> Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)

Do people really download these? AFAIK, most Android phones have their built-in cleaners and there's no need to download one. There's also the defragmentation, which is enough to adjust and prolly clean some from the storage. I do understand if people are downloading PDF readers and viewers, but the manufacturers should start to have them built in, or most of them probably have, because I can read PDF files without having the need to download these apps. It's what people need to do: explore their own smartphones without having the need to download anything, since the feature they need is already built into their phones.

>   • Check reviews and ratings before installing any application

Just to note that not all of these reviews and ratings are genuine. Always read them clearly because many of them could have been given a positive rating intentionally and is/are part of their group.

Cryptoprincess101
Member
February 23, 2024, 03:46:46 AM
 #9


> > The five malicious apps are:
> > Phone Cleaner - File Explorer ()
> > PDF Viewer - File Explorer ()
> > PDF Reader - Viewer & Editor ()
> > Phone Cleaner: File Explorer ()
> > PDF Reader: File Manager ()
>
> If you’ve ever used your phone to access a site that allows ads then you’ll know that all these apps you mentioned are a den of malware - there are times when you’ll be scrolling through the internet and you’ll suddenly receive a notification that your phone needs cleaning and you should download a phone cleaner or any similar app.

Yeah, the majority of those apps are malicious. Sometimes after installing them, the app either begins to scan your phone automatically or notifies you that you have some dangerous apps that need cleaning, and if you attempt to allow that cleaning, that's how you will lose some of your vital apps or files stored on your phone.
Google really needs a serious upgrade on the Play Store because the way hackers are going to extremes just to confuse or bypass some security checks is really alarming.

Yamane_Keto
Sr. Member
February 23, 2024, 04:02:28 AM
 #10

Phone Cleaner, PDF Reader is a front for one of these viruses. It seems that the focus of these hackers is on people with average knowledge, as we are not careful when we download these applications when they have more than 50k downloads. The skill of these hackers is increasing rapidly, and I expect that applications that provide simple services such as photo filters, or Snapchat add-ons, and applications that are downloaded heavily will be next on the list.

ImThour
Copper Member
Legendary
February 23, 2024, 04:05:19 AM
 #11

Out of those 150k times, most of them, probably 70-80k, are downloaded via their own Google accounts using bot scripts. They are also used to provide fake ratings to the app, also making it appear in some search suggestions due to the bot views/likes. Sad for those who already fell for such a scam. I mean it might be possible to catch these scammers; a company like Google can.
sokani
Sr. Member
February 23, 2024, 07:19:45 AM
 #12

> Check reviews and ratings before installing any application

Checking ratings and reviews is good but they're not always accurate. Some persons may be paid to hype all sorts of praises about these applications, and unsuspecting users will blindly follow the reviews and install these apps on their devices.

Google Play Store has become a dumping ground for scammers; it has a poor vetting process and its approach has always been medicine after death. Android users can mitigate the risk of downloading malicious apps by using F-Droid, a free Android marketplace for open source applications.

Crypt0Gore
Sr. Member
February 23, 2024, 08:25:35 AM
 #13

Phone memory cleaners and PDF viewers came preinstalled on my phone; I have seen many smartphone brands that have these apps installed by the OEM's official ROM.

I don't blame those who fall victim; they must have thought that it's safe because it's not a money app. Some people are only careful with bank apps and crypto wallets, but this topic will make them think again.

It doesn't have to be a money-related app for hackers to get your data and files; even picture apps for fine-tuning shots can be targets too, just like how many keyboard apps on the Play Store can't be trusted today.

Do not trust any store, either on Android or iPhone. People these days will even uninstall the Google Play Store from their phone because of this safety issue; new privacy custom ROMs like GrapheneOS and LineageOS removed Google apps and services by default. Be cautious handling your Android phones.

Amphenomenon (OP)
Sr. Member
February 23, 2024, 08:44:47 AM
 #14

> > These apps were created in such a way that the Google Play Store wasn't able to identify whether they were actually malicious, but after this issue was reported, the apps have been deleted from the Play Store, yet thousands of users had already installed them.
>
> Google Play Store malware-detecting algorithms are outdated and hackers know about that. That's why they have been able to add the malicious code easily without many problems. I think Google should improve their algorithms so that in future all such applications with malware are detected during submission. That way users can be safe from all such malware. In fact, it's better to download only applications from reputed vendors.

The majority of Android users don't know this; their belief is that if it is in the Play Store or if it is recommended by Google it is safe, but we know this is definitely far from it.

> I'm using Android but I haven't experienced any malware or spyware yet on my phone. I always keep updating the security update on Samsung to make sure I have the most up-to-date data from the server, and I have Kaspersky antivirus.
>
> If you are randomly downloading apps on your phone, you can also be one to fall for this trojan malware.
> So people should be careful when installing any apps. If they use their phone with banking apps or crypto wallets, they should use it only for that purpose; if you are going to install other apps not related to finance (bank or crypto), use another phone to avoid such malware.

If you read this: https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downloaded-150-000-times-via-google-play
You will see Samsung is not an exception, but I believe what has been keeping you free from all these are the security measures you practice, because when it comes to privacy and security we ought to be responsibly cautious and not put our trust solely in any service.

> > Some things to note about this:
> >   • Not all apps from trusted sources are good, because this is actually not the first time such malicious apps have been found on Google, and since hackers are creative and innovative they will always find ways to exploit any service with different schemes, so we have to be cautious.
>
> It is good that Google identified these malicious apps and brought them down. Let me add that it is better to download apps from the original website of the developer; it might help reduce the chances of downloading these malicious apps.

This was discovered by ThreatFabric researchers and this is not the first time an Anatsa banking Trojan has been found on the Play Store. Don't forget that the original website may redirect individuals to the Play Store, but the main thing here is downloading a credible app for any service, since there are many apps offering the same services and some are malicious. In the end it is just you rightly separating the sheep from the wolves.

> > Phone Cleaner - File Explorer (com.volabs.androidcleaner)
> > Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
>
> Do people really download these? AFAIK, most Android phones have their built-in cleaners and there's no need to download one. There's also the defragmentation, which is enough to adjust and prolly clean some from the storage. I do understand if people are downloading PDF readers and viewers, but the manufacturers should start to have them built in, or most of them probably have, because I can read PDF files without having the need to download these apps. It's what people need to do: explore their own smartphones without having the need to download anything, since the feature they need is already built into their phones.

These two apps might be installed by those who usually have the feeling that something is eating up their storage and who may think this app will be helpful to them. Although most newer Android phones come with these apps by default, not everyone may like the UI or UX of such apps on the device, and so they will try to download an app offering such a service.

> Out of those 150k times, most of them, probably 70-80k, are downloaded via their own Google accounts using bot scripts. They are also used to provide fake ratings to the app, also making it appear in some search suggestions due to the bot views/likes. Sad for those who already fell for such a scam. I mean it might be possible to catch these scammers; a company like Google can.

Bot scripts are now so common for every hacker and scammer to use rather than paying others for downloads and ratings. Yes, it may be possible for Google, though, but I doubt they see it as an issue since this is not the first time such malware has been found in the Play Store.
Here are references to the previous Anatsa banking Trojan, including the previous one with Google: https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa

pinggoki
Sr. Member
February 23, 2024, 10:02:55 AM
 #15

When it comes to Google Play, you really do need to be careful when you download an app; they don't have the most restrictive kind of regulation of apps, unlike the Apple Store. It's really sad that there's a victim of this; it kind of pains me to see that you're not safe even when you think that you're in a trusted place. Google Play really needs to start doing some kind of overhaul and refurbishing of their platform because trust is a really big deal for many; if you're on your toes all the time when you're downloading something there, then the experience of using it isn't worth it.



Lucius
Legendary
February 23, 2024, 12:14:37 PM
 #16

I am very careful with the apps I install from GP and I always check them before I install them, and they are always apps that have been there for a long time and have several hundred thousand or even more than a million downloads. Although it is not a method that can protect you 100%, it is still better to have some method than to download everything randomly.

For those who don't want or don't have time to do thorough checks, it might not be a bad option to install a good antivirus program that could warn them and protect them from infection if they try to download such a malicious app.

Churchillvv
Full Member
Activity: 378
Merit: 166
February 23, 2024, 02:12:37 PM
 #17

The sentiment on Android phones here is really not the case. I have both Android and iOS phones, and these viruses haven't been detected on iOS yet, but it doesn't mean they don't have their own flaws.

As Lucius said, just downloading a good antivirus can help those who don't care about these viruses when downloading.

OP, I appreciate your thought in bringing us the updates. I wouldn't have been aware if not for this information.

SamReomo
Hero Member
Activity: 784
Merit: 673
February 23, 2024, 02:48:11 PM
 #18

The majority of Android users don't know this; their belief is that if it is in the Play Store or if it is recommended by Google it is safe, but we know this is definitely far from it.
That's the main reason why those so-called malware developers are targeting them. Most of those Android users blindly trust Google Play Store's protection, and in their minds they think that whichever application is available on the Play Store is a trusted one and we can use it without any worries about viruses and malware, but they aren't aware of the reality.

As long as an application is closed source, no one should trust it even if it comes from a trusted vendor. A closed-source application can contain malicious code without any doubt, and those who don't know that suffer from the malware when they install it on their smartphones or personal computers. I think those people need some kind of awareness so that they could be safe from such malware in future.

moneystery
Full Member
Activity: 672
Merit: 161
February 23, 2024, 03:20:20 PM
 #19

Even places that should be considered very secure for users to install applications have now become places for malware to get their victims. I don't know how these hackers can trick the Google Play security system into being able to put their applications there and how it is possible that Google, as the party most responsible for the Google Play security system, cannot detect this.

This should be a concern for all of us, because perhaps not only this application, there may be more applications on Google Play that are actually malware and may have been installed on our devices without us realizing it.

PX-Z
Hero Member
Activity: 1428
Merit: 836
February 23, 2024, 03:48:46 PM
 #20

The five malicious apps are:
Phone Cleaner - File Explorer ()
PDF Viewer - File Explorer ()
PDF Reader - Viewer & Editor ()
Phone Cleaner: File Explorer ()
PDF Reader: File Manager ()
For God's sake, I'm not a fan of this kind of app on my device, nor do I even have anything similar to this; most are from big and reputed services only, nothing else.

I think Google should improve their algorithms so in future all such applications with malware should be detected during the submission time. That way users can be safe from all such malware, in fact it's better to download only applications of the reputed vendors.
Not just algorithms for automatic approval; malware detection should be better as well, and manual checking of the code should be strict, since it's required when you as a developer are trying to list your app in PS for the first version upload and in every update. Although they are more strict now than before, they still got bypassed by malicious actors/users.

