The Anatsa malware is not new: it was first reported in 2021. Now, like Joker and so many others, it refuses to die and keeps returning in new, ever more elaborate variants that slip past Android's protections with a single goal: stealing your money.
Threat Fabric analyzed the latest Anatsa campaign, including its new ways to evade detection, deceive users and take control of the phone, all in order to drain the victim's account by manipulating the banking application.
This is how Anatsa works
Android malware today works mainly in two ways: by abusing accessibility services and by downloading malicious code after installation. Google has been fighting the former for a few Android versions now, restricting which apps are allowed to enable an accessibility service.
According to Threat Fabric, the most common way malicious actors still get malware onto Google Play is to hide it in apps that have a plausible “justification” for using accessibility services, such as a system cleaner that claims to need them to hibernate other applications.
The next step is to push the app into the top 3 of its category with fake reviews, a problem we already know persists despite Google's attempts to control it. That is how the app reaches users (this one had at least 10,000 installs before it was removed from Google Play), although it is only the beginning of the journey.
Anatsa uses the dropper technique: the app works as advertised when installed, and only about a week later does it download the malicious code. The novelty is that what it fetches first is not the payload but the configuration for the payload downloader. This helps it avoid detection, because the application as initially submitted contains no references to remote code download, which is what sets off alerts in detection systems.
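As an added illustration (not code from the article or from Threat Fabric), the toy triage script below shows in Python why a first stage that only fetches a configuration file is harder to catch with a string-based rule than a classic dropper. The indicator lists, string tables, URLs, manifest summaries and package names are all constructed assumptions, not Anatsa's real strings.

```python
"""Added example, not from the article or Threat Fabric's analysis: a toy static
triage heuristic that shows why a config-first dropper stage is harder to flag.
The indicator lists, string tables and manifest summaries below are constructed
for illustration and are not Anatsa's real strings or package names."""

import re

# Dex-descriptor strings that typical static rules treat as "can load code at runtime".
DYNAMIC_LOAD_INDICATORS = (
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
)
# A URL ending in an executable Android artifact is a download-and-run signal.
REMOTE_CODE_URL = re.compile(r"https?://\S+\.(?:apk|dex|jar)\b", re.IGNORECASE)

A11Y_SERVICE_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
INTERNET_PERMISSION = "android.permission.INTERNET"


def dynamic_load_indicators(strings):
    """Return the strings that reference runtime code loading or a remote code URL."""
    return [
        s for s in strings
        if s in DYNAMIC_LOAD_INDICATORS or REMOTE_CODE_URL.search(s)
    ]


def triage(strings, manifest):
    """Classify an app from its string table plus a manifest summary.

    manifest: {"permissions": set of uses-permission names,
               "service_permissions": set of android:permission values on <service>}.
    A loader reference is a hard flag; an accessibility service combined with
    network access but no visible loader is the config-first dropper shape and
    is routed to human review instead of being waved through.
    """
    if dynamic_load_indicators(strings):
        return "flag: dynamic code loading"
    declares_a11y = A11Y_SERVICE_PERMISSION in manifest["service_permissions"]
    has_network = INTERNET_PERMISSION in manifest["permissions"]
    if declares_a11y and has_network:
        return "review: accessibility service plus network, no visible loader"
    return "clean"


# Constructed string tables. The classic dropper ships its loader and payload URL
# in the initial APK; the config-first stage only knows how to fetch a JSON file.
CLASSIC_DROPPER_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "https://cdn.example.invalid/update/payload.apk",
    "Landroid/accessibilityservice/AccessibilityService;",
]
CONFIG_FIRST_STAGE1_STRINGS = [
    "https://cdn.example.invalid/api/config.json",
    "Lorg/json/JSONObject;",
    "Landroid/accessibilityservice/AccessibilityService;",
]
# Manifest summary of a hypothetical "cleaner" that justifies an accessibility service.
CLEANER_MANIFEST = {
    "permissions": {INTERNET_PERMISSION},
    "service_permissions": {A11Y_SERVICE_PERMISSION},
}


if __name__ == "__main__":
    print("classic dropper   ->", triage(CLASSIC_DROPPER_STRINGS, CLEANER_MANIFEST))
    print("config-first stage->", triage(CONFIG_FIRST_STAGE1_STRINGS, CLEANER_MANIFEST))
```

The point is not the specific indicators, which real engines derive from far richer features, but that a detector keyed only on loader references gives the config-first stage a clean pass; pairing that rule with context such as a declared accessibility service plus network access at least routes the sample to review.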
The end goal is to have the malicious code running and the accessibility service enabled, so that it can act without user intervention: opening the banking app and/or making payments.
According to Threat Fabric, seemingly harmless apps that later turn into Trojans are increasingly common on Google Play because they evade the protections Google introduced in Android 13.
In Android 13, an app sideloaded from outside Google Play cannot be granted accessibility access until the user explicitly lifts that restriction for it in the app's settings; an app installed from Google Play is not subject to the restriction, so the accessibility service can be enabled as usual.
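For readers who would rather check a device than trust the store, the following Python script (an added example, not part of the article or Threat Fabric's report) lists the accessibility services currently enabled on an Android device and flags any whose package is not on an allowlist. It reads the `enabled_accessibility_services` secure setting through adb when a device is attached; the sample value, the allowlist and the `com.example.phonecleaner` package are constructed assumptions.

```python
"""Added example, not from the article or Threat Fabric: audit which apps on an
Android device currently hold an enabled accessibility service. Android keeps
that list in the secure setting "enabled_accessibility_services" as
colon-separated "package/ServiceClass" entries ("null" or empty when none), and
adb exposes it with:  adb shell settings get secure enabled_accessibility_services
The sample value, allowlist and cleaner package name below are constructed."""

import shutil
import subprocess

SETTING_KEY = "enabled_accessibility_services"

# Packages you expect to hold accessibility access (edit for your device or fleet).
ALLOWLIST = {"com.android.talkback", "com.google.android.marvin.talkback"}

# Constructed sample: a screen reader plus a hypothetical "cleaner" app.
SAMPLE_SETTING = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.phonecleaner/.HibernateService"
)


def parse_enabled_services(setting):
    """Split the raw setting value into a list of (package, service_class)."""
    setting = (setting or "").strip()
    if setting in ("", "null"):
        return []
    entries = []
    for item in setting.split(":"):
        if not item:
            continue
        package, _, service = item.partition("/")
        # "package/.Service" is shorthand for "package/package.Service".
        if service.startswith("."):
            service = package + service
        entries.append((package, service))
    return entries


def unexpected_services(setting, allowlist=ALLOWLIST):
    """Return the enabled entries whose package is not on the allowlist."""
    return [(pkg, svc) for pkg, svc in parse_enabled_services(setting) if pkg not in allowlist]


def read_live_setting():
    """Fetch the setting from an attached device via adb, or None if unavailable."""
    if shutil.which("adb") is None:
        return None
    try:
        out = subprocess.run(
            ["adb", "shell", "settings", "get", "secure", SETTING_KEY],
            capture_output=True, text=True, timeout=10, check=True,
        )
    except (subprocess.SubprocessError, OSError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    value = read_live_setting()
    source = "device" if value is not None else "constructed sample"
    if value is None:
        value = SAMPLE_SETTING
    print(f"[{source}] enabled services: {parse_enabled_services(value)}")
    bad = unexpected_services(value)
    for pkg, svc in bad:
        print(f"UNEXPECTED: {pkg} ({svc}) holds an enabled accessibility service")
    if not bad:
        print("No unexpected accessibility services.")
```

Run it with USB debugging enabled and a device attached; without adb it falls back to the constructed sample. Anything it lists that you did not deliberately set up can be disabled under Settings > Accessibility before you uninstall the app.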
The advice for protecting yourself against this kind of threat is the usual: don't trust unknown apps even if they sit at the top of Google Play's charts, especially if they ask you to enable an accessibility service.
Malware authors have adapted their modus operandi to the changes in Android and now focus on applications that have a plausible excuse to use the accessibility service. That capability is the main gateway for malware on Android, so it is essential not to grant it lightly.
Cover image | Generated with AI
More information | Threat Fabric
In Xataka Android | My Android has a virus: tips to avoid malicious apps and how to remove them