Another five hazardous infected apps were discovered: using the Anatsa trojan, they spied on the victims’ smartphones and stole the passwords of their bank accounts.
Infected Android apps that manage to “break through” the Google Play Store’s security measures without significant trouble: Threat Intelligence has discovered and reported five of them, all very dangerous because they carry the Anatsa banking trojan. Using a multi-step strategy, these apps managed to steal the credentials of the victims’ online banking accounts.
The Five Infected Apps That Were Discovered
Unlike previous infection campaigns, this time the hackers did not hide the malware in gaming apps but in apparently useful phone-management apps: three PDF readers and two file managers.
The infected apps discovered by Threat Intelligence are these:
- Phone Cleaner
- PDF Viewer
- PDF Reader
- Phone Cleaner: File Explorer
- PDF Reader: File Manager
These apps are all infected with the Anatsa malware and have already exceeded 130 thousand downloads in Europe, with a focus on users from the United Kingdom, Spain, Slovakia, Slovenia, and the Czech Republic.
Why These Apps Are Dangerous
These five infected apps follow a well-tested distribution and attack pattern, which has allowed them to bypass the Play Store’s protections and operate undisturbed for months.
Initially, the app is uploaded to the Play Store in a “clean” version, without any malware inside, and is then updated over time with the infected version. But right from the start, the app asks for some strategic permissions in order to function, such as the so-called “accessibility services.”
Accessibility services are a technology included in Android that is as noble as it is dangerous: in practice, they allow the app to track the user’s behavior and everything that appears on the phone’s screen.
These services were designed to support apps for people with disabilities, especially the visually impaired: such apps read what is on the screen and then speak it through the phone’s speaker.
The same technology is also used by malicious apps, such as the five just discovered, to spy on the screen while the user enters sensitive data, for example the username and password of an online banking account.
It is clear that once an attacker has both credentials for the bank account, it takes only a few minutes to steal the victim’s money. Moreover, again thanks to the accessibility services, the attacker can read any OTP code that arrives on the phone and is needed to authorize a payment or bank transfer.
In addition, some references to One UI, the graphical interface of Samsung smartphones, were also found within the code of these apps. This could mean that these apps were initially programmed to attack only smartphones of this brand, but later, their scope was extended to all Android phones.
How To Protect Yourself From These Apps
Threat Intelligence reported these five apps to Google, which immediately removed them from the Play Store. Those who look for them now, therefore, will no longer find them.
Even those who have installed them in the past, at least in theory, should no longer find them on their phone. This is because Android’s Play Protect system remotely instructs phones to delete all infected apps that are progressively excluded from the Play Store.
As always, however, our advice is to check your smartphone for these apps yourself, because Play Protect may not always work 100%.
As an excellent preventive security rule, we also remind all our readers that it is essential to read the list of permissions requested by apps carefully: if a PDF reader or a file manager asks for access to the accessibility services, something is clearly wrong.
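The permission check described above can be done mechanically rather than by eye. The following script is an added example written for this article; it is not Threat Intelligence’s tooling or code from the apps themselves. It inspects a decoded AndroidManifest.xml (for instance one extracted with apktool) for a service bound with android.permission.BIND_ACCESSIBILITY_SERVICE or registered under the android.accessibilityservice.AccessibilityService action, which is what an app needs in order to read the screen as described earlier. It also parses the value of the real Android setting enabled_accessibility_services (readable with `adb shell settings get secure enabled_accessibility_services`) to tell whether the user has actually switched that access on. The package name com.example.pdfreader, the service names and the sample setting value are constructed for this example.

```python
"""Added example: flag an Android app that declares an accessibility service.

A PDF reader or file manager has no legitimate need for an accessibility
service, so a declaration like the one below is a red flag. The manifest and
the 'settings get' output are constructed samples, not real app data.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Constructed sample: a decoded manifest for a "PDF Reader" that also
# registers an accessibility service (package name is made up).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="PDF Reader">
    <activity android:name=".MainActivity"/>
    <service android:name=".ScreenService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed sample: what 'settings get secure enabled_accessibility_services'
# might return on a phone where the user has granted the app accessibility access.
SAMPLE_SETTING = ("com.example.pdfreader/com.example.pdfreader.ScreenService:"
                  "com.example.screenreader/.ReaderService")


def accessibility_services(manifest_xml: str) -> list[str]:
    """Return the android:name of every <service> that is an accessibility service."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        perm = svc.get(f"{{{ANDROID_NS}}}permission")
        actions = {a.get(f"{{{ANDROID_NS}}}name") for a in svc.iter("action")}
        if perm == BIND_PERM or A11Y_ACTION in actions:
            found.append(svc.get(f"{{{ANDROID_NS}}}name"))
    return found


def package_name(manifest_xml: str) -> str:
    """Package attribute of the <manifest> root element."""
    return ET.fromstring(manifest_xml).get("package", "")


def enabled_accessibility_packages(setting_value: str) -> list[str]:
    """Parse enabled_accessibility_services: colon-separated 'pkg/Class' entries,
    or the literal string 'null' when no service is enabled."""
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    return sorted({entry.split("/")[0] for entry in value.split(":") if entry})


def triage(manifest_xml: str, setting_value: str) -> dict:
    """Combine the static (manifest) and dynamic (device setting) checks."""
    pkg = package_name(manifest_xml)
    services = accessibility_services(manifest_xml)
    return {
        "package": pkg,
        "declares_accessibility_service": bool(services),
        "services": services,
        "accessibility_enabled_on_device": pkg in enabled_accessibility_packages(setting_value),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_SETTING)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The static check alone (a declared accessibility service in an app whose purpose does not call for one) is enough to justify uninstalling; the device-side check tells you whether the app had already been granted the ability to read the screen, which decides whether banking passwords and OTP codes should be treated as exposed.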