Particle.news

Anatsa Android Banking Trojan Expands to 831 Targets as Google Pulls 77 Malicious Play Store Apps

Researchers detail a stealthier variant that installs its payload directly to evade review.

Android banking malware

Overview

  • Zscaler reports the latest Anatsa wave now targets 831 banking and cryptocurrency apps, expanding coverage to Germany and South Korea.
  • Operators used decoy utilities on Google Play, including a ‘Document Reader – File Manager’ app that fetched the malicious payload after installation.
  • The campaign shifts from remote DEX loading to direct installation from JSON files and employs malformed APKs, runtime DES string decryption, and emulation checks.
  • Once granted Accessibility privileges, Anatsa can overlay apps, tamper with notifications, read SMS, display phishing logins, and log keystrokes for data theft.
  • ThreatLabz identified 77 malicious Play Store apps with more than 19 million installs, mostly adware and Joker/Harly variants, which Google removed after the report.
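As an added defender-side illustration (not code from Particle.news, Zscaler, or the Anatsa operators), the script below shows a static triage heuristic for the two traits the summary highlights: a DEX payload shipped under a non-code name such as a JSON asset, and a declared Accessibility service. It assumes the APK's manifest has already been decoded to plain XML text (for example with apktool); the sample archive and manifest are constructed in memory so the check runs offline.

```python
"""
Added triage example, not from the Particle.news summary or Zscaler's report.
Assumptions: the manifest is available as decoded XML text; the sample APK is
a constructed in-memory ZIP, not a real application.
"""
import io
import zipfile

# Every DEX file starts with "dex\n" followed by a version string and NUL.
DEX_MAGIC = b"dex\n"
CODE_EXTENSIONS = (".dex",)
# Marker an Accessibility service must carry in the manifest to be bound.
ACCESSIBILITY_MARKER = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def find_hidden_dex(apk_bytes: bytes) -> list:
    """Return archive entries whose content begins with the DEX magic but
    whose name does not end in .dex (e.g. a payload stored as assets/*.json).
    Matching on content rather than extension is what catches the trick."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.endswith(CODE_EXTENSIONS):
                continue
            with zf.open(info) as fh:
                head = fh.read(len(DEX_MAGIC))
            if head == DEX_MAGIC:
                hits.append(info.filename)
    return hits


def declares_accessibility_service(manifest_xml: str) -> bool:
    """True if the decoded manifest binds a service to the Accessibility
    permission, the capability the summary describes Anatsa relying on."""
    return ACCESSIBILITY_MARKER in manifest_xml


def triage(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Combine both signals; either alone is common in benign apps, so only
    the combination is flagged for analyst review."""
    hidden = find_hidden_dex(apk_bytes)
    accessibility = declares_accessibility_service(manifest_xml)
    return {
        "hidden_dex": hidden,
        "accessibility_service": accessibility,
        "suspicious": bool(hidden) and accessibility,
    }


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal ZIP mimicking a dropper that carries a
    second DEX disguised as a JSON asset. Not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 16)
        zf.writestr("assets/settings.json", b'{"theme": "dark"}')
        zf.writestr("assets/update.json", DEX_MAGIC + b"035\0" + b"\0" * 16)
    return buf.getvalue()


# Constructed, abbreviated manifest text (hypothetical service name).
SAMPLE_MANIFEST = """<manifest package="com.example.docreader">
  <application>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    print(triage(build_sample_apk(), SAMPLE_MANIFEST))
```

In practice the archive check is cheap enough to run across every app in a managed fleet, and the manifest signal can be replaced by the decoded binary XML from whatever unpacking tool the team already uses; a hit is a prompt for analyst review, not a verdict.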