ANATSA BANKING TROJAN TARGETING ANDROID DEVICES

Risk: high
Damage: high
Platform(s): Android OS
Advisory ID: ngCERT-2024-0022
Version: N/A
CVE: N/A
Published: July 10, 2024

Summary
ngCERT has identified a new version of the Anatsa banking trojan that targets Android devices and steals banking credentials and financial information from users. The trojan masquerades as a PDF and QR code reader and uses advanced remote-control and evasion techniques to bypass security measures and display fake login screens. The trojan has been distributed through various apps on the Google Play Store and has infected over 70,000 devices. ngCERT urges Android users to exercise caution when downloading apps and to follow the recommendations below to protect their devices and accounts.

Description & Consequence
The Anatsa banking trojan is a sophisticated malware family that abuses Android's accessibility services to gain full control over the infected device and carry out fraudulent transactions. The trojan is delivered through malicious apps that appear to be legitimate PDF readers, QR code readers, or cleaner apps. These apps initially behave normally; later they covertly download, decrypt, and execute the trojan's payload, which bypasses the restricted settings that protect accessibility services, primarily on Android 13. The trojan then establishes a connection with its command and control (C2) server and waits for instructions from the attacker. It steals the user's banking credentials, credit card details, and payment information by overlaying fake login screens on top of legitimate banking apps and by recording keystrokes. It can also block the user from interacting with apps chosen by the attacker, and can download, upload, delete, install, and search for files on the device.

Successful installation of this malware on an Android device allows the attacker to:

  • Remotely interact with the device, including performing clicks, scrolls, and swipes, through Android's accessibility services.
  • Launch phishing attacks to steal sensitive financial information and carry out transactions on the user's behalf.
  • Prevent the user from accessing legitimate applications on the device, such as security apps or system settings.

Solution
ngCERT recommends the following actions to prevent or mitigate infection by the Anatsa banking trojan:

  • Avoid installing apps from unknown or untrusted sources and check the reviews and ratings of the apps before downloading them from the Google Play Store.
  • Avoid calling numbers provided in unsolicited messages or emails and be wary of apps that ask for unnecessary or excessive permissions, such as accessibility services or installation of unknown apps.
  • Uninstall any app suspected of containing the Anatsa trojan and scan the device with a reputable antivirus app.
  • Change the banking passwords and monitor the account activity for any suspicious transactions and report them to the respective banks.
  • Use antivirus software and keep it updated to detect and remove malware and keep the Android device and apps updated to the latest versions.
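The description above says the trojan relies on a user-installed app holding an accessibility service (and, for its dropper stage, the ability to install packages), and the recommendations ask users to be wary of apps requesting exactly those capabilities. The following triage helper is an added example written for this advisory, not ngCERT tooling or code from the malware analysis it summarises. It reads three signals from a USB-attached device through `adb shell` (the `enabled_accessibility_services` secure setting, the third-party package list from `pm list packages -3`, and the `REQUEST_INSTALL_PACKAGES` app-op), then flags any non-allowlisted accessibility service, rating it highest when the same user-installed app can also sideload packages. The allowlist, the sample device output, and the exact text layout of `appops get` are assumptions; the parsers are kept separate from the `adb` calls so they can be run offline against the constructed samples.

```python
"""Triage: which apps on an Android device hold accessibility services, and can they
also install packages?  Added example for the ngCERT Anatsa advisory; assumptions are
marked in comments."""
import subprocess

# Assumed allowlist of accessibility services expected on a managed device.
# Extend it for your fleet; anything not listed is reported for review.
KNOWN_GOOD_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample device output (not captured from a real infection) so the
# parsing and rating logic can be exercised without a device attached.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfreader/.ControlService"
)
SAMPLE_PACKAGES = "package:com.example.pdfreader\npackage:com.example.notes\n"
SAMPLE_APPOP_ALLOW = "REQUEST_INSTALL_PACKAGES: allow; time=+1d2h3m4s ago\n"


def adb_shell(*args: str) -> str:
    """Run a command on the attached device via `adb shell` and return its stdout."""
    result = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True)
    return result.stdout


def parse_enabled_services(raw: str) -> list:
    """Parse the secure setting `enabled_accessibility_services`.

    The value is a colon-separated list of `package/ServiceClass` entries; an empty
    value or the literal `null` means nothing is enabled.  A class written as
    `.Service` is shorthand for `package.Service`, so it is expanded here.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for item in raw.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def parse_package_list(raw: str) -> set:
    """Parse `pm list packages -3` output (one `package:<name>` per line) into a set."""
    return {line.partition(":")[2].strip() for line in raw.splitlines() if line.startswith("package:")}


def parse_appop(raw: str) -> bool:
    """Return True when `appops get <pkg> REQUEST_INSTALL_PACKAGES` reports `allow`.

    Assumption: the op is printed as `REQUEST_INSTALL_PACKAGES: allow[; ...]`;
    `No operations.` or a mode of default/ignore/deny means the app cannot sideload.
    """
    for line in raw.splitlines():
        name, sep, mode = line.partition(":")
        if sep and name.strip() == "REQUEST_INSTALL_PACKAGES":
            return mode.strip().split(";")[0].strip() == "allow"
    return False


def triage(enabled: list, third_party: set, install_ops: dict, known_good=KNOWN_GOOD_SERVICES) -> list:
    """Combine the three signals into findings.

    A user-installed app holding a non-allowlisted accessibility service is the
    pattern the advisory describes; if that app may also install packages the
    finding is rated high, otherwise medium.  A system package with an unlisted
    service is rated low (usually an allowlist gap rather than an infection).
    """
    findings = []
    for svc in enabled:
        if svc in known_good:
            continue
        pkg = svc.split("/", 1)[0]
        user_installed = pkg in third_party
        can_install = install_ops.get(pkg, False)
        severity = "high" if user_installed and can_install else "medium" if user_installed else "low"
        findings.append({"package": pkg, "service": svc, "user_installed": user_installed,
                         "can_install_packages": can_install, "severity": severity})
    return findings


def collect_from_device() -> list:
    """Pull the three signals from the attached device and run the triage."""
    enabled = parse_enabled_services(adb_shell("settings", "get", "secure", "enabled_accessibility_services"))
    third_party = parse_package_list(adb_shell("pm", "list", "packages", "-3"))
    install_ops = {}
    for svc in enabled:
        pkg = svc.split("/", 1)[0]
        install_ops[pkg] = parse_appop(adb_shell("appops", "get", pkg, "REQUEST_INSTALL_PACKAGES"))
    return triage(enabled, third_party, install_ops)


if __name__ == "__main__":
    for f in collect_from_device():
        print(f"[{f['severity']}] {f['service']} user_installed={f['user_installed']} "
              f"can_install_packages={f['can_install_packages']}")
```

Run it with a device attached and USB debugging enabled; on the constructed sample the `com.example.pdfreader` service is reported as high because the package is third-party and holds the install-packages app-op. A "high" finding is a prompt to follow the advisory's steps (uninstall, scan, rotate banking passwords), not proof of infection on its own, since legitimate automation and assistive apps also use accessibility services.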
