Android banking trojan wants to drain your online bank account; delete these five apps now!

UPDATE: A Google spokesman reached out to us to give us the following statement. "All of these identified malicious apps have been removed from Google Play and the developers have been banned. Google Play Protect also protects users by automatically removing apps known to contain this malware on Android devices with Google Play Services."

Smartphone users in the U.S., U.K., Germany, Austria, and Switzerland are under attack by an Android trojan called 'Anatsa' which targets online banking customers in those countries. Like the Trojan Horse of legend, trojan malware hides inside apps that appear harmless; once such an app is installed on your phone, its true purpose is revealed.

ThreatFabric's analysts have been tracking campaigns that use apps located in the Google Play Store that deliver the banking trojan called Anatsa. The apps involved in this campaign have over 30,000 installations. The campaign targets 600 financial apps from around the world. The goal is to steal the credentials used by customers on banking apps and initiate fraudulent transactions by performing Device-Takeover Fraud (DTO).

The latest Anatsa campaign started this March with the goal of creating fraudulent banking transactions


After taking a six-month break, ThreatFabric (via BleepingComputer) saw indications of a new campaign this past March. An app listed in the Google Play Store, holding itself out as a PDF reader, would download the payload once it was installed. The payload, loaded from GitHub, was disguised as an add-on to the original app.

Once the app was reported to Google, it was removed from the Play Store. But a month later, the attackers added another app to the Play Store, this time a PDF viewer app, and once again a payload was downloaded to the app disguised as an add-on.


And once again, the dropper app was reported to Google and removed from the Play Store. Three more droppers were discovered in the Play Store last month and this month. It takes a couple of days to a couple of weeks for these malicious apps to be listed in the Play Store and as of this moment, there is an Anatsa dropper still listed in Google's Android app storefront.

According to ThreatFabric, "Our analysis also reveals that the actors can have several apps published in the store at the same time under different developer accounts, however, only one is acting as malicious, while the other is a backup to be used after takedown. Such a tactic helps actors to maintain very long campaigns, minimizing the time needed to publish another dropper and continue the distribution campaign."

Once a device is infected, the trojan can collect sensitive information including credentials, credit card details, balance, and payment information. This data is used by the attackers to create transactions using the victim's bank account. Since these transactions use the same devices that the targeted bank customers usually use, it is hard for anti-fraud systems to spot illegal transactions.

Make sure that you do not have any of these five apps on your Android phone


Back in 2021, ThreatFabric discovered a previous Anatsa campaign on Google Play when the trojan was installed over 300,000 times by apps pretending to be PDF scanners, QR code scanners, Adobe Illustrator apps, and fitness tracker apps.

The latest Anatsa droppers (and their package names) include these five apps that were, at one time, available from the Google Play Store. The titles are:

PDF Reader - Edit & View PDF (package: lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
PDF Reader & Editor (package: com.proderstarler.pdfsignature)
PDF Reader & Editor (package: moh.filemanagerrespdf)
All Document Reader & Editor (package: com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
All Document Reader and Viewer (package: com.muchlensoka.pdfcreator)


Even though they have been kicked out of the Play Store, these apps can still do damage if they remain installed on your phone. And remember, these are banking trojans that are looking to drain your bank accounts. So if you have any of these five on your Android handset, delete them immediately, if not sooner. And make it a point to check your bank balance, perhaps several times a day, to make sure that nothing funny is going on.
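As an added example (not from the article or from ThreatFabric), the following POSIX shell check compares a device's installed-package list, as printed by adb shell pm list packages, against the five Anatsa dropper package names listed above. The sample package list in the block is constructed for illustration.

```shell
# Added example: check a list of installed Android packages against the five
# Anatsa dropper package names named in the article. Input is the output of
# `adb shell pm list packages` (one "package:<name>" per line) on stdin.

ANATSA_PACKAGES="lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools
com.proderstarler.pdfsignature
moh.filemanagerrespdf
com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs
com.muchlensoka.pdfcreator"

# Print every installed package that matches the list, one per line.
# Exit status 0 when nothing matched, 1 when at least one dropper is present.
find_anatsa_droppers() {
    found=0
    while IFS= read -r line; do
        # adb output may carry a trailing CR; strip it and the "package:" prefix.
        pkg=$(printf '%s' "$line" | tr -d '\r')
        pkg=${pkg#package:}
        for bad in $ANATSA_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample of `pm list packages` output: three ordinary packages
# plus one of the droppers from the article.
SAMPLE_PM_OUTPUT="package:com.android.chrome
package:com.proderstarler.pdfsignature
package:com.google.android.gms
package:com.example.notes"

# Run the check over the constructed sample (returns 1 because a dropper is present).
demo() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_anatsa_droppers
}

# On a connected device the same check would be:
#   adb shell pm list packages | find_anatsa_droppers
demo || :
```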
