Permissions such as Accessibility Service, which in previous campaigns was one of the core tactics abused to automate the installation process of Android banking trojans via dropper apps in Google Play. Anatsa's droppers pose mainly as QR code and PDF scanners (for example, an app called QR Code Generator) and cryptocurrency apps. At this moment, the Anatsa payload is downloaded from the C2 server(s) and installed on the device of the unsuspecting victim. This is one of the core reasons for the significant success of mobile banking threat actors in sneaking into Google's trusted app store. In the first case, we observed Brunhilda posing as a QR code creator app. Brunhilda dropped samples from established families, like Hydra, as well as novel ones, like Ermac. How did Anatsa malware infiltrate my computer?

However, in this case, it is done in a more inventive way: the payload is presented as a new package of workout exercises, in keeping with the app's theme. Therefore, high battery usage may indicate that the application is malicious.

The same C2 server is also used in all the other droppers. It can steal credentials, log keystrokes and capture the screen (obtain anything shown on the victim's screen). Anatsa is the name of a banking Trojan with remote administration Trojan (RAT) capabilities. Read reviews and comments, and check ratings before downloading and installing applications (even from legitimate platforms). For example, by introducing carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend that fully matches the theme of the dropper app (for example, a working fitness website for a workout-focused app). This malicious dropper is published in the Google Play Store as a fake antivirus, which really has two main goals (and commands to receive from C2): With this command, the app installed from the Google Play Store is able to install and enable Accessibility Permissions for the fully featured SharkBot sample it downloaded. These permissions allow Android banking malware to intercept all the accessibility events produced by the interaction of the user with the user interface, including button presses, touches, TextField changes (useful for the keylogging features), etc. SharkBot includes one or two domains/URLs which should be registered and working, but in case the hardcoded C2 servers are taken down, it also includes a Domain Generation Algorithm (DGA) to be able to communicate with a new C2 server in the future. Our threat intelligence shows that at the moment this dropper is used to distribute the Alien banking trojan. The protocol used to communicate with the C2 servers is an HTTP-based protocol. Keeping the software up to date is a good practice when it comes to device safety. How to check the battery usage of various applications?
Anatsa was discovered by ThreatFabric in January 2021. However, it is only a template for a gym website with no useful information on it, still containing Lorem Ipsum placeholder text in its pages. Moreover, the configuration contains filter rules based on device model. This extraordinary attention to evading unwanted attention renders automated malware detection less reliable. Scroll down until you see a potentially unwanted and/or malicious application, select it and tap "Uninstall". In the paragraphs below we outline the Modus Operandi (MO) of each of the families distributed recently via Google Play. How to check the data usage of various applications? Shortly after we published this blogpost, we found several more SharkBot droppers in the Google Play Store. In the following image we can see the code SharkBot uses to intercept new notifications and automatically reply to them with the message received from the C2. Tap "CLEAR DATA" and confirm the action by tapping "DELETE".
RIFT: Research and Intelligence Fusion Team. Rolf Govers, Malware analyst & Forensic IT Expert. How to install the latest software updates? To achieve this, criminals use a multitude of techniques, which range from location checks to incremental malicious updates, including time-based de-obfuscation and server-side emulation checks. The device manufacturers are continually releasing various security patches and Android updates in order to fix errors and bugs that can be abused by cyber criminals. Screenshot of the Anatsa trojan disguised as a legitimate application (QR Code Generator - QR Code Creator & QR Maker): Tap the "Menu" button (three dots in the upper-right corner of the screen) and select "History" in the opened dropdown menu. This leads us to the conclusion that the actor(s) behind these Alien campaigns use at least 2 different dropper services in their distribution strategy.
Upon successful registration, and after communicating more detailed information about the device, the dropper is instructed by the C2 to download and install the payload package. We discovered the first dropper in June 2021 masquerading as an app for scanning documents. However, you must keep in mind that all data within the device will be deleted, including photos, video/audio files, phone numbers (stored within the device, not the SIM card), SMS messages, and so forth. As mentioned before, ThreatFabric observed Brunhilda serving different malware families. When all conditions are met and the payload is ready, the user will be prompted to download and install it. The malware has received 95,000 installations via malicious apps in the Play Store. The second most prolific of the malware families detailed by researchers at ThreatFabric is Alien, an Android banking trojan that can also steal two-factor authentication capabilities and which has been active for over a year. This new wave of malware, which started in August 2021, also includes other families like Gustuff and Anatsa. Shortly after, the dropper gets its configuration from the C2. As mentioned previously, not every device will receive the update. This spread strategy abusing the Direct Reply feature has been seen recently in another banking malware called Flubot, discovered by ThreatFabric. This capability is most likely to be used to steal credentials, credit card details, and other sensitive information. A second big factor behind their success is that actors have set restrictions, with mechanisms to ensure that the payload is installed only on the victim's device and not on testing environments. Ignore suspicious SMS messages and irrelevant emails received from unknown addresses that contain links or attachments. You can also restore just the basic system settings, or only the network settings.
To eliminate malware infections, our security researchers recommend scanning your Android device with legitimate anti-malware software. After discovery we immediately reported this to Google. Anatsa can record keystrokes (log keyboard input), perform overlay attacks to steal credentials, remotely control the infected device, and capture the screen. Cybercriminals distribute Anatsa via apps (droppers) on Google Play. We discovered Anatsa while inspecting apps (droppers) uploaded to Google Play. Note that some malicious applications might be designed to operate only when the device is connected to a wireless network. The apps dropped by this Brunhilda campaign do not differ much in functioning from the previous versions we observed during 2021. NCC Group, as well as many other researchers, noticed a rise in Android malware last year, especially Android banking malware. A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulty of detecting them with automation and machine learning techniques. Scroll down until you find the "Chrome" application, select it and tap the "Storage" option. Our latest findings show that Anatsa now utilizes Google Play dropper apps. We will also discuss the sometimes forgotten by-product of banking trojans collecting contacts and keystrokes, which results in severe data leakage.
Always use legitimate sources (platforms and websites) to download apps and files. This dropper, which we dubbed Gymdrop, is another example of how cybercriminals try to convince victims and detection systems that their app is legitimate. Anatsa is a quite powerful Android banking Trojan. This malware is most likely to be used to access banking apps. Tap "Download updates manually" and check if there are any updates available. Two important fields sent in the requests are: Those parameters are hardcoded and have the same value in the analyzed samples. Using this mode is a good way to diagnose and solve various issues (e.g., remove malicious applications that prevent users from doing so when the device is running "normally"). However, the configuration file was not found on the C2. At the moment of writing, the SharkBot malware doesn't seem to have any relation to other Android banking malware like Flubot, Cerberus/Alien, Anatsa/Teabot, Oscorp, etc. A good example is the modification introduced by Google on November 13th, 2021, which limits the use of the Accessibility Services that were abused by earlier dropper campaigns to automate and install apps without user consent. Brunhilda was observed dropping different malware families.

All appear to behave identically; in fact, the code seems to be a literal copy-paste in all of them. Anatsa is a rather advanced Android banking trojan with RAT and semi-ATS capabilities. What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that the dropper apps all have a very small malicious footprint. In total, ThreatFabric analysts were able to identify 6 Anatsa droppers published in Google Play since June 2021. In most cases, it is designed to encrypt files, steal sensitive information, mine cryptocurrency, and (or) remotely control the infected device.