Android users, in particular Samsung users, have been warned about dangerous apps that have been caught stealing private information, including bank information.
The latest report comes from a source that has identified the expansion of a known and very dangerous Android dropper, an app designed to fetch and install malware on a device once it is in place.
“A unique aspect of this dropper was its malicious code, specifically targeting Samsung devices.”
The Anatsa dropper is the latest malicious app designed to abuse Android's accessibility services, a set of permissions that grant an app additional control over the device in order to assist users with special needs.
“The malicious AccessibilityService was tailored to interact with the UI elements of Samsung devices… This suggests that the threat actors initially developed and tested their code exclusively for Samsung devices.”
Where one threat actor finds a way in, others usually follow, and Samsung's continued delays in rolling out security updates make this a particular cause for concern.
The report also warned that “we believe there is potential for future adaptations to target other manufacturers.”
Other droppers were found as part of the same campaign which “did not contain such manufacturer-specific code, posing a threat to all devices regardless of the vendor.”
Anatsa made headlines last year, but has been seen regularly since at least 2021. It always targets Google’s Play Store.
First detected in November, the latest surge has been described as “a significant shift… over the past four months, we have observed five distinct waves of this campaign, each focusing on different regions.”
Targeted regions now include the UK and both Western and Eastern Europe.
The apps are usually typical free utility apps that appear to attract many casual installs.
“These applications often reach the Top-3 in the ‘Top New Free’ category, enhancing their credibility and lowering the guard of potential victims while increasing the chances of successful infiltration.”
Google has been continually tightening the defence around its Play Store, as well as hardening requirements for apps that want to request accessibility permissions.
“Under [Google’s] new policy, apps must provide a clear explanation for requiring AccessibilityService. This led to a noticeable decrease in its misuse by malicious droppers, which prompted a change in its operational methods… For an app to now use this service and be published on Google Play, it requires additional approval, significantly reducing the likelihood of malicious apps exploiting this feature.”
The apps seem to bypass this by uploading harmless code together with a seemingly plausible need for accessibility services, including “a cleaner app, claimed to require AccessibilityService as a means to ‘hibernate draining apps.’”
Then, once the app is safely on the Play Store, a later update adds the malicious code.
A Google spokesperson has said “all the apps identified in the report have been removed from Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
Even so, the primary risk for Android users remains side-loading apps from third-party stores.
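As an added example (not from the report or the original article), the following POSIX shell script shows one way a defender can triage a device for the two warning signs above: an app with an enabled AccessibilityService that did not arrive through Google Play. It parses the output of two stock Android commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`); the sample output, package names and service names embedded below are constructed for offline demonstration.

```shell
#!/bin/sh
# Flag enabled accessibility services whose package was not installed by Google Play.

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated list of package/ServiceClass component names).
SAMPLE_ENABLED='com.example.cleaner/com.example.cleaner.HibernateService:com.android.talkback/.TalkBackService'

# Constructed sample of `pm list packages -i`; installer=null means no recorded installer (sideloaded).
SAMPLE_PACKAGES='package:com.example.cleaner  installer=null
package:com.android.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending'

# Print one package name per line from the enabled_accessibility_services value.
# The setting reads "null" when nothing has ever been enabled, so that token is dropped.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sed '/^$/d;/^null$/d'
}

# Print the installer recorded for package $2 in the pm listing $1 (empty if the package is absent).
installer_of() {
    printf '%s\n' "$1" | awk -v want="package:$2" \
        '$1 == want { sub(/^installer=/, "", $2); print $2; exit }'
}

# Output "<package> <installer>" for every enabled accessibility service not installed from Google Play
# (com.android.vending is the Play Store's package name).
flag_sideloaded_accessibility() {
    enabled="$1"; packages="$2"
    accessibility_packages "$enabled" | while read -r pkg; do
        inst=$(installer_of "$packages" "$pkg")
        case "$inst" in
            com.android.vending) ;;                 # installed through Google Play: not flagged
            *) echo "$pkg ${inst:-unknown}" ;;      # sideloaded, unknown, or not in the listing
        esac
    done
}

# Same check against a connected device (assumes adb is installed and USB debugging is enabled).
audit_device() {
    enabled=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    packages=$(adb shell pm list packages -i | tr -d '\r')
    flag_sideloaded_accessibility "$enabled" "$packages"
}

# Offline demonstration on the constructed samples; prints "com.example.cleaner null".
flag_sideloaded_accessibility "$SAMPLE_ENABLED" "$SAMPLE_PACKAGES"
```

A flagged entry is only a lead for closer inspection, since legitimate accessibility tools can also be installed outside the Play Store.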
In the case of banking, the aim is to steal credentials from users with accounts at specific banks. It’s been described as “a critical threat,” as hundreds of thousands of installs have occurred so far.
“This enables them to concentrate on a limited number of financial organisations, leading to a high number of fraud cases in a short time.”
Financial organisations have been advised to warn their customers against installing free apps on their devices, advice that applies widely.
This is the latest in a range of Android warnings over recent weeks. To name three, there have already been warnings about VajraSpy, SpyLoan, and Xamalicious.
Users have been urged to be guarded about permissions, and to think through each one before saying yes.
They’ve also been urged to avoid free apps unless the developer is trusted, and to delete unneeded apps from their devices at least semi-regularly.
If the app isn’t in use, or it was installed for no good reason, the best advice is to delete it.