PDF reader and phone cleaner: what else the Anatsa dropper disguises itself as

Teacher

Attackers repeatedly get malicious apps past Google Play review. How do they do it?

In November last year, researchers observed the Anatsa Android banking Trojan expanding its activity to Slovakia, Slovenia and the Czech Republic. The expansion is part of a new campaign in which, despite the enhanced detection and protection mechanisms Google has added to Google Play, several malicious droppers successfully abused the Android accessibility service.

According to ThreatFabric, every dropper used in this campaign handles its task with ease, bypassing the Android 13 system restrictions on accessibility-service access. In total, the campaign involves five droppers with more than 100,000 installations combined.

The Anatsa Trojan, also tracked as TeaBot and Toddler, is distributed through seemingly harmless apps on the Play Store. Once installed and launched, it takes full control of the infected device and performs actions on the victim's behalf, including stealing banking credentials and carrying out fraudulent transactions.

One version of the dropper, disguised as a system-cleaning app called "Phone Cleaner - File Explorer", used a versioning technique to slip in its malicious code: the app first uploaded to Google Play contained nothing malicious, and all of the malicious functionality arrived in later updates, at which point, in practice, Google's careful code review is no longer applied.

To avoid detection once the malicious functionality was introduced, the attackers used a multi-stage infection process: the dropper fetched its configuration and payload dynamically from the C2 server, which let them swap out malicious components at any time.

Although "Phone Cleaner - File Explorer" is no longer available in the official Play Store, it can still be downloaded from third-party sources. According to AppBrain, the app was downloaded about 12,000 times between November 13 and 27 before its removal.

ThreatFabric notes that the attackers prefer to concentrate on specific geographic regions, which produces a large number of fraud cases in a short time.

After the ThreatFabric report was published, Google said it had removed all of the apps identified by the researchers, namely:
  • Phone Cleaner - File Explorer (com.volabs.androidcleaner)
  • PDF Viewer - File Explorer (com.xolab.fileexplorer)
  • PDF Reader - Viewer & Editor (com.jumbodub.fileexplorerpdfviewer)
  • Phone Cleaner: File Explorer (com.appiclouds.phonecleaner)
  • PDF Reader: File Manager (com.tragisoap.fileandpdfmanager)

One of the apps had reached 100,000 installations by the time it was removed on February 19. One can only hope that users noticed something was wrong in time and removed the disguised dropper from their devices.

Google notes that Android users are automatically protected against known versions of Anatsa by Google Play Protect, which is enabled by default on all devices with Google Play services.

Play Protect can warn users about, and block, apps known for malicious behavior, even when they were not installed from the official Play Store.

But even though this particular threat has passed and Google's security measures keep improving, you still shouldn't relax. To avoid becoming a victim of similar malware, never install questionable apps from unknown publishers, and pay close attention to the permissions they request.

Access to the accessibility service should be a litmus test: outside genuine assistive tools such as screen readers, an app that asks for it, and certainly a PDF viewer or phone cleaner, is most likely malicious.
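As an added worked check for the two practical points above (the list of removed package names and the accessibility-service litmus test), here is a small triage script. It is not code from ThreatFabric, Google or the original post. It assumes you have already captured, for example over adb, the output of `pm list packages -3` (third-party packages only) and `settings get secure enabled_accessibility_services` (the colon-separated list of enabled accessibility service components). The sample output embedded in the script is constructed, and the dropper's service class name in it is invented purely for illustration.

```python
"""Triage: which third-party apps on an Android device have an enabled
accessibility service, and are any of them known Anatsa droppers?

Added example (not ThreatFabric's, Google's or the post's own code).
Assumed inputs, captured beforehand with adb:
    adb shell pm list packages -3
    adb shell settings get secure enabled_accessibility_services
"""

# Package names Google removed after the ThreatFabric report (from the article).
ANATSA_DROPPERS = frozenset({
    "com.volabs.androidcleaner",
    "com.xolab.fileexplorer",
    "com.jumbodub.fileexplorerpdfviewer",
    "com.appiclouds.phonecleaner",
    "com.tragisoap.fileandpdfmanager",
})


def parse_pm_list(text):
    """'package:com.foo' lines from `pm list packages` -> set of package names."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):].strip())
    return pkgs


def parse_enabled_a11y(text):
    """Colon-separated 'pkg/cls' components -> {pkg: [fully qualified cls, ...]}.

    The setting reads 'null' (or is empty) when no service is enabled, and a
    class may be written relative to its package ('pkg/.Service').
    """
    text = text.strip()
    if not text or text == "null":
        return {}
    services = {}
    for component in text.split(":"):
        if "/" not in component:
            continue  # malformed entry; ignore rather than abort the triage
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def triage(pm_text, a11y_text, allowlist=frozenset()):
    """Return (finding, package, service_class) tuples, worst first.

    allowlist: third-party packages known to legitimately need accessibility
    access (e.g. a screen reader the user installed on purpose).
    """
    installed = parse_pm_list(pm_text)
    a11y = parse_enabled_a11y(a11y_text)
    findings = []
    for pkg in sorted(installed & ANATSA_DROPPERS):
        findings.append(("KNOWN_ANATSA_DROPPER", pkg, None))
    for pkg in sorted(a11y):
        # Only third-party packages appear in `pm list packages -3`, so a
        # system screen reader is never flagged; allowlisted ones are skipped.
        if pkg in allowlist or pkg not in installed:
            continue
        for cls in a11y[pkg]:
            findings.append(("THIRD_PARTY_A11Y_SERVICE", pkg, cls))
    return findings


# Constructed sample output (not from a real device). The dropper's service
# class name below is invented purely for illustration.
SAMPLE_PM_LIST = """\
package:com.volabs.androidcleaner
package:com.example.bank
package:org.example.notes
"""
SAMPLE_A11Y = (
    "com.volabs.androidcleaner/.CleanerAccessibilityService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

if __name__ == "__main__":
    for finding, pkg, cls in triage(SAMPLE_PM_LIST, SAMPLE_A11Y):
        print(f"{finding:<26} {pkg}" + (f"  service={cls}" if cls else ""))
```

On the constructed sample the script reports the known dropper package once by name and once for its enabled accessibility service, while the system screen reader (TalkBack) is not flagged because it is not a third-party package. On a real device, pass any screen reader or automation tool the user installed deliberately in `allowlist`, and treat every remaining `THIRD_PARTY_A11Y_SERVICE` hit as something to look at by hand, since a file manager or cleaner has no reason to hold that access.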