Another serious warning for Android users, as dangerous apps are again caught stealing private information—including banking details. This time, the nasty twist is a malicious campaign specifically designed to attack Samsung devices.
Google’s never-ending battle to protect Android users from dangerous malware seems—to many—harder than it should be. How is it that threat actors seem to be able to evade enhanced defenses so frequently, and so seemingly easily?
The latest report comes from ThreatFabric, which has identified the expansion of a known, very dangerous Android dropper—an app designed to fetch and install malware once on a device—to ever more users. “A unique aspect of this dropper was its malicious code,” the team warns, “specifically targeting Samsung devices.”
The Anatsa dropper is the latest malicious app designed to make use of accessibility services—the permissions that provide additional control over a device to help those with special needs. “The malicious AccessibilityService was tailored to interact with the UI elements of Samsung devices… This suggests that the threat actors initially developed and tested their code exclusively for Samsung devices.”
If one threat actor has decided to do this, and found a way, then others will not be far behind. And in a world where Samsung continues to see delays in rolling out security updates, that will be a cause for concern for millions of users.
That said, the researchers also warn that “we believe there is potential for future adaptations to target other manufacturers.” There were also droppers as part of the same campaign that “did not contain such manufacturer-specific code, posing a threat to all devices regardless of the vendor.”
Anatsa made headlines in 2023, but it has been seen at regular intervals since at least 2021, and always targets Google’s Play Store. ThreatFabric describes this latest surge, first detected in November, as “a significant shift… over the past four months, we have observed five distinct waves of this campaign, each focusing on different regions.” Targeted geographies now include the UK, Western and Eastern Europe.
The applications themselves are the typical free utility apps that seem to attract so many casual installs. “These applications often reach the Top-3 in the ‘Top New Free’ category, enhancing their credibility and lowering the guard of potential victims while increasing the chances of successful infiltration.”
Not only has Google been continually tightening the defenses around its Play Store, but it has also been specifically hardening the requirements for apps that wish to request accessibility permissions. And yet, here we are again.
“Under [Google’s] new policy, apps must provide a clear explanation for requiring AccessibilityService. This led to a noticeable decrease in its misuse by malicious droppers, which prompted a change in its operational methods… For an app to now use this service and be published on Google Play, it requires additional approval, significantly reducing the likelihood of malicious apps exploiting this feature.”
Apps seem to be able to get around this by uploading harmless code with a seemingly plausible (at a stretch) need for accessibility services; for example, “a cleaner app, claimed to require AccessibilityService as a means to ‘hibernate draining apps’.” Then, once safely entrenched on Play Store, updates add malicious code into the mix.
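One defensive check that follows from this, added here as an example rather than anything from the article or ThreatFabric's report: parse the Android `enabled_accessibility_services` secure setting (read on a device with `adb shell settings get secure enabled_accessibility_services`) and flag any package holding accessibility access that is not on an allowlist. The sample setting value and the allowlist are constructed for illustration.

```python
# Constructed sample of the Android secure setting that lists every
# accessibility service a user (or a dropper that talked the user into it)
# has enabled. On a real device it is read with:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of package/ServiceClass entries;
# the class part may be abbreviated with a leading dot.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.cleaner/.HibernateService:"
    "com.example.pdfviewer/com.example.pdfviewer.a11y.Svc"
)

# Hypothetical allowlist of packages expected to hold accessibility access
# on a managed fleet (an assumption for this example, not a vendor list).
EXPECTED_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully qualified service class) pairs."""
    services = []
    for entry in raw.strip().split(":"):
        # adb prints "null" when nothing is enabled; skip that and malformed entries
        if not entry or "/" not in entry:
            continue
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls  # expand the abbreviated class name
        services.append((package, cls))
    return services


def flag_unexpected(raw: str, expected: set[str]) -> list[tuple[str, str]]:
    """Return enabled services whose package is not on the allowlist."""
    return [svc for svc in parse_enabled_services(raw) if svc[0] not in expected]


if __name__ == "__main__":
    for package, cls in flag_unexpected(SAMPLE_SETTING, EXPECTED_PACKAGES):
        print(f"unexpected accessibility service: {package} ({cls})")
```

Any package flagged this way deserves a look at what it claimed the permission for at install time, since a plausible-sounding justification such as "hibernate draining apps" is exactly the cover the article describes.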
Google has previously told me that “Android has multi-layered protections that help keep users safe. Android users are currently protected against this by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”
Clearly, this isn’t a catch-all, leaving permissions as the only defense between apps you install and the data and functionality on your device—all the way to a complete takeover. I have approached Google for any comment on this latest report.
Despite this Play Store warning, the primary risk for Android users remains side-loading from third-party stores, and we have seen various protections introduced to help combat that threat, including safe browsing, which is going live at the moment.
In the instance of this kind of banking trojan, the aim is to steal credentials from users with accounts at specific banks. ThreatFabric describes this as “a critical threat,” with hundreds of thousands of overall installs thus far and an approach that looks likely to expand: “This enables them to concentrate on a limited number of financial organizations, leading to a high number of fraud cases in a short time.”
While ThreatFabric says it has advised the financial organizations targeted to warn customers against installing such free apps onto their devices, this applies much more widely. I cannot over-stress the dangers in casual app installs onto your devices, with equally casual agreement to permission requests that common sense alone should tell you are not needed for the app’s functionality.
As compelling as horoscopes, phone cleaners, PDF readers, flashlights and animated weather apps might be, the usual advice pertains. Don’t install apps unless you have some reason to trust the developer and the source.
This is the latest in a regular procession of Android warnings in recent weeks. We have seen VajraSpy, SpyLoan and Xamalicious, to name but three. Be guarded against permissions and think through each before you say yes. Avoid free apps unless you trust the developer. And delete apps from your device at least semi-regularly. If it’s not in use and you installed it for no good reason, it’s better off in the trash.