Malware, Threat Intelligence

North American banks targeted by Anatsa banking trojan


More than 50,000 North American banking app users have been compromised with the Anatsa Android banking trojan through the malicious "Document Viewer - File Reader" app on the Google Play Store, reports BleepingComputer.

Threat actors uploaded a clean version of the app to the Play Store and, once it had amassed significant downloads, embedded malicious code that retrieves the Anatsa payload, which is installed as a dedicated app, according to an analysis from ThreatFabric. Malicious activity by Document Viewer - File Reader was observed from June 24 to 30, or six weeks after its initial upload to Google Play. The campaign follows several others since November 2021 in which Anatsa was reported to have been spread through malicious apps.

Google said that all of these apps have already been removed from its store. "Users are automatically protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services," said a Google spokesperson.
