Thousands of Android users have been warned they must delete two dangerous decoy apps that are secretly stealing details and looting their bank accounts. The apps infiltrate devices with a banking trojan that can steal victims’ details.
The trojan, known as Anatsa or Teabot, has been spotted by cloud security company Zscaler. The apps are called ‘PDF Reader & File Manager’ and ‘QR Reader & File Manager’ and have been downloaded roughly 70,000 times.
Anatsa is an especially dangerous banking malware that appears harmless when the user first installs it but later downloads malicious code from a command-and-control (C2) server, disguised as an app update. This allows the malware to evade detection on the Android app store.
Once the malware successfully infects the device and begins communication with the C2 server, it scans the user’s device to detect any installed banking apps. It sends that information to the C2 server, which then sends back a fake login page for the detected apps. If you fall for this trick and enter your login information, it will be sent back to the server.
Zscaler researchers say that Anatsa primarily targets apps from financial institutions in the UK, but there have also been victims in the US, Germany, Spain, Finland, South Korea, and Singapore. “The recent campaigns conducted by threat actors deploying the Anatsa banking trojan highlight the risks faced by Android users, in multiple geographic regions, who downloaded these malicious applications from the Google Play store,” Zscaler says.
“Trojan apps are those that seem harmless, such as a simple game, but secretly perform undesirable actions in the background,” Kaspersky’s experts explained in a previous warning. “They include a benign component that allows the app to function as intended and a hidden harmful component, such as sending premium SMS messages from your device without your knowledge.”