Android Malware Targets Banking Apps

John Lister's picture

The latest malware targeting banking users may have infected up to 200,000 Android devices. The criminals behind Anatsa have deliberately exploited what's meant to be a useful feature that makes users' lives easier.

The attacks have some familiar features such as distributing the malware through free tools that perform some basic functions and finding ways around the Android permission system. What makes it a particularly nasty campaign is that it takes advantage of the Android Accessibility system.

Security researchers at ThreatFabric spotted the malware in five apps with similar names: Phone Cleaner - File Explorer, PDF Viewer - File Explorer, PDF Reader - Viewer & Editor, Phone Cleaner: File Explorer, and PDF Reader: File Manager. As is usual in such attacks, the apps appear to perform their advertised features and the problem is instead with their unadvertised activities.

Accessibility Tool Exploited

The attack required users to give permissions for access to specific elements of their phone, including the Accessibility Service. By design, this lets software operate with minimal intervention from the users, something that's very helpful in legitimate cases but potentially risky in the hands of malware scammers.

The request for this permission was "justified" by saying the app needed the ability to "hibernate battery-draining apps." That's an extremely plausible request given the advertised features of the app, so it would be easy for even alert users to be fooled. (Source:

Malware Installed Secretly

Once in placed, the rogue apps would download and install malware designed to capture online banking details. This "dropper" process was broken down into four separate steps carried out at intervals, an approach likely designed to bypass Google's detection programs.

The apps have all been withdrawn from the Google Play Store and thus can't be downloaded or reinstalled. However, as is Google's policy, they will remain installed on user devices until the user removes them.

That prompted a commenter on the LifeHacker site to ask "Why isn't Google automatically sending warnings to Android users who have these apps installed that they can be dangerous and stealing their banking info, if not forcing their deletion outright?" (Source:

What's Your Opinion?

How do you assess whether apps are potentially risky before you install them? Are there particular types of app that you never install? Should Google warn users about rogue apps or even remotely uninstall them?

Rate this article: 
Average: 5 (9 votes)


Dennis Faas's picture

For this reason I don't install many apps on my phone, because you never know what motives are behind them. The only apps I install are the bare minimum required to make my phone useful and only from legit sources (versus an obscure app from a Chinese software developer).

ronangel1's picture

I don't have any apps to do with banking or finance on my phone not even PayPal!
email is also not set up just text messages, and premium rate calls are blocked by the service provider.

Doccus's picture

Is that commenter right that Google isn't sending warnings to the people who actually have those apps installed, of the danger? That would imply that only the people who run into this news by chance even know about the issue. That's really irresponsible of Google, at least IMHO... Financial apps should be the most closely protected of all of them, considering the consequences when misappropriated by hackers.