
Latest news with #ThreatFabric

Anatsa Trojans Strike U.S. and Canadian Mobile Bankers

Arabian Post

09-07-2025

  • Business
  • Arabian Post

Security analysts have uncovered a new campaign delivering the Anatsa Android banking trojan to users in the U.S. and Canada via a seemingly legitimate app on Google Play. This marks the third major wave of North American targeting by the threat actor, raising fresh concerns around mobile banking security. The malicious app, masked as a 'Document Viewer – File Reader,' gained traction in the U.S. top-three list for free tools before being weaponised roughly six weeks after its initial May release. Downloads reached at least 50,000 before Google removed the app in early July.

Anatsa's operators employ a proven two-stage infiltration tactic: a benign-looking utility app is first published, allowed to amass users, then updated to include a dropper that silently installs the trojan. Once deployed, Anatsa connects to a command-and-control server to retrieve configuration files listing targeted banking apps. The malware is capable of credential harvesting through keystroke logging and overlay screens, and can perform automated device-takeover fraud. A newly identified overlay message reads, 'Scheduled Maintenance … enhancing our services,' blocking customer access to banking apps and delaying detection.

This campaign is noteworthy for its expanded U.S. bank target list. ThreatFabric has confirmed the inclusion of major institutions such as JPMorgan, Capital One, TD Bank and Charles Schwab in the trojan's hit-list. Analysts warn that Anatsa's operators are evolving their methods. Cequence CISO Randolph Barr anticipates future variants may use 'AI-personalised overlays' to bypass multi-factor authentication or employ real-time modular payloads loaded post-installation. This campaign parallels earlier Anatsa outbreaks: one in mid-2024 affected around 70,000 users in Europe by mimicking QR code and PDF reader apps, and June 2023 saw North American infections of approximately 30,000.

Google has removed the fraudulent app and Play Protect has flagged similar threats. Users are urged to uninstall the Document Viewer-style app, run full scans via Play Protect, and reset any banking credentials. Experts recommend cautious scrutiny of app permissions, developer credentials, and user reviews—even for apps from official stores. Financial institutions are advised to intensify monitoring of anomalous login activity and deploy alerts for account takeover patterns.

Mobile banking continues to lure sophisticated trojans like Anatsa. As its operators refine their techniques and broaden geographic targeting, both end users and institutions face growing responsibility to defend against a landscape where even official marketplaces are not foolproof.

This dangerous banking trojan now uses scheduled maintenance to hide its malicious activities — don't fall for this

Tom's Guide

08-07-2025

  • Tom's Guide

Even if you stick to official app stores, you could end up downloading a malicious app, which is exactly what happened to 50,000 Android users who accidentally installed a dangerous banking trojan on their devices. As reported by BleepingComputer, the Anatsa banking trojan is back as part of a new campaign that uses a malicious app posing as a PDF viewer to infect unsuspecting users of the best Android phones.

The discovery was made by security researchers at Threat Fabric who have been tracking Anatsa for years. The banking trojan is often hidden in popular utilities, and to date, it has been downloaded almost a million times. What makes malware like this particularly dangerous is that it's designed to target popular banking and finance apps. From JP Morgan to Capital One to TD Bank and others, Anatsa can impersonate them all, and the banking trojan does this through overlay attacks. While you might think you're logging into your bank account, if your phone is infected, you're actually handing over your credentials to hackers who can then use them to drain your accounts and steal your hard-earned cash.

Here's everything you need to know about this latest Anatsa campaign, including some tips and tricks to help keep you and your devices safe from Android malware.

Although it has since been removed, Threat Fabric's researchers recently found the Anatsa banking trojan hiding in a PDF viewer app on the Google Play Store called 'Document Viewer – File Reader' published by the developer 'Hybrid Cars Simulator, Drift & Racing,' according to a new report. Based on a screenshot of the app's download page taken by the cybersecurity firm, more than 50,000 Android users downloaded this malicious app before it was taken down. If you did download this app, you should stop what you're doing and immediately manually remove it from your phone.

Just like with other malicious apps, Threat Fabric found that this one used a sneaky tactic where the app was 'clean' until it racked up enough users. Once it became popular, though, its creator or hackers who hijacked the app then added malicious code to it via an update. As you might have guessed, this injected code contains the Anatsa banking trojan, which is installed on a vulnerable Android device as a separate app. By connecting to a hacker-controlled server, the malware is able to get a list of targeted apps, then looks for them on the infected device. If any of them are found, then overlay attacks are used to steal user credentials from them.

This latest campaign adds a new trick, though, to prevent users from taking action until it's too late. You know those 'down for scheduled maintenance' error messages you often see when trying to check your account balance? Well, Anatsa now shows them too over your legitimate banking apps to hide its malicious activities in the background, and by the time the message is gone, so too are your banking credentials.

Google has since removed the latest malicious app spreading the Anatsa banking trojan from the Play Store. However, if you did download it, you need to remove it and then run a full system scan using Google Play Protect. Likewise, it's also recommended that you reset your bank credentials just in case they ended up in the wrong hands.

While I often recommend sticking to official app stores and not sideloading apps, this doesn't always work due to malicious apps. For this reason, even if you're extra careful when installing new apps, you could accidentally end up infecting your Android phone with malware. This is why you want to carefully scrutinize any app you're thinking about installing. Check its rating and reviews on the Play Store, and since these can be faked, you also want to look for external reviews on other sites. Video reviews are even better if you can find them, since they give you a chance to see the app in question in action before you download it.

At the same time, you also want to limit the number of apps you have installed on your phone overall. The reason for this is that with fewer apps, you're less likely to have one of the apps you do have installed go bad after an update. Likewise, it's always a good idea to stick to known, trusted developers when installing new apps. You also want to ask yourself if you really need a new app or if one of your existing apps or even your phone itself can accomplish the same functionality.

As for staying safe from Android malware, you want to make sure that Google Play Protect is enabled on your phone. This free and pre-installed security app scans all of your existing apps and any new ones you download for malware to help keep you and your devices safe. However, for extra protection, you may want to consider installing one of the best Android antivirus apps alongside it.

Malicious apps are one of the easiest ways for hackers to establish a foothold on your devices, and as a result, I don't see them going away anytime soon. This is why you always need to be extra careful when installing new apps on your phone, even if they come from official app stores.

If This App Is Installed On Your Smartphone, Delete It Now

Forbes

08-07-2025

  • Forbes

Delete this app today.

'Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform,' Google says. Maybe so. But a malicious threat that has been flagged many times in the past has just been found on Play Store again, attacking thousands of Android phones and putting users at risk. This should not happen. But it does. Even with some of the most prolific threats targeting Android users. As is the case this time around with Anatsa, a banking trojan that hijacks apps on your phone to steal your credentials and then your money.

If your phone is infected with this malware, when you open your banking app you'll see an overlay screen telling you the app is down for scheduled maintenance. But this fake overlay simply obscures the app as it is being attacked in the background. The developers behind the malware publish legitimate apps on Play Store and leave them alone while they garner downloads and (real or fake) reviews. Then the app is updated with the malware onboard. At that point the attacks start.

Delete this app immediately.

The latest warning comes courtesy of ThreatFabric, which has been tracking Anatsa for years. The app you need to delete if it's installed on your phone is 'Document Viewer — File Reader,' the exact type of free app from unknown sources you should avoid. ThreatFabric 'has been monitoring Anatsa's activity since 2020 and recognizes the group as one of the most prolific operators in the mobile crimeware landscape. Their campaigns have consistently demonstrated a high level of success.' The latest iteration of Anatsa has targeted users in North America, securing tens of thousands of installs.

Anatsa returns repeatedly with these same tactics. Enabling Play Protect is critical, but also take care as to the number of free apps you install. Just days ago, we saw a warning from Satori as hundreds of apps were also found on Play Store attacking phones, in that instance with adware. Anatsa is more dangerous, but the advice to stay safe is broadly the same. If you do have the app installed, then check your accounts and change your passwords to be safe. Google has deleted the app from Play Store and will have updated Play Protect. But you need to delete it from your phone as well.

Android malware poses as fake contacts to steal your personal data

Fox News

19-06-2025

  • Fox News

Hacking keeps evolving, just like any other profession. Cybercriminals are always upgrading their tools, especially malware, to find new ways to scam people and steal data or money. The old tricks no longer work as well. Basic phishing rarely fools anyone twice, so hackers constantly look for new ways to break in. They rely on whatever grabs your attention and doesn't raise suspicion, things like social media ads, fake banking apps or updates that look completely normal. One of the fastest-growing threats in this space is Crocodilus. First detected in early 2025, this Android banking Trojan takes over your contact list to make its scams look more legitimate and harder to spot.

The Crocodilus malware was first documented by ThreatFabric cybersecurity researchers in late March 2025. They highlighted its extensive data theft and remote control capabilities. Crocodilus uses Facebook to infect devices. It appears in ads that look normal, but once clicked, the malware installs itself on your device. In some cases, it mimicked banking and e-commerce apps in Poland, promising users free points in exchange for downloading an app. The link led to a fake site that delivered the malware. Although the ad was only live for a few hours, it still reached thousands of users, most of whom were over 35, a group more likely to have money in the bank.

Smaller but growing campaigns have also been reported in the United States, where Crocodilus disguised itself as crypto wallet tools, mining apps and financial services. These fake apps are often distributed through social media ads or phishing links, targeting Android users who are less likely to question a "legit-looking" financial app. While not yet widespread, the presence of Crocodilus in the U.S. underscores its global reach and rapidly evolving tactics. The Trojan has also been spotted in Spain, where it disguised itself as a browser update, targeting nearly every major Spanish bank. In Turkey, it posed as an online casino app. And the threat doesn't stop there.

One of the biggest concerns with Crocodilus is its ability to add fake contacts to your phone, inserting entries like "Bank Support" into your contact list. So, if an attacker calls pretending to be from your bank, your phone may not flag it because it appears to be a trusted number, making social engineering scams much more convincing. The latest version also includes a more advanced seed phrase collector, especially dangerous for cryptocurrency users. Crocodilus monitors your screen and uses pattern matching to detect and extract sensitive data, such as private keys or recovery phrases, all before quietly sending it to the attacker.

Crocodilus shows us what the next wave of mobile threats might look like. It uses real ads to get into your phone. It blends into your digital life in ways that feel familiar. It does not need flashy tricks to succeed. It just needs to appear trustworthy. This kind of malware is designed for scale. It targets large groups, works across different regions and updates fast. It can pretend to be a bank, a shopping app or even something harmless like a browser update. The scary part is how normal it all looks. People are not expecting something this malicious to hide inside something that looks like a gift. The creators of Crocodilus understand how people think and act online. They are using that knowledge to build tools that work quietly and effectively. And they are not working alone. This kind of operation likely involves a network of developers, advertisers and distributors all working together.

1. Avoid downloading apps from ads or unknown sources: Crocodilus often spreads through ads on social media platforms like Facebook. These ads promote apps that look like banking tools, e-commerce platforms or even crypto wallets. If you click and install one, you might be unknowingly downloading malware. Always search for apps directly on trusted platforms like the Google Play Store. Do not install anything from random links, especially those shared through ads, messages or unfamiliar websites.

2. Avoid suspicious links and install strong antivirus protection: Crocodilus spreads through deceptive ads and fake app links. These can look like legitimate banking tools, crypto apps or browser updates. Clicking on them may quietly install malware that hijacks your contacts, monitors your screen or steals login credentials. To stay safe, avoid clicking on links from unknown sources, especially those that promise rewards or warn of urgent problems. Installing strong antivirus software on your Android device adds another layer of protection. It can scan downloads, block malicious behavior and warn you about phishing attempts before they become a bigger issue.

3. Review app permissions carefully before and after installation: Before you install an app, take a moment to look at the permissions it asks for. If a shopping app wants access to your contacts, messages or screen, that is a red flag. After installing, go to your phone settings and double-check what permissions the app actually has. Malware like Crocodilus relies on overreaching permissions to steal data and gain control. If anything seems unnecessary, revoke the access or uninstall the app entirely.

4. Keep your Android device updated at all times: Security patches are released regularly to block known vulnerabilities. Crocodilus is designed to take advantage of outdated systems and bypass newer Android restrictions. By updating your phone and apps regularly, you reduce the chances of malware slipping through. Set your device to install updates automatically when possible and check manually every so often if you are not sure.

5. Consider using a data removal or monitoring service: While not a direct defense against malware, data removal services can help minimize the damage if your information has already been leaked or sold. These services monitor your personal data on the dark web and offer guidance if your credentials have been compromised. In a case like Crocodilus, where malware may harvest and transmit banking info or crypto keys, knowing your data exposure early can help you act before scammers do.

6. Turn on Google Play Protect: Google Play Protect is a built-in security feature on Android phones that scans your apps for anything suspicious. To stay protected, make sure it's turned on. You can check this by opening the Play Store, tapping your profile icon and selecting Play Protect. From there, you can see if it's active and run a manual scan of all your installed apps. While it may not catch everything, especially threats from outside the Play Store, it's still an important first layer of defense against harmful apps like Crocodilus.

7. Be skeptical of unfamiliar contacts or urgent messages: One of the newer tricks Crocodilus uses is modifying your contact list. It can add fake entries that look like customer service numbers or bank helplines. So, if you receive a call from "Bank Support," it might not be real. Always verify phone numbers through official websites or documents. The same applies to messages asking for personal details or urgent logins. When in doubt, do not respond or click any links. Contact your bank or service provider directly.

Crocodilus is one of the most advanced Android banking Trojans seen so far. It spreads through social media ads, hides inside apps that look real and collects sensitive data like banking passwords and crypto seed phrases. It can also add fake contacts to your phone to trick you during scam calls. If you use Android, avoid downloading apps from links in ads or messages. Only install apps from trusted sources like the Google Play Store. Keep your phone updated, and be careful if something looks too good to be true because it probably is.

Who should be held accountable when malware like Crocodilus spreads through platforms like Facebook?

Copyright 2025. All rights reserved.

Urgent warning to all mobile users as crooks plant FAKE contacts for banks – they can even pretend to be mum and dad

Scottish Sun

04-06-2025

  • General
  • Scottish Sun

Cruel cyber crooks have found a way to add fake contacts onto people's phones in an attempt to gain trust and empty bank accounts. Cyber security experts have warned that the scam is a "truly global threat".

Experts believe crooks use it to fake being bank support callers.

The latest danger leads victims to believe they're being called by a trusted person such as their bank, when actually it's the scammers behind it. This means a "bank support" contact will appear on screen, leading targets to believe it's safe. In doing so, bad actors can pretend to be your bank and dupe you into giving access to your account. Technically, they could masquerade as anyone, such as loved ones or friends.

It's all part of an evolved Android malware campaign known as Crocodilus. Hackers can only modify contact lists of those infected by it. "We believe the intent is to add a phone number under a convincing name such as 'Bank Support', allowing the attacker to call the victim while appearing legitimate," experts at Threat Fabric warned. "This could also bypass fraud prevention measures that flag unknown numbers."

The cyber security firm first uncovered Crocodilus targeting people in Turkey in March. But now the company claims it has spread to other countries across the globe.

"With newly added features, Crocodilus is now more adept at harvesting sensitive information and evading detection," Threat Fabric continues. "Notably, its campaigns are no longer regionally confined; the malware has extended its reach to new geographical areas, underscoring its transition into a truly global threat.

"This shift not only broadens the potential impact but also suggests a more organised and adaptive threat actor behind its deployment.

"As Crocodilus continues to evolve, organisations and users alike must stay vigilant and adopt proactive security measures to mitigate the risks posed by this increasingly sophisticated malware."

How to stay safe

As ever, money-grabbing malware of this kind usually comes from apps downloaded outside of the Google Play Store. So it's best to stick to apps from the official platform. It's also important to ensure you have Play Protect switched on as this will help pick up on suspicious activity.
