QR code scanner that steals banking app data found on Google Play
November 30, 2021
Customers of Sber, Tinkoff, VTB and Raiffeisen could be affected.
Experts at the cybersecurity company ThreatFabric published a large report on the distribution of banking Trojans to Android smartphones through the Google Play store. Anatsa, which is widespread in Russia, was named one of the most dangerous of these malware families.
According to the experts, Anatsa is a fairly advanced Trojan that can carry out classic overlay attacks to steal credentials, capture information from the screen, and intercept all data the user enters.
Anatsa was distributed via applications on Google Play for scanning documents or QR codes. For example, the Free QR Code Scanner app from the publisher QrBarBode LDC, which contains a so-called dropper for downloading the Trojan, was downloaded more than 50,000 times (it has already been removed). In total, Anatsa applications have been downloaded over 100,000 times.
At first these applications look harmless and perform all their advertised functions, but after a while they offer to download an update, and the Trojan arrives on the device with it. Its type is selected based on the smartphone model, Android version and region.
Among the Russian banks whose data could have been stolen by the Anatsa Trojan, ThreatFabric singled out Sberbank, OTP-Bank, Pochta-Bank, Tinkoff, Uralsib, VTB, and Raiffeisen.