
Latest news with #PlayProtect

Anatsa Trojans Strike U.S. and Canadian Mobile Bankers

Arabian Post

09-07-2025


Security analysts have uncovered a new campaign delivering the Anatsa Android banking trojan to users in the U.S. and Canada via a seemingly legitimate app on Google Play. This marks the third major wave of North American targeting by the threat actor, raising fresh concerns around mobile banking security.

The malicious app, masked as a 'Document Viewer – File Reader,' gained traction in the U.S. top-three list for free tools before being weaponised roughly six weeks after its initial May release. Downloads reached at least 50,000 before Google removed the app in early July.

Anatsa's operators employ a proven two-stage infiltration tactic: a benign-looking utility app is first published, allowed to amass users, then updated to include a dropper that silently installs the trojan. Once deployed, Anatsa connects to a command-and-control server to retrieve configuration files listing targeted banking apps. The malware is capable of credential harvesting through keystroke logging and overlay screens, and can perform automated device-takeover fraud. A newly identified overlay message reads, 'Scheduled Maintenance … enhancing our services,' blocking customer access to banking apps and delaying detection.

This campaign is noteworthy for its expanded U.S. bank target list. ThreatFabric has confirmed the inclusion of major institutions such as JPMorgan, Capital One, TD Bank and Charles Schwab in the trojan's hit-list.

Analysts warn that Anatsa's operators are evolving their methods. Cequence CISO Randolph Barr anticipates future variants may use 'AI-personalised overlays' to bypass multi-factor authentication or employ real-time modular payloads loaded post-installation.

This campaign parallels earlier Anatsa outbreaks: one in mid-2024 affected around 70,000 users in Europe by mimicking QR code and PDF reader apps, and June 2023 saw North American infections of approximately 30,000.

Google has removed the fraudulent app and Play Protect has flagged similar threats. Users are urged to uninstall the Document Viewer–style app, run full scans via Play Protect, and reset any banking credentials. Experts recommend cautious scrutiny of app permissions, developer credentials, and user reviews—even for apps from official stores. Financial institutions are advised to intensify monitoring of anomalous login activity and deploy alerts for account takeover patterns.

Mobile banking continues to lure sophisticated trojans like Anatsa. As its operators refine their techniques and broaden geographic targeting, both end users and institutions face growing responsibility to defend against a landscape where even official marketplaces are not fool-proof.

If This App Is Installed On Your Smartphone, Delete It Now

Forbes

08-07-2025


Delete this app today.

'Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform,' Google says. Maybe so. But a malicious threat that has been flagged many times in the past has just been found on Play Store again, attacking thousands of Android phones and putting users at risk.

This should not happen. But it does. Even with some of the most prolific threats targeting Android users. As is the case this time around with Anatsa, a banking trojan that hijacks apps on your phone to steal your credentials and then your money.

If your phone is infected with this malware, when you open your banking app you'll see an overlay screen telling you the app is down for scheduled maintenance. But this fake overlay simply obscures the app as it is being attacked in the background.

The developers behind the malware publish legitimate apps on Play Store and leave them alone while they garner downloads and (real or fake) reviews. Then the app is updated with the malware onboard. At that point the attacks start.

Delete this app immediately.

The latest warning comes courtesy of ThreatFabric, which has been tracking Anatsa for years. The app you need to delete if it's installed on your phone is 'Document Viewer — File Reader,' the exact type of free app from unknown sources you should avoid.

ThreatFabric 'has been monitoring Anatsa's activity since 2020 and recognizes the group as one of the most prolific operators in the mobile crimeware landscape. Their campaigns have consistently demonstrated a high level of success.'

The latest iteration of Anatsa has targeted users in North America, securing tens of thousands of installs. Anatsa returns repeatedly with these same tactics. Enabling Play Protect is critical, but also take care as to the number of free apps you install. Just days ago, we saw a warning from Satori as hundreds of apps were also found on Play Store attacking phones, in that instance with adware.

Anatsa is more dangerous, but the advice to stay safe is broadly the same. If you do have the app installed, then check your accounts and change your passwords to be safe. Google has deleted the app from Play Store and will have updated Play Protect. But you need to delete it from your phone as well.

Google could soon protect your Android device from dangerous PWAs and WebAPKs (APK teardown)

Android Authority

08-07-2025


Aamir Siddiqui / Android Authority

TL;DR

  • Google could soon extend Play Protect to scan PWAs and WebAPKs during installation.
  • This new feature could protect users from malicious PWAs used for phishing and data theft.

Google has been silently protecting most Android devices through Google Play Protect, scanning the apps that users have installed, and warning them of nefarious ones. While platform-native apps remain the most popular method to access a service, Progressive Web Apps (PWAs) remain a good web-centric alternative. Unfortunately, bad actors will exploit any medium they can lay their hands on, and it becomes imperative for Google to protect its user base. We've now spotted code that suggests that Google Play Protect will start scanning Progressive Web Apps during installation to check for security issues, adding one more layer of security for users.

An APK teardown helps predict features that may arrive on a service in the future based on work-in-progress code. However, it is possible that such predicted features may not make it to a public release.

Google Play Store v46.9.20-31 includes the following code:

    PlayProtect__enable_gpp_install_verification_for_pwa

Here, PWA refers to Progressive Web Apps. The flag would enable Play Protect to verify the PWAs during their installation.

Yes, PWAs can be installed on a device, usually through an 'Add to Home screen' button from the browser app. If you do this through Chrome on Android, you get a WebAPK, which gives the PWA a space in your app drawer (in addition to the space on the home screen) and integrates it more deeply into the Android system than a regular PWA.

We also spotted code bits hinting at WebAPK scanning:

AssembleDebug / Android Authority

While the code mentions scanning PWAs and WebAPKs, it doesn't explain why Google would want to do so. There have been reports of malicious actors using PWAs and WebAPKs to phish and steal user information, so it's possible that Google could be aiming to protect its users from such phishing attempts by proactively warning them whenever a bad PWA or WebAPK is installed.

There are plenty of other questions to answer, like how PWA and WebAPK scanning would work if this does roll out. For usual apps distributed through the Play Store, Google already has an extensive database of apps against which it can check for tampering and other threats through Play Protect. Such a database is difficult to envisage for the entirety of the PWA universe, so we're curious to know how Google plans to approach this if it goes ahead.

PWA and WebAPK scanning are not currently available in Play Protect, and Google has not announced the feature either. We'll update you when we learn more.

Stealth app Catwatchful caught spying on thousands of phones, leak reveals emails, passwords and its own admin

India Today

03-07-2025


A stealth app called Catwatchful has allegedly been caught in its own trap after a major security flaw exposed sensitive data of both its users and victims. The app, which disguises itself as a child-monitoring tool, has been silently stealing data from thousands of Android phones – including photos, messages, location details, and even live audio from microphones and cameras. But a newly discovered vulnerability has turned the tables.

Canadian security researcher Eric Daigle found that Catwatchful's database was completely exposed online due to a misconfigured, unauthenticated API. This meant that anyone could access sensitive data, including the email addresses and plain-text passwords of over 62,000 customers, along with private phone data from more than 26,000 victims.

The majority of affected devices were located in countries like India, Mexico, Colombia, Peru, Argentina, Ecuador, and Bolivia. The exposed data includes records dating as far back as 2018.

In a blog post, Daigle explained that Catwatchful operates by being manually installed on a victim's device by someone with physical access – often a romantic partner or family member – making it a form of stalkerware.

Daigle's investigation also revealed that Catwatchful used Google Firebase to host stolen data, like users' photos and real-time audio recordings. Upon being alerted, Google said it had added Catwatchful to its Play Protect tool to warn Android users of the spyware.

The breach didn't just expose victims, it also revealed the identity of Catwatchful's operator. The developer behind the spyware was identified as Omar Soca Charcov, a software engineer residing in Uruguay, according to a report by TechCrunch. Charcov's details, including his personal email, phone number, and even the Firebase web address used to store stolen data, were found in the database. Charcov's LinkedIn profile used the same email address found in the spyware data, as per the report. He reportedly also linked his personal email account to the administrator account for Catwatchful, making it easy to trace him as the operator.

Following the discovery, Daigle informed the hosting provider for Catwatchful's API, which briefly suspended the spyware's services. However, the API later returned via HostGator. Google is apparently reviewing whether Catwatchful violated its Firebase terms, but at the time of writing the story, the app's database remains online.

Urgent warning over new mobile attack that allows hackers to see INSIDE your banking app and hijack your accounts

Scottish Sun

22-06-2025


A new malware allows criminals to hack into your device

AN URGENT warning has been issued over a new mobile attack that allows hackers to hijack your bank accounts. A dangerous new version of malware, or malicious software, allows criminals to see inside your banking apps and steal your money.

The new Android "Godfather" malware creates an isolated virtual environment on mobile devices, according to BleepingComputer. Hackers can then steal your account data and transactions from legitimate banking apps. Malicious apps are executed inside the controlled virtual environment, enabling real-time spying, credential theft and transaction manipulation. This can all happen when you're none the wiser as it maintains perfect visual deception.

The tactic is similar to the FjordPhantom malware seen in 2023 but experts warn that the Godfather is much broader in scope. It targets over 500 banking, cryptocurrency and e-commerce apps worldwide.

Zimperium, a world leader in mobile security, says that the level of deception is very high. The user is able to see the real app but the Android protections don't pick up the malicious operation underway.

Once active on the device, the malware checks for installed target apps and places them inside its virtual environment. The malware tricks Android into thinking that a legitimate app is being run while actually intercepting and controlling it. A victim will launch their banking app and see the real app interface but all of their sensitive data can easily be hijacked.

The Godfather malware can then record account credentials, passwords, PINs and capture responses from your bank. This is because the malware tricks the victim by displaying a fake lock screen to trick them into entering their passwords and PIN numbers. Once criminals have harvested that data, they can then trigger payments inside the real banking app. The victim might see a fake "update" screen or a black screen to evade suspicion.

The Godfather malware was first discovered in March 2021 and has seen a significant evolution. In December 2022, analysts found that it could target over 400 apps across 16 countries. Although the campaign analysts spotted only targets a dozen Turkish banking apps, Godfather operators could opt to target over 500 apps worldwide.

To protect yourself it's advised that you only download apps from Google Play or from app publishers you trust. Android users should also ensure that Play Protect is active and pay attention to the requested permissions.
