Attacks involved luring targets into downloading five apps on the Google Play Store with more than 100,000 total installations, which were later updated to become droppers for the Anatsa trojan, according to a ThreatFabric report. All apps were also discovered to have exploited Accessibility Services only for Samsung devices, averted all restricted settings in Android 13, and concealed malicious activity through a multi-stage approach. "These actors prefer concentrated attacks on specific regions rather than a global spread, periodically shifting their focus. This targeted approach enables them to concentrate on a limited number of financial organizations, leading to a high number of fraud cases in a short time," said ThreatFabric.