The new Anatsa banking trojan campaign is a mobile malware operation that started last March. This Android banking trojan targets online banking customers in the UK, Austria, Germany, Switzerland, and the United States.
The research group that tracks the malicious activity stated that the attackers are spreading the malware through Play Store and other Android official app stores. Moreover, these malicious applications have gathered about 30,000 installations from the official platforms.
The Anatsa banking trojan has started infecting victims via dropper apps.
Based on reports, the threat actors launched a malvertising campaign last month that resulted in unknowing victims downloading the Anatsa banking trojan from Google Play. The malicious application remained in the office and productivity category in the official app store after posing as a PDF viewer, editor app, and office suite.
Whenever the researchers report a compromised app to Google and it is removed from the store, the malware developers upload a new dropper under a new name, posing as a different tool.
The researchers also explained that the attackers submit clean versions of the apps for release and only add the malicious code in later updates, bypassing Google’s strict code review process. Once installed on the victim’s device, the dropper application then requests an external resource hosted on GitHub.
The unsuspecting users could then download the Anatsa payloads disguised as text recogniser add-ons for Adobe Illustrator.
Once installed, the Anatsa payload could harvest financial information, such as bank account credentials, payment transactions, and credit card details, by overlaying phishing pages in the foreground when the user tries to launch their legitimate banking applications.
The current version of the Anatsa trojan could support targeting about 600 financial apps of banking institutions worldwide. These harvested details could allow Anatsa to execute on-device fraud by running the banking app and performing transactions on the victim’s behalf, automating the money-stealing process for the attackers.
Lastly, the attack ends with the stolen funds being converted to cryptocurrency and passed through an extensive money laundering network in the targeted countries. Android users who use financial apps in the earlier-mentioned countries should be vigilant about downloading sketchy applications.