A mobile malware campaign targeting banking apps has been observed targeting users in the U.S., U.S. and Central Europe.
Dubbed “Anatsa” by researchers at ThreatFabric B.V., the banking Trojan is distributed through malicious apps in the Google Play Store and is estimated to have had over 30,000 installs since March. Anatsa has advanced device-takeover capabilities that can circumvent existing fraud control mechanisms.
The malware is said to have been active since 2020 but has shifted focus over the years, with the current campaign targeting banking apps, particularly in Germany. According to the researchers, Anatsa’s target list includes almost 600 financial applications worldwide, with the malware stealing customers’ mobile banking application credentials to initiate fraudulent transactions.
Once installed, Anatsa makes a request to a page hosted on GitHub, where the dropper obtains a URL to download the payload – also hosted on GitHub. The payloads masquerade as an add-on to the original application.
After first detecting the campaign in March, the ThreatFabric researchers reported it to Google and it was removed from the Play Store. However, a month later, those behind Anatsa returned with a new app posing as a PDF viewer, with the malware masquerading as an add-on.
The researchers note that the choice of disguise for these malicious applications observed confirms the trend we see for droppers on Google Play – droppers tend to impersonate file-management-related applications.
The new app was reported to Google again and removed, but in the ultimate game of whack-a-mole, every time the apps were removed, new apps appeared. The researchers note that the speed at which the actors return with a new dropper after the previous one is removed is notable in itself, given that the coding can take anywhere from a few days and several weeks.
“It is crucial for companies to remain vigilant regarding the ever-evolving capabilities of attackers who constantly innovate their methodologies,” Pedro Fortuna, chief technology officer and co-founder of JaveScript protection company Jscrambler S.A., told SliconANGLE. “Similarly, users must exercise caution when downloading apps from stores and should not assume that if an app is available in the store, it is inherently safe—an assumption that is not always accurate.”
“In the case of the Anatsa Banking Trojan, the objective is credential theft, but a malicious app installed on your phone can go beyond that and cause significant harm,” Fortuna added.
Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., similarly warned that banking trojans are not only dangerous as they steal credentials and use them to empty bank accounts but due to password reuse across different websites, stolen credentials can also be used in credential stuffing attacks that can be used to gain access to other websites and services as well.
Images: ThreatFabric
Your vote of support is important to us and it helps us keep the content FREE.
One-click below supports our mission to provide free, deep and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
THANK YOU