New Android banking Trojan targets US, UK, and Germany

By Apurva Venkat, Special Correspondent

News | Jun 27, 2023 | 4 mins

Android Security, Malware

The threat actors are distributing their malware via the Play Store, and already had over 30,000 installations as of March.


Credit: Google/JR Raphael

An ongoing malware campaign has been pushing the Android banking Trojan, Anatsa, to online banking customers in the US, the UK, Germany, Austria, and Switzerland, according to research by cybersecurity firm ThreatFabric.

The threat actors are distributing their malware via the Play Store and already had over 30,000 installations as of March. The ongoing campaign focuses on banks in the US, the UK, and the DACH region, while the malware's target list contains almost 600 financial applications from all over the world, ThreatFabric said in its research.

“ThreatFabric is aware of multiple confirmed fraud cases, with confirmed losses caused by Anatsa, due to the Trojan’s very advanced device takeover capabilities, which are able to bypass a wide array of existing fraud control mechanisms,” ThreatFabric said.

Multiple droppers on Google Play in four months

In March, the threat actors launched a new malvertising campaign that would entice victims to download Anatsa dropper apps from Google Play. Researchers identified the dropper application on the Google Play Store used to deliver Anatsa on infected devices, posing as a PDF-reader application.

“Once installed, such an application would make a request to a page hosted on GitHub, where the dropper would get the URL to download the payload (also hosted on GitHub). The payloads would masquerade as an add-on to the original application (similar to what we have seen in previous campaigns),” ThreatFabric said.
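As an added example (not from the article or from ThreatFabric), the following Python heuristic runs over a constructed per-app egress log and flags the staging pattern quoted above: an app fetches a small text resource from GitHub and then, shortly afterwards, pulls a binary payload from GitHub. The log format, package names, paths and time window are invented for this illustration.

```python
"""Flag the two-stage dropper pattern: text resource from GitHub, then a
binary payload from GitHub within a short window. Constructed log format
(hypothetical, one event per line):
    <epoch_seconds> <package_name> <host> <path> <content_type>
"""
from collections import defaultdict

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com",
                "objects.githubusercontent.com"}
PAYLOAD_TYPES = {"application/vnd.android.package-archive",
                 "application/octet-stream", "application/zip"}
WINDOW_SECONDS = 300  # assumed window between config fetch and payload fetch

def parse_line(line):
    ts, pkg, host, path, ctype = line.split(maxsplit=4)
    return {"ts": int(ts), "pkg": pkg, "host": host.lower(),
            "path": path, "ctype": ctype.lower()}

def find_staged_downloads(lines, window=WINDOW_SECONDS):
    """Return (package, config_path, payload_path) for every app that fetched
    a text/* resource from GitHub followed, within `window` seconds, by a
    payload-typed download from GitHub. Heuristic: benign apps that update
    from GitHub releases can match too, so treat hits as triage leads."""
    by_pkg = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        if ev["host"] in GITHUB_HOSTS:
            by_pkg[ev["pkg"]].append(ev)
    hits = []
    for pkg, events in by_pkg.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            if not first["ctype"].startswith("text/"):
                continue
            for second in events[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break  # events are sorted; nothing later can match
                if second["ctype"] in PAYLOAD_TYPES:
                    hits.append((pkg, first["path"], second["path"]))
                    break
    return hits

# Constructed sample log: the first app matches, the second is outside the window.
SAMPLE_LOG = """\
1688000000 com.example.pdfreader raw.githubusercontent.com /u/r/main/cfg.txt text/plain
1688000012 com.example.pdfreader objects.githubusercontent.com /u/r/releases/addon.apk application/vnd.android.package-archive
1688000020 com.example.notes raw.githubusercontent.com /u/r/main/README.md text/plain
1688000500 com.example.notes raw.githubusercontent.com /u/r/main/theme.zip application/zip
"""
```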

Shortly after the researchers reported this dropper to Google, it was removed from the store. However, within a month the actors published another dropper, posing as a PDF viewer.

“It was the continuation of the same campaign, as the payloads used in it were the same, still masquerading as an add-on,” ThreatFabric said. Google also removed this dropper. However, the attackers soon reappeared with a new one.

The pattern was repeated twice: each time a dropper was removed, another appeared within a month. Researchers discovered three more droppers in May and June.

“We want to highlight the speed with which the actors return with a new dropper after the previous one is removed: it takes anywhere from a couple of days to a couple of weeks to publish a new dropper application on the store,” ThreatFabric said, adding that at the time of writing, a new Anatsa dropper was discovered, and it is still online.

Every dropper was updated sometime after the publication date, indicating that the threat actor is adding malicious functionality.

Threat actors start with the distribution phase, in which the payload is delivered through malicious apps on the Google Play Store. Victims are routed there through advertisements, which look less suspicious to them because they lead to the official store.

Once the device is infected, Anatsa can collect sensitive information such as credentials, credit card details, balance, and payment information via overlay attacks and keylogging.

“Anatsa provides them with the capability to perform Device-Takeover Fraud (DTO), which then leads to performing actions (transactions) on the victim’s behalf,” ThreatFabric said.

New targets and focus on financial institutions

Anatsa’s activity was first discovered in 2020. There have been multiple changes in the actor’s areas of interest over the years, with continuous updates to its target list.

“This campaign is no exception: we see a strong shift towards targeting banking institutions in the DACH region, specifically in Germany,” ThreatFabric said. The company’s researchers observed three new German banking applications added to Anatsa’s overlay target list during the current campaign.

The list of targeted applications included more than 90 new targets compared with August of last year. The updated list included targets in Germany, Spain, Finland, South Korea, and Singapore.

“While the droppers are not distributed in all of these countries, it definitely reveals plans to target those regions,” ThreatFabric said.
