Attackers using the notorious banking Trojan Anatsa have launched a new campaign targeting banks in the US, UK and DACH regions (Germany, Austria and Switzerland).
According to a new ThreatFabric blog post, the ongoing campaign began around March 2023 and has seen over 30,000 malware installations so far.
Security experts highlighted Anatsa’s advanced features, especially its Device Takeover (DTO) fraud capability, which allows it to bypass various fraud control mechanisms employed by financial institutions.
At a more basic level, the main purpose of this Trojan is to steal credentials used by mobile banking applications and initiate fraudulent transactions.
Anatsa is distributed through dropper applications hosted on the Google Play Store. These droppers masquerade as legitimate applications such as PDF readers to trick users. ThreatFabric analysts have observed a rapid release cadence, with new droppers appearing shortly after previous ones have been removed from the store.
Once infected, Anatsa gathers sensitive information through overlay attacks and keylogging to compromise credentials, credit card details, and other payment-related data.
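The overlay technique mentioned above works by drawing a fake window on top of the real banking screen and passing the victim's taps through to it. Android gives app developers a framework-level defence: a view can refuse touch events that arrive while another window covers it. The Kotlin snippet below is an added illustration written for this article, not code from ThreatFabric or from any banking application; it assumes a login layout named activity_login with a password EditText whose resource id is password (both hypothetical identifiers).

```kotlin
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.MotionEvent
import android.view.View
import android.widget.EditText
import androidx.appcompat.app.AppCompatActivity

// Illustration only: a login screen that declines input delivered through an
// overlay window. Resource identifiers below are assumed, not real.
class LoginActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_login)
        hardenAgainstOverlays(findViewById<EditText>(R.id.password))
    }

    private fun hardenAgainstOverlays(sensitiveField: View) {
        // 1. Ask the framework to discard touches that arrive while another
        //    window fully covers this view (events carrying
        //    MotionEvent.FLAG_WINDOW_IS_OBSCURED). A fake login form drawn on
        //    top of the real one can then no longer relay taps into this field.
        sensitiveField.filterTouchesWhenObscured = true

        // 2. Fully obscured touches never reach this listener once the filter
        //    is on. What remains is the partially obscured case, where a
        //    smaller window sits over part of the screen; Android reports that
        //    with a separate flag from API 29 (Android 10) onwards.
        sensitiveField.setOnTouchListener { _, event ->
            val partiallyObscured =
                Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
                (event.flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
            if (partiallyObscured) {
                // Another window is on top while the user taps the password
                // field: drop the event and record the signal for fraud telemetry.
                Log.w(TAG, "touch on password field while another window is on top; ignored")
                true // consume the event so the EditText never sees it
            } else {
                false // normal touch: let the EditText handle it
            }
        }
    }

    companion object {
        private const val TAG = "OverlayGuard"
    }
}
```

The same protection can be declared in XML with android:filterTouchesWhenObscured="true" on the sensitive views. Note that this only blocks touch relaying through an overlay; credentials typed into a convincing fake screen that never forwards taps, and keystrokes captured by an abused accessibility service, need separate controls such as accessibility-service checks and server-side transaction risk scoring.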
Anatsa has previously targeted various geographies, but this campaign shows a particular focus on the DACH region, specifically Germany.
Additionally, ThreatFabric said the threat actor behind Anatsa has updated its target list to add nearly 600 financial applications worldwide.
The security firm added that the latest Anatsa attack is a stark reminder of the evolving threat landscape facing banks and financial institutions in the digital age.
“Recent Google Play Store distribution campaigns targeting the US, DACH and UK regions demonstrate the immense potential of mobile fraud and the need to be proactive to combat such threats,” the blog post reads.
The disclosure comes months after Cleafy security researchers discovered a new Android banking Trojan in several malicious campaigns around the world.