
Since early March 2023, we have observed a new Android malware campaign pushing the Anatsa banking Trojan targeting banking customers in the US, UK, Germany, Austria, and Switzerland.
“The attackers behind Anatsa aim to steal credentials used to authenticate customers in mobile banking applications and perform device takeover fraud (DTO) to initiate fraudulent transactions,” ThreatFabric said in an analysis published Monday.
The Dutch cybersecurity firm said that the Anatsa dropper apps on the Google Play store have been installed more than 30,000 times so far, making the official app storefront an effective distribution vector for the malware.

Anatsa, also known as TeaBot and Toddler, first appeared in early 2021 and has been observed stealing users’ credentials under the guise of seemingly harmless utility apps such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play. Since then, it has become one of the most prolific banking malware families, targeting more than 400 financial institutions worldwide.
The Trojan has data-stealing, backdoor-like functionality and also abuses permissions to Android’s Accessibility Service APIs to perform overlay attacks that steal credentials and log user activity. Additionally, it can bypass existing anti-fraud mechanisms and carry out fraudulent fund transfers.

“Because the transaction is initiated from the same device that the targeted bank’s customer regularly uses, it is reportedly very difficult for the bank’s anti-fraud systems to detect it,” ThreatFabric pointed out.
In the latest campaign observed by ThreatFabric, once the dropper app is installed, it makes a request to a GitHub page that points to another GitHub URL hosting the malicious payload, which is presented to the victim as an add-on for the app. Users are suspected of being directed to these apps through sketchy advertisements.

A notable feature of this dropper is its use of the restricted “REQUEST_INSTALL_PACKAGES” permission, which allows an app to install additional packages. This permission has been repeatedly abused by rogue apps distributed via the Google Play Store to install additional malware on infected devices. The names of the apps are:
- All Document Readers and Editors (com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
- All Document Reader and Viewer (com.muchlensoka.pdfcreator)
- PDF Reader – Edit & View PDF (lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
- PDF Reader and Editor (com.proderstarler.pdfsignature)
- PDF reader and editor (moh.filemanagerrespdf)
All five dropper apps in question are said to have been updated since their initial publication, presumably to introduce the malicious functionality only after the apps had passed the review process upon initial submission.
The list of top countries of interest to Anatsa, based on the number of financial applications targeted, includes the United States, Italy, Germany, the United Kingdom, France, the UAE, Switzerland, South Korea, Australia and Sweden. Finland, Singapore and Spain are also on the list.
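The two traits described above, a document-viewer app that holds REQUEST_INSTALL_PACKAGES and registers an Accessibility Service, are visible in an app’s manifest before it ever runs. The following added example (not ThreatFabric’s tooling or code from the report) shows a small static triage check: it parses a constructed AndroidManifest.xml, as you would get from a decoded APK, flags those two declarations, and matches the package name against the five dropper package names listed in the report. The manifest content and package name com.example.pdfviewer.constructed are constructed for the example.

```python
"""Static triage of an Android manifest for the dropper traits in the report.

Added example, not ThreatFabric's tooling. Given a decoded AndroidManifest.xml
it flags REQUEST_INSTALL_PACKAGES (side-loading a second-stage payload) and any
Accessibility Service declaration (overlay / device-takeover capability), and
matches the package name against the dropper packages named in the report.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANDROID_NAME = f"{{{ANDROID_NS}}}name"
ANDROID_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Package names of the five Google Play droppers listed in the report.
KNOWN_DROPPER_PACKAGES = frozenset({
    "com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs",
    "com.muchlensoka.pdfcreator",
    "lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools",
    "com.proderstarler.pdfsignature",
    "moh.filemanagerrespdf",
})

INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def assess_manifest(manifest_xml: str) -> dict:
    """Return triage findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")

    # Every <uses-permission android:name="..."/> the app asks for.
    requested = {el.get(ANDROID_NAME, "") for el in root.iter("uses-permission")}

    # An Accessibility Service is a <service> guarded by the
    # BIND_ACCESSIBILITY_SERVICE permission.
    accessibility_services = [
        svc.get(ANDROID_NAME, "")
        for svc in root.iter("service")
        if svc.get(ANDROID_PERMISSION) == ACCESSIBILITY_PERMISSION
    ]

    findings = {
        "package": package,
        "known_dropper": package in KNOWN_DROPPER_PACKAGES,
        "requests_install_packages": INSTALL_PERMISSION in requested,
        "accessibility_services": accessibility_services,
    }
    # A document viewer has no legitimate need for both a side-loading
    # permission and an Accessibility Service; either alone still merits review.
    if findings["known_dropper"] or (
        findings["requests_install_packages"] and accessibility_services
    ):
        findings["risk"] = "high"
    elif findings["requests_install_packages"] or accessibility_services:
        findings["risk"] = "medium"
    else:
        findings["risk"] = "low"
    return findings


# Constructed sample manifest (not taken from any real dropper): a "PDF reader"
# that requests side-loading and registers an accessibility service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfviewer.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="PDF Reader">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in assess_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run against the manifests of apps already present on managed devices (for instance after pulling and decoding them), the check gives a quick first pass: a hit on the known package list is an immediate removal, and the permission combination is a reason to look at what the app downloads after install.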
“Anatsa’s latest campaign reveals the evolving threat landscape facing banks and financial institutions in today’s digital world,” said ThreatFabric. “The recent Google Play Store distribution campaign […] demonstrates the immense potential of mobile fraud and the need for proactive measures to combat such threats.”