Android users in at least five countries have been targeted with the Anatsa banking trojan via malicious droppers uploaded to Google Play, threat detection firm ThreatFabric reports.
The identified droppers, which amassed over 30,000 installs via the application store, were designed to make a request to a GitHub page to fetch a URL that would download the final payload, also from GitHub.
The first dropper was discovered in March 2023, posing as a PDF reader application, with the trojan posing as an addon for it.
Google removed the malicious application shortly after being notified, but a second dropper, also posing as a PDF reader and employing the same infection chain, emerged one month later.
After this malicious application was removed, another dropper (also PDF reader) emerged within one month, with two others (both document readers) identified in May and June. In fact, ThreatFabric says, the most recent dropper is still available for download in Google Play.
According to the security firm, each of the identified droppers received an update at one point in time, likely to add malicious functionality to it.
“Our analysis also reveals that the actors can have several apps published in the store at the same time under different developer accounts, however, only one is acting as malicious, while the other is a backup to be used after takedown,” ThreatFabric notes.
The ongoing campaign targets banks from US, UK, Germany, Austria, and Switzerland, but the Anatsa trojan’s target list contains over 600 mobile banking applications worldwide.
Users were drawn to the malicious applications via advertisements directing them to Google Play, which likely created a false sense of security.
Using overlays, the malware can steal sensitive information such as credentials, credit card data, and balance and payment information, which threat actors then use to initiate fraudulent transactions, via device-takeover fraud (DTO).
“Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect them,” ThreatFabic notes.
The security firm, which has been monitoring Anatsa since 2020, also discovered that trojan iterations used in this campaign can target more than 90 new mobile banking applications from Finland, Germany, Singapore, Spain, and South Korea.
“While the droppers are not distributed in all of these countries, it definitely reveals plans to target those regions,” ThreatFabric notes.
Related: New Android Trojans Infected Many Devices in Asia via Google Play, Phishing
Related: ‘Nexus’ Android Trojan Targets 450 Financial Applications
Related: ‘Schoolyard Bully’ Android Trojan Targeted Facebook Credentials of 300,000 Users
More from Ionut Arghire
- Generative AI Startup Nexusflow Raises $10.6 Million
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
- Cloudflare Users Exposed to Attacks Launched From Within Cloudflare: Researchers
- FBI Warns Organizations of Dual Ransomware, Wiper Attacks
- Lumu Raises $30 Million for Threat Detection and Response Platform
- Cisco Warns of IOS Software Zero-Day Exploitation Attempts
- Russian Zero-Day Acquisition Firm Offers $20 Million for Android, iOS Exploits
Latest News
- Bankrupt IronNet Shuts Down Operations
- AWS Using MadPot Decoy System to Disrupt APTs, Botnets
- Generative AI Startup Nexusflow Raises $10.6 Million
- In Other News: RSA Encryption Attack, Meta AI Privacy, ShinyHunters Hacker Guilty Plea
- Researchers Extract Sounds From Still Images on Smartphone Cameras
- National Security Agency is Starting an Artificial Intelligence Security Center
- CISA Warns of Old JBoss RichFaces Vulnerability Being Exploited in Attacks
- Hackers Set Sights on Apache NiFi Flaw That Exposes Many Organizations to Attacks
