Android users in at least five countries have been targeted with the Anatsa banking trojan via malicious droppers uploaded to Google Play, threat detection firm ThreatFabric reports.
The identified droppers, which amassed over 30,000 installs via the application store, were designed to make a request to a GitHub page to fetch a URL that would download the final payload, also from GitHub.
The first dropper was discovered in March 2023, posing as a PDF reader application, with the trojan posing as an addon for it.
Google removed the malicious application shortly after being notified, but a second dropper, also posing as a PDF reader and employing the same infection chain, emerged one month later.
After this malicious application was removed, another dropper (also PDF reader) emerged within one month, with two others (both document readers) identified in May and June. In fact, ThreatFabric says, the most recent dropper is still available for download in Google Play.
According to the security firm, each of the identified droppers received an update at one point in time, likely to add malicious functionality to it.
“Our analysis also reveals that the actors can have several apps published in the store at the same time under different developer accounts, however, only one is acting as malicious, while the other is a backup to be used after takedown,” ThreatFabric notes.
The ongoing campaign targets banks from US, UK, Germany, Austria, and Switzerland, but the Anatsa trojan’s target list contains over 600 mobile banking applications worldwide.
Users were drawn to the malicious applications via advertisements directing them to Google Play, which likely created a false sense of security.
Using overlays, the malware can steal sensitive information such as credentials, credit card data, and balance and payment information, which threat actors then use to initiate fraudulent transactions, via device-takeover fraud (DTO).
“Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect them,” ThreatFabic notes.
The security firm, which has been monitoring Anatsa since 2020, also discovered that trojan iterations used in this campaign can target more than 90 new mobile banking applications from Finland, Germany, Singapore, Spain, and South Korea.
“While the droppers are not distributed in all of these countries, it definitely reveals plans to target those regions,” ThreatFabric notes.