Official forum for Utopia Community
Since the beginning of March 2023, a new Android malware campaign has been seen pushing the Anatsa banking trojan to target banking customers in the US, UK, Germany, Austria, and Switzerland.
According to an analysis by ThreatFabric released on Monday, "the actors behind Anatsa aim to steal credentials used to authorize users in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions."
The official app storefront has turned into an efficient means of spreading the malware, according to the Dutch cybersecurity firm, which claimed that dropper apps for the Google Play Store that have been infected with Anatsa have amassed over 30,000 installations to date.
Banking Trojan named Anatsa.
Anatsa, also known as TeaBot and Toddler, first surfaced in early 2021. It has been observed using two-factor authentication (2FA) apps on Google Play, PDF readers, QR code scanners, and other seemingly innocent utility apps to steal users' credentials. It now targets over 400 financial institutions worldwide, making it one of the most widespread banking malware families.
The trojan performs overlay attacks to steal credentials, log activities, and perform backdoor-like functions to steal data by abusing its permissions to the Android accessibility services API. It can also get around current fraud prevention measures to make unauthorized fund transfers.
ThreatFabric reports that banking anti-fraud systems find these transactions difficult to identify because they are initiated from the same device that the targeted bank customers normally use.
In the most recent campaign that ThreatFabric has observed, the dropper app, once installed, sends a request to a GitHub page that redirects to another GitHub URL hosting the malicious payload, which tries to trick victims by disguising itself as an app add-on. It is speculated that users are led to these apps through dubious advertisements.
The Anatsa Banking Trojan.
Notably, the dropper uses the restricted "REQUEST_INSTALL_PACKAGES" permission, which rogue apps distributed through the Google Play Store have frequently abused to install additional malware on the infected device. The dropper apps and their package names are listed below.
All Document Reader & Editor (com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
All Document Reader and Viewer (com.muchlensoka.pdfcreator)
PDF Reader - Edit & View PDF (lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
PDF Reader & Editor (com.proderstarler.pdfsignature)
PDF Reader & Editor (moh.filemanagerrespdf)
All five of the aforementioned dropper apps are reported to have undergone updates since their initial release, most likely in a covert effort to obfuscate the malicious functionality after passing the initial app review process.
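As an added triage example (not from the original post or from ThreatFabric), the following script flags installed apps that either match the dropper package names listed above or request the REQUEST_INSTALL_PACKAGES permission, working from captured `adb shell pm list packages -3` and `adb shell dumpsys package <pkg>` output. The sample captures embedded below are constructed to resemble that output format and are not real device data.

```python
import re

# Dropper package names quoted in the post (ThreatFabric report).
KNOWN_DROPPERS = {
    "com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs",
    "com.muchlensoka.pdfcreator",
    "lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools",
    "com.proderstarler.pdfsignature",
    "moh.filemanagerrespdf",
}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

def parse_package_list(pm_output):
    # `pm list packages` prints one 'package:<name>' line per installed app.
    return [m.group(1) for m in re.finditer(r"^package:(\S+)", pm_output, re.M)]

def requested_permissions(dumpsys_output):
    # Collect entries under 'requested permissions:' in `dumpsys package` output
    # until the next section header (a line ending in ':') or a blank line.
    perms, inside = set(), False
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            inside = True
        elif inside and (not stripped or stripped.endswith(":")):
            break
        elif inside:
            perms.add(stripped.split(":")[0])
    return perms

def triage(pm_output, dumpsys_by_pkg):
    # Return {package: [reasons]} for installed apps worth a closer look.
    findings = {}
    for pkg in parse_package_list(pm_output):
        reasons = []
        if pkg in KNOWN_DROPPERS:
            reasons.append("matches dropper package name from the report")
        if INSTALL_PERM in requested_permissions(dumpsys_by_pkg.get(pkg, "")):
            reasons.append("requests REQUEST_INSTALL_PACKAGES")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample captures in the shape of the two commands' output (not real data).
SAMPLE_PM = "package:com.example.notes\npackage:com.proderstarler.pdfsignature\npackage:com.example.sideloader\n"
SAMPLE_DUMPSYS = {
    "com.example.notes": "    requested permissions:\n      android.permission.INTERNET\n    install permissions:\n",
    "com.proderstarler.pdfsignature": "    requested permissions:\n      android.permission.INTERNET\n      android.permission.REQUEST_INSTALL_PACKAGES\n    install permissions:\n",
    "com.example.sideloader": "    requested permissions:\n      android.permission.REQUEST_INSTALL_PACKAGES\n",
}
```

Calling `triage(SAMPLE_PM, SAMPLE_DUMPSYS)` reports the listed dropper on both counts and the hypothetical sideloader on the permission alone; a hit on the permission is a lead for review, not proof of infection, since legitimate app stores and file managers also request it.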
The US, Italy, Germany, the UK, France, the UAE, Switzerland, South Korea, Australia, and Sweden are among the top nations that Anatsa is interested in, according to the volume of financial applications targeted there. Finland, Singapore, and Spain are also on the list.
ThreatFabric stated that "the latest campaign by Anatsa reveals the evolving threat landscape that banks and financial institutions face in today's digital world." It added: "The most recent Google Play Store distribution campaigns [...] highlight the enormous potential for mobile fraud and the demand for preventative measures to deal with such threats."