A new mobile malware campaign using the Anatsa Android banking trojan is stealing bank details from online banking customers in the US, UK, Germany, Austria and Switzerland. According to security researchers at ThreatFabric, the attackers are distributing the malware through the Google Play Store and have reached more than 30,000 installations through this method alone.
ThreatFabric discovered a previous Anatsa campaign on Google Play in November 2021, when the trojan was installed more than 300,000 times by posing as PDF scanners, QR code scanners, Adobe Illustrator apps, and fitness tracker apps.
Watch out! Anatsa Android Trojan is now stealing banking information
In March 2023, after a six-month hiatus in malware distribution, the attackers launched a new campaign that tricked potential victims into downloading Anatsa dropper apps from Google Play. The malicious apps still belong to the office/productivity category and masquerade as PDF viewer and editor apps and office suites.
Whenever ThreatFabric reported a malicious app to Google and it was removed from the store, the attackers quickly bounced back by uploading a new dropper under a new disguise.
Once installed on the victim’s device, the dropper apps contact an external source hosted on GitHub, from which they download the Anatsa payload disguised as a text recognizer add-on for Adobe Illustrator.
Anatsa harvests financial data such as bank account details, credit card details and payment information.
In its current version, the Anatsa trojan supports nearly 600 financial apps from banking institutions around the world.
The stolen funds are converted into cryptocurrency and passed through an extensive network of money mules in the targeted countries, who keep part of the stolen money as a revenue share and send the rest to the attackers.
As malware campaigns such as Anatsa expand their targeting to other countries, users should be more cautious when installing any app on Android devices. Users should avoid installing apps from dubious publishers. In addition, where possible, avoid apps with few installs and ratings and instead install apps that are well known and frequently referenced on reputable websites.