Data Breaches
June 28, 2023

Anatsa banking trojan used to steal banking info from UK and US users

In a mobile malware campaign that emerged in March 2023, an Android banking trojan known as Anatsa has been targeting online banking customers across the United Kingdom, the United States, Germany, Austria, and Switzerland.

The attackers behind Anatsa have been distributing their malware through the Google Play Store, Android's official app store, accumulating over 30,000 installations through this method alone since March 2023.

Initially surfacing in early 2021, Anatsa, also referred to as TeaBot and Toddler, has strategically disguised itself as seemingly harmless utility applications such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps within the Google Play Store. This trojan was installed over 300,000 times by unsuspecting users in the previous campaign.

By posing as everyday utilities, the malware collects users' credentials without raising suspicion. Since it emerged, Anatsa has gained notoriety as one of the most prolific banking malware families, targeting nearly 600 financial institutions worldwide.

The trojan exhibits backdoor-like functionality: it exfiltrates data and performs overlay attacks (drawing a fake login screen over the genuine banking app) to capture credentials. Abusing the permissions granted to it for Android's accessibility services API, it also logs user activity. It is able to bypass existing fraud controls, enabling unauthorised fund transfers.

Looking at the latest Anatsa campaign

After six months of seemingly no activity in malware distribution, the threat actors released a new campaign that leads victims to download Anatsa dropper apps from Google Play.

Persistently masquerading as office/productivity tools, the apps continue to cunningly disguise themselves as PDF viewer and editor applications, as well as comprehensive office suites.

Previously, upon receiving reports, Google swiftly removed the app from its store, and the attackers responded just as quickly by uploading a new dropper under a different name.

In each of the five instances involving the identified malware droppers, the apps were initially submitted to Google Play in an innocent state. However, they later underwent updates to incorporate malicious code, presumably to avoid Google's rigorous code review process during the initial submission.

Once installed on the target device, the dropper apps fetch an external resource hosted on GitHub, from which they download the Anatsa payload disguised as a seemingly harmless text recogniser add-on for Adobe Illustrator.

Anatsa, through the utilisation of overlaying phishing pages and keylogging techniques, gathers crucial financial data encompassing bank account credentials, credit card information, payment details, and more. Presently, the Anatsa trojan has expanded its capabilities, enabling it to target an extensive range of approximately 600 financial applications affiliated with banks worldwide.
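The two techniques described above and in the earlier paragraph on the trojan's functionality, overlay phishing pages and abuse of the accessibility services API, both have counter-measures that a targeted banking app can apply on its own screens. The following is an added example written for this article, not code from the article, from Anatsa or from any banking app; it uses only Android framework APIs, and the activity, layout and view identifiers (`LoginActivity`, `R.layout.activity_login`, `R.id.login_submit`) are hypothetical.

```java
// Added example (not from the article): defensive checks a banking app can run on
// its own login screen against overlay phishing and accessibility-service abuse.
// Android framework APIs only; the activity, layout and view names are hypothetical.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

public class LoginActivity extends Activity {
    private static final String TAG = "LoginHardening";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);      // hypothetical layout
        View submit = findViewById(R.id.login_submit); // hypothetical view id

        // 1. Overlay defence: with this flag set, the framework discards touches
        //    that pass through a window drawn on top of this one, so a tap on a
        //    fake button drawn by an overlay cannot reach the real one.
        submit.setFilterTouchesWhenObscured(true);

        // 2. Belt and braces: if a touch still arrives while another window covers
        //    this activity, record it and refuse to submit credentials.
        submit.setOnTouchListener((v, event) -> {
            if (isObscured(event)) {
                Log.w(TAG, "touch received while window obscured; possible overlay");
                return true; // consume the event; the click never fires
            }
            return false;
        });
    }

    @Override
    protected void onResume() {
        super.onResume();
        // 3. Accessibility-service inventory: the trojan logs activity through the
        //    accessibility API, so record which packages currently hold that
        //    capability and let app policy decide (warn the user, require
        //    step-up authentication, or block high-risk transactions).
        for (String pkg : enabledAccessibilityServicePackages(this)) {
            Log.i(TAG, "enabled accessibility service: " + pkg);
        }
    }

    /** True if the touch was delivered while another window obscured this one. */
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partly = Build.VERSION.SDK_INT >= 29
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partly;
    }

    /** Package names of every accessibility service the user has enabled. */
    static List<String> enabledAccessibilityServicePackages(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> packages = new ArrayList<>();
        if (am == null) return packages;
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            if (info.getResolveInfo() != null && info.getResolveInfo().serviceInfo != null) {
                packages.add(info.getResolveInfo().serviceInfo.packageName);
            }
        }
        return packages;
    }
}
```

Two caveats for anyone adopting this: enabled accessibility services are a signal, not proof of compromise, because screen readers and other assistive tools legitimately use the same API, so the list should feed a risk decision rather than a hard block; and the obscured-touch flags only cover touch input, so credential fields still need the usual protections (no clipboard exposure, no screenshots via `FLAG_SECURE`) against the keylogging the article describes.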

Leveraging the pilfered information, Anatsa orchestrates on-device fraudulent activities by initiating the victim's banking app and conducting transactions on their behalf. This automated process streamlines the money-stealing endeavours for the trojan's operators.

After acquiring the stolen funds, Anatsa proceeds to convert them into cryptocurrency. Subsequently, an intricate network of money mules, strategically located within the targeted countries, facilitates the transfer of these funds. These intermediaries retain a portion of the pilfered amount as a revenue share, while the remaining funds are dispatched to the attackers.

Staying safe and remaining vigilant

To minimise risks, it is advisable to steer clear of apps developed by dubious publishers, even if they are available on reputable platforms like Google Play. Prioritise checking user reviews, paying attention to any recurring reports of suspicious activities.

Moreover, it is important to avoid apps with limited installations and reviews, opting instead for well-known applications that are widely recognised and recommended across reputable websites.

When navigating app stores on mobile devices, it can be difficult to gauge whether you are installing a legitimate application from a trusted source. It is especially difficult when sourcing apps for the mobile devices used within your business.

Mobile application penetration testing is a security assessment method that is used to identify weaknesses and vulnerabilities in mobile applications. It involves security specialists following a rigorous methodology to determine the overall security posture of a given application.

This helps organisations and businesses ensure the security and integrity of their mobile applications, safeguard sensitive user data, and protect against potential security breaches.

Whether you're an individual using mobile apps for personal purposes or an organisation relying on them for business operations, ensuring their security is of utmost importance. By embracing mobile application penetration testing and leveraging the expertise of cybersecurity providers like Cybaverse, you can empower yourself with robust app security, safeguard sensitive data, and stay one step ahead of potential threats.
