An ongoing malware campaign has been pushing the Android banking trojan Anatsa to online banking customers in the US, the UK, Germany, Austria, and Switzerland, according to research by cybersecurity firm ThreatFabric.
The threat actors are distributing the malware through Google Play, and the dropper apps had already accumulated more than 30,000 installations as of March. The ongoing campaign focuses on banks in the US, the UK, and the DACH region (Germany, Austria, and Switzerland), while the malware's target list contains almost 600 financial applications from around the world, ThreatFabric said in its research.
“ThreatFabric is aware of multiple confirmed fraud cases, with confirmed losses caused by Anatsa, due to the Trojan’s very advanced device takeover capabilities, which are able to bypass a wide array of existing fraud control mechanisms,” ThreatFabric said.
Multiple droppers on Google Play in four months
In March, the threat actors launched a new malvertising campaign that enticed victims into downloading Anatsa dropper apps from Google Play. Researchers identified the dropper application on the Google Play Store, which posed as a PDF reader and delivered Anatsa to infected devices.
“Once installed, such an application would make a request to a page hosted on GitHub, where the dropper would get the URL to download the payload (also hosted on GitHub). The payloads would masquerade as an add-on to the original application (similar to what we have seen in previous campaigns),” ThreatFabric said.
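The staged fetch described in the quote above (a config page on GitHub, a payload URL read from it, the payload itself pulled from GitHub and then loaded as an "add-on") is what a behavioural detection would key on. The script below is an added example, not ThreatFabric's tooling or code from the dropper: it walks per-app behaviour events and reports how far each package got through that chain. The event format, package names and URLs are constructed, and the GitHub host list and payload extensions are this example's assumptions.

```python
"""Heuristic detector for a staged dropper flow: an app fetches a page from
GitHub, then downloads a payload (also from GitHub) and loads it at runtime.
Added example; event format, packages and URLs below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: GitHub-hosted content arrives from one of these hosts.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
# Assumption: a payload is a file the dropper can execute or unpack.
PAYLOAD_EXTS = (".apk", ".dex", ".jar", ".zip")


@dataclass(frozen=True)
class Event:
    pkg: str     # Android package name of the app that produced the event
    kind: str    # "net" for an outbound HTTP GET, "load" for dynamic code loading
    detail: str  # URL for "net", local file path for "load"


def is_github(url: str) -> bool:
    """True if the URL's host is GitHub or a GitHub content host."""
    host = urlparse(url).netloc.lower()
    return host in GITHUB_HOSTS or host.endswith(".githubusercontent.com")


def dropper_stage(events: list[Event]) -> dict[str, int]:
    """Furthest stage of the dropper flow reached per package:
    0 nothing seen, 1 config page fetched from GitHub, 2 payload fetched from
    GitHub after the config page, 3 that downloaded payload loaded at runtime."""
    stage: dict[str, int] = {}
    for ev in events:
        s = stage.get(ev.pkg, 0)
        if ev.kind == "net" and is_github(ev.detail):
            path = urlparse(ev.detail).path.lower()
            if s == 0 and not path.endswith(PAYLOAD_EXTS):
                s = 1  # first contact: a plain page, not a binary
            elif s == 1 and path.endswith(PAYLOAD_EXTS):
                s = 2  # payload pulled after the config page
        elif ev.kind == "load" and s == 2 and ev.detail.lower().endswith(PAYLOAD_EXTS):
            s = 3      # downloaded code executed in-process
        stage[ev.pkg] = s
    return stage


def suspicious_packages(events: list[Event], min_stage: int = 2) -> list[str]:
    """Packages that at least pulled a payload from GitHub after a config fetch."""
    return sorted(p for p, s in dropper_stage(events).items() if s >= min_stage)


# Constructed sample: a fake "PDF reader" walking the full chain, an app that
# only reads a README from GitHub, and one that loads local code with no GitHub contact.
SAMPLE_EVENTS = [
    Event("com.example.pdfreader", "net", "https://raw.githubusercontent.com/acct/repo/main/cfg.txt"),
    Event("com.example.pdfreader", "net", "https://github.com/acct/repo/releases/download/v1/addon.apk"),
    Event("com.example.pdfreader", "load", "/data/user/0/com.example.pdfreader/files/addon.apk"),
    Event("com.example.docs", "net", "https://raw.githubusercontent.com/acct/other/main/README.md"),
    Event("com.example.notes", "net", "https://api.example.com/sync"),
    Event("com.example.notes", "load", "/data/user/0/com.example.notes/files/plugin.dex"),
]

if __name__ == "__main__":
    for pkg, s in dropper_stage(SAMPLE_EVENTS).items():
        print(f"{pkg}: stage {s}")
    print("suspicious:", suspicious_packages(SAMPLE_EVENTS))
```

Matching payloads by file extension is the weak point: a dropper can name the download anything it likes, so a production rule should look at the downloaded file's magic bytes (the ZIP header of an APK, the `dex\n` header of a DEX) and at the dynamic-loading call itself rather than at the URL path. Stage 1 on its own is not a finding; plenty of legitimate apps read a page from GitHub.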
Shortly after the researchers reported this dropper to Google, it was removed from the store. However, within a month the actors published another dropper, posing as a PDF viewer.
“It was the continuation of the same campaign, as the payloads used in it were the same, still masquerading as an add-on,” ThreatFabric said. Google also removed this dropper, but the attackers soon returned with a new one.
The pattern repeated: each time a dropper was removed, another appeared within a month. Researchers discovered three more droppers in May and June.
“We want to highlight the speed with which the actors return with a new dropper after the previous one is removed: it takes anywhere from a couple of days to a couple of weeks to publish a new dropper application on the store,” ThreatFabric said, adding that at the time of writing a newly discovered Anatsa dropper was still online.
Every dropper was updated some time after its publication date, indicating that the threat actor adds the malicious functionality in a later update rather than in the version first published to the store.
The attack starts with distribution: the payload is delivered through malicious dropper apps on the Google Play Store, and victims are routed to them through advertisements, which raise less suspicion because they lead to the official store.
Once the device is infected, Anatsa collects sensitive information such as credentials, credit card details, account balances, and payment information through overlay attacks and keylogging.
“Anatsa provides them with the capability to perform Device-Takeover Fraud (DTO), which then leads to performing actions (transactions) on the victim’s behalf,” ThreatFabric said.
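The capabilities described above (overlay attacks, keylogging, installing a downloaded payload) leave traces in an app's manifest, which makes a quick static triage possible before any dynamic analysis. The script below is an added example, not ThreatFabric's tooling: it parses a decoded AndroidManifest.xml, as produced by apktool, and reports which of those capabilities the app declares. The two manifests are constructed, and the mapping from capability to permission is this example's assumption (on Android, keylogging is normally built on an accessibility service, and overlays on SYSTEM_ALERT_WINDOW or an accessibility overlay window).

```python
"""Static triage of a decoded AndroidManifest.xml for banker-like capabilities.
Added example; the manifests and the capability mapping are constructed assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Assumption: which <uses-permission> entries indicate which capability.
PERMISSION_CAPABILITIES = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install_payload",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the sorted capability set, and whether the
    overlay + keylogging pair that a credential-stealing banker needs is present."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for perm in root.iter("uses-permission"):
        cap = PERMISSION_CAPABILITIES.get(perm.get(NAME, ""))
        if cap:
            caps.add(cap)
    # A service guarded by BIND_ACCESSIBILITY_SERVICE receives every UI event,
    # including typed text (keylogging), and can draw accessibility overlay
    # windows without SYSTEM_ALERT_WINDOW.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == ACCESSIBILITY_BIND:
            caps.add("keylogging")
            caps.add("overlay")
    return {
        "package": root.get("package"),
        "capabilities": sorted(caps),
        "banker_like": {"overlay", "keylogging"} <= caps,
    }


# Constructed manifest of a "PDF reader" that asks for far more than a PDF reader needs.
FAKE_PDF_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="PDF Reader">
        <activity android:name=".MainActivity"/>
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of a reader that only needs network access.
PLAIN_PDF_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainpdf">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Plain PDF">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (FAKE_PDF_READER, PLAIN_PDF_READER):
        print(triage_manifest(m))
```

Two caveats when using this. Because the droppers were updated after publication, triage the manifest of the latest APK version, not the one first listed on the store. And an accessibility service is a triage signal, not a verdict: screen readers and automation apps declare one legitimately, so a hit should send the sample to dynamic analysis rather than straight to a block list.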
New targets and focus on financial institutions
Anatsa’s activity was first discovered in 2020. The actor’s areas of interest have shifted several times over the years, with continuous updates to the malware's target list.
“This campaign is no exception: we see a strong shift towards targeting banking institutions in the DACH region, specifically in Germany,” ThreatFabric said. The company’s researchers observed three new German banking applications added to Anatsa’s overlay target list during the current campaign.
The target list now includes more than 90 applications that were not on it in August of last year. The new targets include applications from Germany, Spain, Finland, South Korea, and Singapore.
“While the droppers are not distributed in all of these countries, it definitely reveals plans to target those regions,” ThreatFabric said.