Android Malware Targeting Financial Apps Has Been Downloaded 90,000 Times

NEW YORK–An Android banking malware campaign that has leveraged a trojan named Anatsa to target users in North America using malicious apps published on Google’s official app marketplace has been downloaded 90,000 times, according to a new report. 

The malware, disguised as a “PDF Update” to a document viewer app, has been “caught serving a deceptive overlay when users attempt to access their banking application, claiming the service has been temporarily suspended as part of scheduled maintenance,” Hacker News reported.

Third Time’s Not a Charm

“This marks at least the third instance of Anatsa focusing its operations on mobile banking customers in the United States and Canada,” Dutch mobile security company ThreatFabric said in a report shared with The Hacker News. “As with previous campaigns, Anatsa is being distributed via the official Google Play Store.”

Anatsa, also referred to as TeaBot and Toddler, has been known to be active since at least 2020, typically delivered to victims via dropper apps, Hacker News stated. 

According to the report, earlier last year, Anatsa was found to have targeted Android device users in Slovakia, Slovenia, and Czechia by first uploading benign apps masquerading as PDF readers and phone cleaners to the Play Store and then introducing malicious code a week after release.

Stealing Credentials

“Like other Android banking trojans, Anatsa is capable of providing its operators with features designed to steal credentials through overlay and keylogging attacks, and conduct Device-Takeover Fraud (DTO) to initiate fraudulent transactions from victim’s devices,” according to the ThreatFabric report cited by Hacker News. 

“ThreatFabric said Anatsa campaigns follow a predictable, but well-oiled, process that involves establishing a developer profile on the app store and then publishing a legitimate app that works as advertised,” the report added. 

“Once the application gains a substantial user base – often in the thousands or tens of thousands of downloads – an update is deployed, embedding malicious code into the app,” the report explained. “This embedded code downloads and installs Anatsa on the device as a separate application.”

It added that the malware then receives a dynamic list of targeted financial and banking institutions from an external server, enabling the attackers to perform credential theft for account takeover, keylogging, or fully automated transactions using DTO.

A ‘Crucial Factor’

ThreatFabric’s analysis found that a “crucial factor” allowing Anatsa to evade detection while maintaining a high success rate is its cyclical nature, in which bursts of attacks are interspersed with periods of no activity.

A newly discovered app targeting North American audiences, the report added.
