Anatsa Android Trojan Now Steals Banking Info From Users in US, UK

Cyber Security Threat Summary:
Researchers at ThreatFabric recently disclosed details of a new mobile campaign that has been pushing Anatsa, an Android banking trojan, to online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland since March 2023. The malware is being distributed through the Google Play Store by masquerading as PDF viewer and editor apps and office suites, with over 30,000 installations in the last few months. Although ThreatFabric reported the malicious applications to Google, which removed them from the Play Store, the attackers were observed uploading new malware samples soon after under the guise of other applications.

“In all five cases of the identified malware droppers, the apps were submitted onto Google Play in clean form and were later updated with malicious code, likely to evade Google's stringent code review process on the first submission. Once installed on the victim's device, the dropper apps request an external resource hosted on GitHub, from where they download the Anatsa payloads masqueraded as text recognizer add-ons for Adobe Illustrator” (Bleeping Computer, 2023).

Security Officer Comments:
For its part, Anatsa is capable of targeting around 600 banking apps around the world, making it a suitable tool for cybercriminals looking to steal funds from victims' accounts. Once executed on a targeted device, the trojan collects financial information such as bank account credentials, credit card details, and payment information by overlaying phishing pages when the user attempts to log into their legitimate banking application. The trojan is also capable of siphoning information via keylogging, recording the keystrokes entered by the user. Once this information is collected, the malware launches the legitimate banking app using the stolen credentials, enabling the operators to make illicit transactions on the victim's behalf. Because the transactions originate from the victim's own device, they are very difficult for banks' anti-fraud systems to distinguish from legitimate activity.

Suggested Correction(s):
"As malware campaigns, such as Anatsa, expand their targeting to other countries, users must be extra vigilant about the apps they install on Android devices. Users should avoid installing apps from dubious publishers, even if those are on a well-vetted store like Google Play. Always check the reviews and see if a pattern of reports indicates malicious behavior. Furthermore, if possible, avoid apps with few installs and reviews and instead install apps that are well-known and commonly cited on websites. As many apps on Google Play have the same name as the malicious apps, it is recommended to check the ThreatFabric report's appendix for the list of package names and signatures that are pushing Anatsa and remove them immediately from your Android device if installed” (Bleeping Computer, 2023).
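The check recommended above (compare the packages installed on a device against the package names listed in the ThreatFabric appendix) can be scripted over a USB-debugging-enabled device. The script below is an added example and is not code from ThreatFabric or Bleeping Computer; the package names in its IOC list are placeholders (an assumption) to be replaced with the names from the report's appendix, and the sample `pm list packages` output is constructed so the matching logic can be exercised offline.

```shell
#!/bin/sh
# Added example: compare installed Android packages with a list of known-bad
# package names (IOCs). The IOC names below are PLACEHOLDERS (assumption);
# replace them with the package names from the ThreatFabric report's appendix.
set -u

# Constructed placeholder IOC list: one package name per line.
IOC_PACKAGES='com.example.pdfviewer.dropper
com.example.officesuite.dropper'

# Constructed sample of `adb shell pm list packages -3` output (third-party apps only).
SAMPLE_PM_OUTPUT='package:com.android.chrome
package:com.example.pdfviewer.dropper
package:com.bank.legit'

# find_ioc_matches PM_OUTPUT IOC_LIST
# Prints every installed package name that appears in the IOC list, one per line.
# Matching is exact and whole-line (grep -F -x), so a benign app whose name merely
# contains an IOC string as a substring is not reported.
find_ioc_matches() {
    pm_output=$1
    ioc_list=$2
    printf '%s\n' "$pm_output" \
        | sed -n 's/^package://p' \
        | while IFS= read -r pkg; do
            if printf '%s\n' "$ioc_list" | grep -Fxq -- "$pkg"; then
                printf '%s\n' "$pkg"
            fi
        done
}

# list_device_packages: query a connected device (requires adb and USB debugging).
# tr strips the CR that adb adds to each line on some hosts.
list_device_packages() {
    adb shell pm list packages -3 | tr -d '\r'
}

# remove_package PKG: uninstall the package for the primary user via adb.
# Review the match list before calling this; it is not invoked automatically.
remove_package() {
    adb shell pm uninstall --user 0 "$1"
}

# Offline demonstration against the constructed sample:
#   sh check_anatsa_iocs.sh --demo
# Against a real device:
#   find_ioc_matches "$(list_device_packages)" "$(cat iocs.txt)"
if [ "${1:-}" = "--demo" ]; then
    find_ioc_matches "$SAMPLE_PM_OUTPUT" "$IOC_PACKAGES"
fi
```

Run with `--demo` to see the matcher report the one placeholder dropper present in the sample output; for a live check, feed `list_device_packages` output and the appendix package names into `find_ioc_matches`, then pass each confirmed match to `remove_package`.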

Link(s):
https://www.bleepingcomputer.com/