
Global attack on mobile banking: Anatsa trojan infects Google Play

Sophisticated malware aims to steal sensitive data from more than 600 banking applications via malicious droppers on Google Play


Android users in at least five countries have been targeted by the Anatsa banking trojan through malicious dropper apps uploaded to Google Play. The campaign was reported by ThreatFabric, a company that specializes in detecting mobile threats. The droppers identified, which together reached more than 30,000 installs through the app store, were programmed to send a request to a GitHub page to retrieve a URL from which the final payload, also hosted on GitHub, was then downloaded.

A sophisticated infection chain in Google's sights

The first dropper was discovered in March 2023, disguised as a PDF reader application, with the trojan posing as an add-on for it. Google removed the malicious application shortly after being alerted, but a second dropper, also in the guise of a PDF reader and using the same infection chain, surfaced a month later. After that one was removed as well, another (again a PDF reader) appeared within a month, and two more (both document readers) were identified in May and June.

Sophisticated tools and global goals

According to ThreatFabric, the most recent dropper was still available for download on Google Play at the time of the report. The security firm notes that each of the identified droppers received an update at some point, presumably to add the malicious functionality only after the app had passed the initial review. The analysis also suggests that the threat actors may publish several apps on the store simultaneously under different developer accounts: only one acts maliciously, while the others serve as backups to be activated once the active one is taken down. The current campaign targets banks in the US, UK, Germany, Austria and Switzerland, but the Anatsa trojan's target list includes more than 600 mobile banking applications worldwide.

Theft of sensitive information and fraudulent transactions: the insidious modus operandi of the trojan

Users were lured to the malicious applications via advertisements that directed them to Google Play, which may have created a false sense of security, since the app came from the official store. Using overlays, the malware can steal sensitive information such as credentials, credit card details, and balance and payment information, which the threat actors then use to initiate fraudulent transactions through device takeover (DTO) fraud. Because the transactions are initiated from the same device the bank customer uses on a regular basis, they are very difficult for bank anti-fraud systems to detect. ThreatFabric, which has been monitoring Anatsa since 2020, also found that the versions of the trojan used in this campaign can target over 90 new mobile banking applications from Finland, Germany, Singapore, Spain and South Korea. Although the droppers were not distributed in all of these countries, this points to plans to target those regions.


06/28/2023 09:16

Editorial AI
