A new Android malware campaign has been observed pushing the Anatsa banking trojan at banking customers in the US, UK, Germany, Austria and Switzerland since early March 2023.
“The perpetrators behind Anatsa aim to steal credentials used to authorize customers in the mobile banking application and perform Device Takeover fraud (DTO) to initiate fraudulent transactions,” ThreatFabric said in an analysis published Monday.
The Dutch cybersecurity firm said the Anatsa dropper apps it found on the Google Play Store had obtained more than 30,000 installations to date, indicating that official app storefronts have become an effective distribution vector for the malware.
Anatsa, also known by the names TeaBot and Toddler, first appeared in early 2021 and has been observed masquerading as seemingly harmless utility apps such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to siphon user credentials. It has since become one of the most prolific banking malware families, targeting more than 400 financial institutions worldwide.
The trojan includes backdoor capabilities to steal data, and it also performs overlay attacks to steal credentials and logs user activity by abusing the permissions it obtains for the Android accessibility service APIs. It can then bypass existing fraud control mechanisms to make unauthorized transfers of funds.
“Because the transaction is initiated from the same device that the target bank’s customer normally uses, it has been reported that it is very difficult for the banking anti-fraud system to detect it,” ThreatFabric noted.
In a recent campaign ThreatFabric observed, the dropper apps, once installed, made requests to GitHub pages that pointed to other GitHub URLs hosting the malicious payloads, which were passed off as app add-ons to trick victims. Users are reportedly steered to these apps through advertisements.
A notable aspect of the dropper is its use of the restricted “REQUEST_INSTALL_PACKAGES” permission, which has repeatedly been abused by malicious apps distributed through the Google Play Store to install additional malware on infected devices. The names of the apps are as follows –
- All Docs Reader & Editor (com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
- All Documents Reader and Viewer (com.muchlensoka.pdfcreator)
- PDF Reader – Edit & View PDF (lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
- PDF Reader & Editor (com.proderstarler.pdfsignature)
- PDF Reader & Editor (moh.filemanagerrespdf)
All five of the dropper apps in question are said to have been updated after their initial publication, possibly a stealthy attempt to sneak in malicious functionality after the app had passed the review process with its initial submission.
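As an added triage example (not code from ThreatFabric or the article), the script below flags the five dropper package names listed above in `adb shell pm list packages` output, and inspects a decoded AndroidManifest.xml for the two capabilities the report describes: the dropper’s REQUEST_INSTALL_PACKAGES permission and the payload’s bound accessibility service. The sample `pm` output and manifest are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Package names of the five dropper apps named in the report above.
ANATSA_DROPPER_PACKAGES = {
    "com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs",
    "com.muchlensoka.pdfcreator",
    "lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools",
    "com.proderstarler.pdfsignature",
    "moh.filemanagerrespdf",
}

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def known_droppers(pm_output: str) -> list:
    """Return known Anatsa dropper packages present in `pm list packages` output."""
    found = []
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)", line.strip())
        if m and m.group(1) in ANATSA_DROPPER_PACKAGES:
            found.append(m.group(1))
    return sorted(found)


def risky_capabilities(manifest_xml: str) -> dict:
    """Report whether a decoded manifest requests REQUEST_INSTALL_PACKAGES
    (second-stage install, as the dropper does) and/or declares a service bound
    with BIND_ACCESSIBILITY_SERVICE (what the Anatsa payload abuses)."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    accessibility = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    return {
        "request_install_packages": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
        "accessibility_service": accessibility,
    }


# Constructed sample inputs (not captured from a real device).
SAMPLE_PM_OUTPUT = "package:com.android.chrome\npackage:com.muchlensoka.pdfcreator\npackage:com.example.notes\n"
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application><service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""

if __name__ == "__main__":
    print(known_droppers(SAMPLE_PM_OUTPUT))      # ['com.muchlensoka.pdfcreator']
    print(risky_capabilities(SAMPLE_MANIFEST))   # both flags True
```

A hit on either manifest flag alone is common in legitimate apps (file managers, accessibility tools); the combination, plus an app updated after publication, is what merits a closer look.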
The top countries targeted by Anatsa, ranked by the number of financial applications targeted, are the US, Italy, Germany, UK, France, UAE, Switzerland, South Korea, Australia and Sweden. Also on the list are Finland, Singapore and Spain.
“The latest campaign by Anatsa reveals the evolving threat landscape facing banks and financial institutions in today’s digital world,” said ThreatFabric. “The recent Google Play Store distribution campaign (…) demonstrates the enormous potential for mobile fraud and the need for proactive action to counter such threats.”