Cyber fraud analysts at cyber security firm, ThreatFabric found an Android banking Trojan known as Anatsa on June 26. This malware steals the financial data of Android users when they download banking apps, which have over 30,000 downloads. This malware has affected several countries. ThreatFabric discovered the Anatsa Trojan two years ago, but it has emerged again lately.
Analysts discovered this android Trojan while monitoring multiple ongoing dropper campaigns happening at Google Play Store. As per Trend Micro, “Droppers are programs designed to extract other files from their own code. Typically, these programs extract several files into the computer to install a malicious program package”.
As per the report, Anatsa Trojan is very dangerous because it can “bypass a wide array of existing fraud control mechanisms” as it has “very advanced Device-Takeover capabilities”. This ongoing dropper campaign has affected around 600 banking applications in countries. The malware steals the information of the users of these inflected banking apps, such as credit card information, login credentials, PIN numbers etc. Then it initiates fraudulent transactions by performing Device-Takeover Fraud (DTO). The affected users are mainly from the UK, US, Germany, Austria, and Switzerland.
This Trojan is truly nefarious as it dupes users into downloading legitimate-looking banking apps. It also bypasses anti-fraud systems used by banks for the identification of automated, illegitimate transactions.
Cyber fraud analysts of ThreatFabric came to know about the emergence of Anatsa in March of this year. The analysts identified a dropper app on the Google Play Store, which was used to infect devices by pretending as a PDF reader application.
After installing such inflected apps, it would then “make a request to a page hosted on GitHub, where the dropper would get the URL to download the payload (also hosted on GitHub)”. These payloads disguise as an add-on to the original application.
When this app was reported, Google immediately pulled it down from the store, but after a month, it again got listed as a PDF viewer. The analysts discovered three more droppers in May and June.
As per the report by ThreatFabric, this latest Anatsa campaign reveals the threats faced by banks and financial institutions are evolving continuously. The only way to safeguard from this malware is to physically uninstall the app from the Android device.
It’s important to note that Android device has been facing continuous threats from cyber criminals through malware. Malware attacks planned by hackers are not new to the digital age, as we have witnessed them from time to time. Recently, a new Trojan malware called SpinOk was discovered, and reportedly it affected as many as 101 applications on Google Play Store.
Researchers have claimed that these malware attacks are in the form of advertisements and looks like a third-party attack. The motive of the hackers is to target the personal data of individuals. The malware or software module is equipped with spyware functionality. It can collect information on files stored on devices and is capable of transferring them to malicious actors. It can also substitute and upload clipboard contents to a remote server.
This month even Indian Computer Emergency Response Team or CERT-In released an advisory report stating that an Android malware named “Daam” infects mobile phones is spreading. This virus can access private information like call logs, contacts, history, and cameras. The advisory stated that the virus is capable of “bypassing anti-virus programs and deploying ransomware on the targeted devices”.
According to the CERT, the Android botnet is spread through third-party websites or apps downloaded from dubious or unknown sources. The advisory states, “Once it is placed in the device, the malware tries to bypass the security check of the device, and after a successful attempt, it attempts to steal sensitive data and permissions such as reading history and bookmarks, killing background processing, and reading call logs etc”.
