ECONOMY & WORK
MONEY 101
NEWS
PERSONAL FINANCE
NET WORTH
About Us Contact Us Privacy Policy Terms of Use DMCA Opt-out of personalized ads
© Copyright 2023 Market Realist. Market Realist is a registered trademark. All Rights Reserved. People may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.
MARKETREALIST.COM / NEWS

Anatsa Banking Trojan Spreading Rampantly Through Google Play Store: All You Need to Know

The trojan uses the stolen information to perform fraud by launching the banking app and performing transactions on the victim's behalf.
PUBLISHED FEB 21, 2024
Cover Image Source: Threat actors are using malware droppers disguised as legitimate mobile apps (representative image) | Pexels | Photo by Negative Space
Cover Image Source: Threat actors are using malware droppers disguised as legitimate mobile apps (representative image) | Pexels | Photo by Negative Space

The dangerous banking trojan, Anatsa, is continuing to spread across countries through Google Play Store. Threat actors are using malware droppers disguised as legitimate mobile apps on the store to distribute the trojan to Android users. The trojan targets over 600 mobile banking applications worldwide and has amassed tens of thousands of installs via the application store in the past few months, per ThreatFabric. Here’s all you need to know about Anatsa banking trojan.



 

The malicious apps are disguised as legitimate-looking apps such as PDF viewers, editor apps, and office suites in the office/productivity category. In the latest Anatsa campaign, the malware operators used fake cleaner apps as well as those which promise to free up space on a device by deleting unnecessary files.

ThreatFabric's report highlighted an example of such an app named Phone Cleaner – File Explorer, which marked over 10,000 downloads on the Play Store. Another app called PDF Reader: File Manager also has more than 100,000 downloads, ThreatFabric told BleepingComputer.



 

Once these malicious apps are installed on the victim's device, the dropper apps request an external resource hosted on GitHub to download the Anatsa payloads disguised as text recognizer add-ons for apps such as Adobe Illustrator. Further, the banking trojan collects financial information such as bank account credentials, credit card details and payment information by employing phishing pages when the user attempts to launch their legitimate bank app.

As per reports, Anatsa targets nearly 600 financial apps of banking institutions from around the world. The trojan uses the stolen information to perform fraud by launching the banking app and performing transactions on the victim's behalf. The money-stealing process is automated and goes completely undetected. The stolen amounts are reportedly converted to cryptocurrency and passed through an extensive network of money mules to avoid detection.

The malware developers use a multi-staged infection process to avoid detection from the Play Store. The process includes downloading a DEX file from a remote location which retrieves code for executing malicious actions. When the droppers are uploaded to Google Play, they contain nothing that can flag them as suspicious. The fraudulent actions are executed only after the droppers are installed on a device.

A woman using an Macbook Pro as she uses Google play | Getty Images | Photo by studioEAST
A woman using an Macbook Pro as she uses Google play | Getty Images | Photo by studioEAST

Further, according to ThreatFabric, whenever the malicious app was removed from the store, the attackers returned quickly by uploading a new dropper under a new disguise. The report noted that the dropper applications often regularly reach the top 3 new free applications in Google Play.

The malware-spreading campaign has been going on for over four years and a recent campaign was reportedly launched last year. So far, victims across the European region have downloaded malware droppers over 100,000 times since November. In a previous campaign during the first half of 2023, the malware marked over 130,000 installations of its weaponized droppers for Anatsa from Google's Play Store. In total, Threatfabric estimates the download count to be about 150,000 for Anatsa droppers on Google Play. However, the researchers called it a conservative estimate and stated that the real figure would be closer to 200,000, in a BleepingComputer report.

In the first wave of the campaign, which surfaced in 2020, people across the US, Italy, the United Kingdom, France, Germany, and several other European countries were impacted. Further, as part of the recent campaign that started in November 2023, the attackers expanded their targets to countries like Slovakia, Slovenia, and Czechia.

MORE ON MARKET REALIST
Despite getting a high auction estimate, the owner of the Meiji Period lamp chose to keep it.
9 hours ago
The player, Gabriel Berkowitz pulled off a perfect night winning over $45,000 and a car.
10 hours ago
Harvey showed no mercy after he found out that Sweet Lou Dunbar didn't know how apps work.
14 hours ago
The founder of Plop Star made an unforgettable entry and a sad exit from the show.
1 day ago
The host is otherwise quick to reprimand families for backing absurd answers.
1 day ago
While the Marvel comic book fetched a $50,000 appraisal, Harrison felt it was too rich for him.
1 day ago
Jimmy Alexander became the first player to lose a brand-new car on season 43 of the show.
2 days ago
The contestant, Brianne Peterson got extremely unlucky with her letter picks for the final puzzle.
2 days ago
The guest was told that the Jasper Johns Flag Print wouldn't be valuable but it was worth thousands.
2 days ago
It didn’t help that Alvin Rosales was playfully scolded by the host just before losing the Bonus Round.
3 days ago
The photos featured some looks of the show's legendary former host, Alex Trebek, as well.
3 days ago
The player, Kate Stuntz, pulled off a miraculous win to take home over $68,000 and a trip to Iceland.
3 days ago
The owner couldn’t believe the value of Jane Peterson’s "The Floats" gouache painting.
4 days ago
The player, Callie DeWeese, failed to choose the right letters in the Bonus Round, leading to her loss.
4 days ago
The personal digs at the host have been relentless on the show by producers and players.
4 days ago
The guest had no idea how valuable her grandfathers Dutch tinware coffee pot was.
5 days ago
It wasn't one of Steve Harvey's jokes that cracked Bridget up so bad.
5 days ago
Fans now won't be able to stream more than five most recent episodes of the new season.
5 days ago
Despite the questionable morality of CATE App, Neal Desai managed to partner with two Sharks.
6 days ago
A supplier of Costco's Dubai Styled chocolate issued a notice regarding misinformation of allergens.
6 days ago