Researchers have spotted a mobile malware campaign called Anatsa, targeting banking apps, which have been observed targeting users in the U.S., the U.K. and Central Europe.
The banking Trojan is distributed through malicious apps in the Google Play Store and is estimated to have had over 30,000 installations since March. Anatsa has advanced device-takeover capabilities that can circumvent existing fraud control mechanisms.
Active since 2020, the current campaign is targeting banking apps, particularly in Germany. The target list includes almost 600 financial applications worldwide, with malware stealing customers’ mobile banking application credentials to initiate fraudulent transactions.
Once installed, Anatsa makes a request to a page hosted on GitHub, where the dropper obtains a URL to download the payload, also hosted on GitHub. The payloads masquerade as an add-on to the original application.
Researchers reported it to Google, and it was removed from the Play Store. However, a month later, those behind Anatsa returned with a new app posing as a PDF viewer, with malware masquerading as an add-on.
The researchers note that the choice of disguise for these malicious applications observed confirms the trend seen for droppers on Google Play. Droppers tend to impersonate file-management-related applications.
The new app was reported to Google again and removed, but in the ultimate game of Whac-A-Mole, every time the apps were removed, new apps appeared.
The researchers note that the speed at which the actors return with a new dropper after the previous one is removed is notable in itself, given that the coding can take anywhere from a few days and several weeks.