Banking Trojan Anatsa is behind multiple confirmed fraud cases from Android apps sold on the Google Play Store, according to cybersecurity company ThreatFabric.
With over 30,000 installations, ThreatFabric says that the campaign’s target list contains almost 600 financial applications from all over the world, and its most recent attacks have been centered around the US, the US, Germany, Austria, and Switzerland.
By stealing credentials used to authenticate mobile banking customers and then performing Device-Takeover Fraud, the threat actor has been carrying out fraudulent transactions since Anatsa’s discovery in 2020.
Watch out for this mobile banking malware
Based on the number of targeted applications per country, the US tops the charts. Italy, Germany, the UK, and France round off the top five, and the UAE, Switzerland, South Korea, Australia, and Sweden complete the top 10.
In less than a year, ThreatFabric has added a further 90 applications that have been targeted to spread the money-stealing malware, but don’t be fooled: you don’t need to be downloading a banking app to be affected.
Because people typically have their guard up when it comes to online banking, many of the malware droppers identified by the cybersecurity researchers have posed as PDF viewers. Having informed the Play Store of its findings, ThreatFabric found Google quick to react, but the threat actors just as quick to republish apps of a similar nature.
Sensitive information like credentials, credit card details, balance, and payment information is collected from the infected device. The threat actor then goes on to exfiltrate money through cryptocurrencies and local mules in a Device Takeover attack, which has so far proven challenging for banking anti-fraud systems to catch.
Referring to an evolving threat landscape that baking institutions are having to deal with, Internet users are being urged to remain vigilant when it comes to sharing details with third parties online, including following ads to download apps and content.