In a recent discovery, cybersecurity researchers have identified a new Android banking malware campaign targeting users in North America. The campaign utilizes a trojan known as Anatsa, which is distributed through malicious apps on Google’s official app marketplace. The malware appears as a fake “PDF Update” for a document viewer app and displays a deceptive overlay when users try to access their banking application, claiming it is temporarily suspended for maintenance.
Anatsa, also referred to as TeaBot and Toddler, has been active since at least 2020 and is known for targeting mobile banking customers in the United States and Canada. The malware is distributed through legitimate apps on the Google Play Store and is capable of stealing credentials through overlay and keylogging attacks, as well as conducting Device-Takeover Fraud (DTO) to initiate fraudulent transactions.
The Anatsa campaigns follow a well-established process where a legitimate app is published on the app store to gain a user base before deploying an update with malicious code embedded. This code then downloads and installs Anatsa on the device, allowing the attackers to steal credentials from targeted financial institutions and conduct fraudulent transactions.
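The publish-clean-then-push-malicious-update pattern described above leaves a trace that a defender can check for: the update's manifest declares capabilities the original release never needed. The following Python script is an added example, not code from ThreatFabric or from the article; it parses two constructed AndroidManifest.xml snippets (a clean first release and a later update of a hypothetical document-viewer app) and reports newly added permissions or service declarations that match the dropper, overlay and keylogging behaviour the article attributes to Anatsa. The permission and action strings are real Android identifiers; the package name, class names and risk notes are assumptions made for the example.

```python
"""Version-to-version manifest drift check for an Android app update.

Constructed example: compares the manifest of a clean first release with the
manifest of a later update and flags capabilities that first appear in the
update and are relevant to dropper / overlay / accessibility-abuse behaviour.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Real Android permission strings; the risk notes are the example author's
# assumptions about why each one matters, not data from the report.
WATCHLIST = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install downloaded APKs (dropper stage)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (overlay)",
    "android.permission.READ_SMS": "can read SMS (one-time code interception)",
    ACCESSIBILITY_PERM: "accessibility service (keylogging / remote control)",
}


def parse_manifest(xml_text: str) -> dict:
    """Extract requested permissions and accessibility-service declarations."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # it is not requested via <uses-permission>, so it must be checked separately.
    services = {
        svc.get(NAME_ATTR)
        for svc in root.iter("service")
        if svc.get(PERM_ATTR) == ACCESSIBILITY_PERM
    }
    return {"permissions": perms, "accessibility_services": services}


def manifest_drift(old_xml: str, new_xml: str) -> list:
    """Return human-readable findings for watchlisted capabilities the update adds."""
    old, new = parse_manifest(old_xml), parse_manifest(new_xml)
    findings = []
    for perm in sorted(new["permissions"] - old["permissions"]):
        if perm in WATCHLIST:
            findings.append(f"added {perm}: {WATCHLIST[perm]}")
    for svc in sorted(new["accessibility_services"] - old["accessibility_services"]):
        findings.append(f"added accessibility service {svc}: {WATCHLIST[ACCESSIBILITY_PERM]}")
    return findings


# Constructed manifests for a hypothetical app; names are not from the article.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Document Viewer"/>
</manifest>"""

NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Document Viewer">
    <service android:name=".UpdateService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for line in manifest_drift(OLD_MANIFEST, NEW_MANIFEST):
        print(line)
```

The check is deliberately version-relative: a permission is only interesting when it appears in an update after a clean first release, which is exactly the sequence the article describes, and it avoids flagging apps that legitimately requested such capabilities from day one.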
One unique aspect of Anatsa is its cyclical nature, where attacks are interspersed with periods of no activity to evade detection. A recent app targeting North American users masqueraded as a Document Viewer and was published by a developer named “Hybrid Cars Simulator, Drift & Racing.” The app quickly gained popularity, reaching the top spot in the “Top Free – Tools” category before being removed from the Play Store.
ThreatFabric, the Dutch mobile security company that reported on the Anatsa campaign, advises organizations in the financial sector to review the provided intelligence and assess any potential risks or impacts on their customers and systems. The malware’s increasing focus on exploiting financial entities in the United States highlights the need for heightened security measures to protect against such threats.
