Cyber fraud analysts at ThreatFabric spotted a new wave of Google Play Store dropper attacks delivering the Anatsa banking trojan. The attacks are focused on financial institutions from the US, UK, and DACH region.
“The focus of the ongoing campaign is banks from the US, UK, and DACH, while the target list of the malware contains almost 600 financial applications from all over the world. The actors behind Anatsa aim to steal credentials used to authorise customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions,” the researchers said.
Since the start of the campaign in March 2023, ThreatFabric has identified five Anatsa-infected dropper applications in Google Play, with each appearing within a month after the previous one was removed from the official store.
Once a device is infected, Anatsa can collect sensitive data such as credentials, credit card details, and balance and payment information via overlay attacks and keylogging. Anatsa also gives its operators the capability to perform Device-Takeover Fraud (DTO), that is, to carry out actions such as transactions on the victim’s behalf from the victim’s own device.
“Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect it,” the researchers noted.