
Nefarious Anatsa Android Trojan Caught Stealing Banking Information and Performing On-Device Fraud

The Anatsa banking trojan targets nearly 600 banking apps from several countries on Android smartphones.


Photo Credit: Pixabay/ @neotam

Users who have installed Anatsa trojan-infected apps must manually remove them from their handsets

Highlights
  • Anatsa is being used to target customers in various countries
  • The malware was being spread through the Google Play store via droppers
  • The Anatsa banking trojan can evade fraud detection on real banking apps

Researchers have discovered the use of an Android banking trojan to collect the financial information of users in several countries. The Anatsa trojan, which was previously discovered by the same security research firm two years ago, has been spread via a few apps on the Play Store masquerading as productivity and office apps, with over 30,000 s. The malware creators publish clean apps to Google's app store to evade detection during the initial review, then update them with malicious code. Users who have downloaded these infected applications will have to manually remove them from their smartphones.

Security firm ThreatFabric has published details of the Anatsa banking trojan that infected a few applications on the Play Store that were marketed as "office" apps (for documents and spreadsheets) and PDF viewer and editor apps. After a user installs one of the infected applications, it connects to a GitHub server to download the malware, which poses as an "add-on" for the apps, such as an optical character recognition (OCR) tool for documents and PDFs, according to the firm.


ThreatFabric's list of some of the banking apps affected by the trojan
Photo Credit: Screenshot/ ThreatFabric

 

The banking trojan will then target nearly 600 banking apps from several countries including the Capital One and JP Morgan Mobile apps in the US, as well as banking apps from Australia, , , Italy, the UK, South Korea, Sweden, and Switzerland. It displays a phishing page on the user's screen when they attempt to open their banking app. The malware can then steal credit card information, credentials, and PIN numbers by logging keystrokes.

What makes the Anatsa banking trojan truly nefarious is that it can use the information gleaned from the victim to load the legitimate banking apps and transfer funds from their account. The security firm explains that this makes it difficult for anti-fraud systems used by banks to identify the automated, illegitimate transaction. These funds are then transferred to the Anatsa operators in the form of cryptocurrency, according to ThreatFabric.

| App | Android package name |
|---|---|
| PDF Reader - Edit & View PDF | lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools |
| PDF Reader & Editor | com.proderstarler.pdfsignature |
| PDF Reader & Editor | moh.filemanagerrespdf |
| All Document Reader & Editor | com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs |
| All Document Reader and Viewer | com.muchlensoka.pdfcreator |

 

Users who have installed the "droppers" for the Anatsa trojan, identified by ThreatFabric and listed in the table above, will have to manually uninstall these apps from their smartphones. The apps have already been removed from the Play Store, according to the security firm, which previously discovered the trojan in 2021.
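For anyone checking a device or a fleet inventory against the dropper list, the following is an added example (not from ThreatFabric or the original article) that matches the output of `adb shell pm list packages` against the five package names in the table. The sample listing is constructed, and the function names are illustrative.

```python
# Dropper package names, copied from the table in this article.
ANATSA_DROPPERS = frozenset({
    "lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools",
    "com.proderstarler.pdfsignature",
    "moh.filemanagerrespdf",
    "com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs",
    "com.muchlensoka.pdfcreator",
})

def parse_package_listing(listing):
    """Return the package names found in `pm list packages` output."""
    names = set()
    for raw in listing.splitlines():
        line = raw.strip()  # adb output may carry a trailing carriage return
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        if not fields:
            continue
        # With -f the first field is "<apk path>=<name>", and the path can
        # itself contain '=', so the name is the text after the last '='.
        names.add(fields[0].rpartition("=")[2])
    return names

def find_droppers(listing):
    """Exact-match installed packages against the dropper list."""
    return sorted(parse_package_listing(listing) & ANATSA_DROPPERS)

def removal_commands(listing, serial=None):
    """Build one `adb uninstall` argument list per dropper found."""
    prefix = ["adb"] + (["-s", serial] if serial else [])
    return [prefix + ["uninstall", pkg] for pkg in find_droppers(listing)]

# Constructed sample: plain, -f and -i style lines plus a lookalike name.
SAMPLE_LISTING = (
    "package:com.android.chrome\r\n"
    "package:/data/app/~~Zk3x==/moh.filemanagerrespdf-9aQ==/base.apk"
    "=moh.filemanagerrespdf\r\n"
    "package:com.muchlensoka.pdfcreator  installer=com.android.vending\n"
    "package:com.muchlensoka.pdfcreator.viewer\n"
)

if __name__ == "__main__":
    for cmd in removal_commands(SAMPLE_LISTING):
        print(" ".join(cmd))
```

A clean result only covers the five droppers named here; the trojan payload that a dropper downloads afterwards is a separate package that this list does not identify.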

ThreatFabric notes that even after Google removed the apps infected with the Anatsa trojan, the creators would promptly upload a new version of the app, disguised once again, to the Play Store. In order to stay safe from these nefarious trojans, users should opt for well-known apps and avoid installing those that have a few s, while checking the reviews for reports of theft of information or fraud.


David Delima
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.