Anatsa Banking Trojan Targets Banks in US, UK and DACH Region

Threat actors using the notorious banking Trojan Anatsa have launched a new campaign targeting banks in the US, UK and the DACH region (Germany, Austria and Switzerland).

According to a new blog post by ThreatFabric, this ongoing campaign started around March 2023 and has witnessed over 30,000 installations of the malware so far.

The security experts highlighted Anatsa’s advanced capabilities, particularly its Device-Takeover Fraud (DTO) feature: because fraudulent transactions are initiated from the victim’s own device, the malware can bypass various fraud control mechanisms employed by financial institutions.

At a more basic level, the Trojan’s primary objective is to steal credentials used in mobile banking applications and initiate fraudulent transactions.

The distribution of Anatsa occurs through dropper applications hosted on the Google Play Store. These droppers masquerade as legitimate applications, such as PDF readers, to deceive users. ThreatFabric’s analysts have observed a rapid release of droppers, with new ones appearing shortly after the previous ones are removed from the store.


Once a device is infected, Anatsa collects sensitive information through overlay attacks and keylogging, compromising credentials, credit card details and other payment-related data.

While Anatsa has previously targeted different regions, this campaign demonstrates a specific focus on the DACH region, particularly Germany.

Additionally, ThreatFabric said the threat actors behind Anatsa had updated their target list to include nearly 600 financial applications worldwide.

The security firm added that the latest Anatsa campaign is a stark reminder of the evolving threat landscape faced by banks and financial institutions in the digital era.

“The recent Google Play Store distribution campaigns targeting US, DACH, and UK regions demonstrate the immense potential for mobile fraud and the need for proactive measures to counter such threats,” reads the blog post.

Commenting on the news, a Google spokesperson said that all of these identified malicious apps have been removed from Google Play and the developers have been banned.

"Google Play Protect also protects users by automatically removing apps known to contain this malware on Android devices with Google Play Services."

The publication of the ThreatFabric advisory comes months after Cleafy security researchers discovered a new Android banking Trojan in several malicious campaigns worldwide.

UPDATE: This article was updated on June 29th to include a comment by Google.
