The Anatsa banking Trojan campaign has been observed increasingly targeting European banks, according to new data from ThreatFabric researchers.
Since its reemergence in November 2023, the Anatsa campaign has manifested in five distinct waves, targeting various regions, including Slovakia, Slovenia and Czechia, alongside previously affected areas like the UK, Germany and Spain.
Notably, the campaign has evolved its tactics since last year, employing sophisticated methods such as AccessibilityService abuse and multi-staged infection processes.
According to an advisory published by ThreatFabric earlier today, Anatsa’s droppers on Google Play have showcased advanced evasion techniques, including dynamic downloading of configuration and malicious executable files from command-and-control (C2) servers.
Despite recently bolstered security measures on Google Play, malicious actors persist in exploiting vulnerabilities, as evidenced by the recent resurgence of the Anatsa campaign.
ThreatFabric revealed the worrying use of manufacturer-specific code, mainly targeting Samsung devices, indicating a tailored approach by threat actors. While presently focused on Samsung, future adaptations are possible to target other manufacturers, underscoring the necessity for vigilance across all device types.
The campaign’s execution flow unveils intricate layers of evasion tactics, including the circumvention of Android 13 restrictions, accentuating the sophistication of contemporary mobile malware.
Financial institutions are urged to educate customers about the risks associated with installing applications, even from official stores, and with enabling AccessibilityService unnecessarily.
“Effective detection and monitoring of malicious applications, along with observing unusual customer account behavior, are crucial for identifying and investigating potential fraud cases linked to device-takeover mobile malware like Anatsa,” reads the advisory.
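As an added illustration of the AccessibilityService check the advice above points at (example code written for this article, not ThreatFabric's tooling), the script below parses the output of two standard `adb shell` commands and flags user-installed apps that have an accessibility service enabled; the sample outputs and package names are constructed, and the output formats are assumed to be the usual ones for those commands.

```python
# Constructed sample output of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries ("null" when none are enabled).
SAMPLE_ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfreader/com.example.pdfreader.core.HelperService"
)

# Constructed sample output of `adb shell pm list packages -3` (third-party apps only).
SAMPLE_THIRD_PARTY = """package:com.example.pdfreader
package:com.example.weather
"""


def parse_enabled_services(raw: str) -> dict[str, list[str]]:
    """Map package name -> enabled accessibility service classes."""
    services: dict[str, list[str]] = {}
    for entry in raw.strip().split(":"):
        if "/" not in entry:  # skips "null" and empty entries
            continue
        pkg, svc = entry.split("/", 1)
        services.setdefault(pkg, []).append(svc)
    return services


def parse_third_party_packages(raw: str) -> set[str]:
    """Collect package names from `pm list packages -3` output."""
    return {line.removeprefix("package:").strip()
            for line in raw.splitlines() if line.startswith("package:")}


def suspicious_accessibility_apps(services_raw: str, packages_raw: str) -> dict[str, list[str]]:
    """Third-party packages with at least one AccessibilityService enabled.

    Not proof of compromise, but the first thing to review on a device
    suspected of banking-trojan infection; system apps such as TalkBack are
    excluded because they do not appear in the third-party package list.
    """
    enabled = parse_enabled_services(services_raw)
    third_party = parse_third_party_packages(packages_raw)
    return {pkg: svcs for pkg, svcs in enabled.items() if pkg in third_party}


if __name__ == "__main__":
    hits = suspicious_accessibility_apps(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY)
    for pkg, svcs in hits.items():
        print(f"REVIEW {pkg}: {', '.join(svcs)}")
```

On a real device, feed the script the live output of the two commands and review each flagged package against what the app legitimately needs accessibility for.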
With over 100,000 total installations across five droppers in the current campaign, the threat posed by Anatsa remains significant, highlighting the importance of continuous monitoring and proactive security measures.