Discover the evolving threat landscape with Anatsa Android Banking Trojan. Recent Google Play Store campaigns targeting the US, DACH, & UK regions

Continue reading
March 2023 witnessed the identification of an ongoing attack campaign involving the Anatsa Android banking Trojan. This campaign has been predominantly operational in the United States, the United Kingdom, and the DACH region, primarily targeting financial institutions. The consequences of this malicious activity have been severe, leading to confirmed instances of fraud and substantial financial losses. Anatsa poses a significant threat to mobile banking applications, employing sophisticated tactics such as Device-Takeover Fraud (DTO) and overlay attacks. This Threatfeed provides an in-depth analysis of the technical intricacies associated with the Anatsa Trojan, and it is evolving targets, distribution methodologies, and wider implications on the threat landscape.
The primary focus of the Anatsa campaign lies in the banking sector, with a particular emphasis on financial institutions in the United States, the United Kingdom, and the DACH region. The malware's target list encompasses nearly 600 financial applications worldwide. The objective of the threat actors behind Anatsa is to compromise mobile banking applications, steal customer credentials, and execute fraudulent transactions through Device-Takeover Fraud. By bypassing existing fraud control mechanisms, Anatsa can perform illicit actions on behalf of unsuspecting users, making it difficult for banking anti-fraud systems to detect.
Since its discovery in 2020, Anatsa has undergone several modifications in its areas of interest and target selection. The latest campaign witnessed a notable shift in focus toward banking institutions in Germany, specifically in the DACH region. This change aligns with the release of droppers used for malware distribution in those targeted regions.
While the campaign emphasizes Germany, Anatsa remains active in the United States and the United Kingdom, as evidenced by the inclusion of new targeted applications in these regions. In comparison to August 2022, over 90 new applications have been added to the list of targets. Notably, Anatsa's threat actors have expanded their scope to include applications from countries such as Spain, Finland, South Korea, and Singapore. Although the droppers are not distributed in all these countries, including targets suggests the actors' intent explore these regions. This reconnaissance likely allows them to gather insights into the internal structure of banking applications and devise strategies to target specific minority groups residing in the countries associated with these droppers.
The Anatsa campaign's latest iteration commenced in March 2023 after a six-month hiatus. ThreatFabric detected, the presence of a dropper application on the Google Play Store, masquerading as a PDF reader. Once installed, this application would initiate a request to a GitHub-hosted page to obtain the URL for downloading the payload, which was also hosted on GitHub. The payloads disguised themselves as add-ons to the original application, similar to previous campaigns.
Upon reporting the first dropper to Google, it was swiftly removed from the store. However, within a month, the threat actors released another dropper posing as a PDF viewer. The payloads used in this subsequent dropper remained the same, continuing the campaign's progression. This trend of disguising malicious applications as file-management-related tools align with the actors' strategy to leverage pre-existing permissions, such as the "REQUEST_INSTALL_PACKAGES" permission, to install the payload without raising suspicions.
ThreatFabric's team reported the second dropper to Google, leading to its removal from the store. Nevertheless, the cycle repeated, with three additional droppers discovered in May and June 2023. The actors behind Anatsa exhibited remarkable speed in releasing new droppers shortly after the previous ones were taken down.
This approach enables them to maintain long-lasting campaigns while minimizing the time required to publish new dropper applications.
Notably, each dropper underwent updates subsequent to its initial release, often incorporating additional malicious functionalities. This practice, marked with an "Update" tag on the timeline, ensures the threat actors can continue their campaign uninterrupted. By maintaining multiple apps published in the store under different developer accounts, with only one acting as the malicious entity, the actors have a backup ready for deployment in case of takedowns.
Understanding Anatsa's capabilities and activities allows us to construct a fraud "kill chain" that outlines the threat actors' modus operandi. The chain commences with the distribution phase, wherein the payload is delivered through malicious apps available on the Google Play Store. Victims are lured to these apps through deceptive advertisements, often appearing less suspicious as they lead to the official store.

*KILL CHAIN*
Once a device becomes infected, Anatsa employs overlay attacks and keylogging techniques to collect sensitive information, including credentials, credit card details, balance information, and payment data. This information serves as the foundation for subsequent fraudulent activities. Anatsa's advanced capabilities enable the threat actors to perform Device-Takeover Fraud (DTO), enabling them to initiate transactions on behalf of targeted banking customers. The fact that transactions are carried out from the same device typically used by legitimate users adds a layer of complexity to fraud detection systems employed by financial institutions.
Anatsa campaign indicates the ever-evolving nature of the threat landscape confronting banks and financial institutions in our modern digital world. Through their recent distribution campaigns on the Google Play Store, specifically targeting the United States, DACH, and the United Kingdom, Anatsa has brought to light the vast potential for mobile fraud, necessitating the urgent implementation of proactive measures to combat such pervasive threats. Thus effectively combating mobile banking Trojans like Anatsa demands unwavering client-side visibility and adaptability throughout the entire customer journey. By harnessing the power of fraud intelligence and integrating sophisticated SDKs directly within banking applications, institutions can fortify their defenses and proactively safeguard against the ever-present menace of cybercrime.
As we navigate the intricate and rapidly evolving landscape of cybersecurity, banks, and financial institutions must remain vigilant and proactive in their efforts. Only through a comprehensive and multi-faceted approach can we effectively thwart the relentless advances of adversaries and ensure the integrity and security of our digital financial ecosystem.
The following table provides details of the Anatsa droppers discovered during the campaign:
| App name | Package name | SHA-256 |
|---|---|---|
| PDF Reader - Edit & View PDF | lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools | ecce34c0ba83120ccf1f8e1640cd867fbfeb490dbc8a41d1cf8c577d508819c3 |
| PDF Reader & Editor | com.proderstarler.pdfsignature | 128820e1c5d62523f675042da9d1e11af3191217afe308bcc17e51ad8c2ece03 |
| PDF Reader & Editor | moh.filemanagerrespdf | 7231546ee377738cbe9075791eb6e76b7bc163c1b91831e05e81b4756fff4028 |
| All Document Reader & Editor | com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs | 3740e6b4d259efe6a72f503429fb67db96363935a29f7428ccab5b78fa9bee73 |
| All Document Reader and Viewer | com.muchlensoka.pdfcreator | db7df65f2699817fa3ebfb3ebef106a3801a96b
9da1ba6d88e727a253ae34da6 |
These dropper applications masquerade as legitimate PDF readers, editors, or document viewers. However, they contain the Anatsa Trojan payload, which can perform malicious activities on infected devices.

Chinese-speaking TA4922 expands into Europe, deploying new Atlas RAT malware in phishing campaigns targeting organizations across sectors.