Anatsa Banking Malware
admin 9 months ago
#news

Anatsa Banking Malware Spreads On Google Play Store

In March 2023, a new Anatsa Android banker campaign was launched, this time targeting financial institution clients in the US, UK, Germany, Austria, and Switzerland. The malware entered the Google Play Store and was installed more than 30,000 times from there alone.

As ThreatFabric researchers recall, the last time a banking Trojan penetrated the Google Play store was in 2021. Back then, it masqueraded as PDF scanners, QR code scanners, Adobe Illustrator apps, and fitness trackers, and was downloaded more than 300,000 times as a result.


In March 2023, after a six-month hiatus, the attackers launched a new campaign that lures potential victims into downloading Anatsa droppers from Google Play. As before, the malicious applications are disguised as PDF viewers and editors and office utilities:

  • All Document Reader & Editor (com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
  • All Document Reader and Viewer (com.muchlensoka.pdfcreator)
  • PDF Reader - Edit & View PDF (lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
  • PDF Reader & Editor (com.proderstarler.pdfsignature)
  • PDF Reader & Editor (moh.filemanagerrespdf)
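The package names above are the only indicators the article gives, so the practical first step for a defender is to sweep device inventories for them. The script below is an added example, not code from the article or from ThreatFabric: it parses the output of `adb shell pm list packages -f` (a constructed sample is embedded) and reports any installed package that matches the dropper list on this page. Because the droppers were removed from Google Play, a match on a managed device means the app is still present locally and needs follow-up.

```python
"""Sweep `pm list packages -f` output for the Anatsa dropper package names
listed in the article above.

Added example, not from the article or from ThreatFabric. The package
names come from this page; the `pm list packages -f` output below is
constructed for the demo.
"""
import re

# Dropper package names reported on this page.
ANATSA_DROPPER_PACKAGES = {
    "com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs",
    "com.muchlensoka.pdfcreator",
    "lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools",
    "com.proderstarler.pdfsignature",
    "moh.filemanagerrespdf",
}

# Constructed sample of `adb shell pm list packages -f` output
# (format: package:<apk path>=<package name>).
SAMPLE_PM_OUTPUT = """\
package:/product/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~x1/com.muchlensoka.pdfcreator-abc/base.apk=com.muchlensoka.pdfcreator
package:/data/app/~~x2/com.example.bank-def/base.apk=com.example.bank
package:/data/app/~~x3/moh.filemanagerrespdf-ghi/base.apk=moh.filemanagerrespdf
"""

# The APK path never contains '=', so a non-greedy match up to the last
# '=' safely separates path from package name.
_LINE_RE = re.compile(r"^package:(?P<path>.*?)=(?P<name>[A-Za-z0-9_.]+)$")


def parse_pm_list(text):
    """Return {package_name: apk_path} parsed from `pm list packages -f` output."""
    found = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            found[m.group("name")] = m.group("path")
    return found


def find_anatsa_droppers(text, iocs=ANATSA_DROPPER_PACKAGES):
    """Return a sorted list of (package, apk_path) for installed known droppers."""
    installed = parse_pm_list(text)
    return sorted((name, path) for name, path in installed.items() if name in iocs)


if __name__ == "__main__":
    for name, path in find_anatsa_droppers(SAMPLE_PM_OUTPUT):
        print(f"KNOWN ANATSA DROPPER: {name} ({path})")
```

On a real fleet, feed the script the per-device output of `adb shell pm list packages -f` (or the equivalent package inventory exported by your MDM) instead of the constructed sample; the matching logic is unchanged.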


Although ThreatFabric experts repeatedly reported the malicious applications to Google, which removed them from the store, the attackers quickly returned, uploading a new dropper under a new application name.

In all the cases studied, the applications entered Google Play in a “clean” form, that is, without any malicious code, and only received the malicious functionality through later updates. This is probably what allows the attackers to evade detection and pass Google's checks over and over again.


Once installed on the victim's device, the dropper applications connect to an external resource hosted on GitHub and download the Anatsa payload from there, disguised as an OCR add-on for Adobe Illustrator.
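Because the payload is served under a harmless-looking name, a proxy or sandbox that trusts the file name learns nothing; classifying the downloaded bytes by their magic values does. The helper below is an added example, not code from the article or from ThreatFabric, and it goes slightly beyond the single case in the text: it recognises both a bare DEX file and an APK (a zip carrying `AndroidManifest.xml` and at least one `.dex` entry) and flags any such blob that is served as something other than an `.apk` or `.dex`. The sample blobs are constructed in the block; the DEX magic (`dex\n` plus a version string and NUL) and the zip local-header magic (`PK\x03\x04`) are the documented format constants.

```python
"""Classify a downloaded blob as DEX / APK / zip / other by content, so a
file served as an "OCR add-on" that is really Android code can be flagged.

Added example, not from the article or from ThreatFabric. Sample blobs are
constructed below; no real Anatsa payload is used.
"""
import io
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"   # DEX header: "dex\n" + 3-digit version + NUL, e.g. "dex\n035\0"
ZIP_MAGIC = b"PK\x03\x04"     # zip local file header; APKs are zip archives


def classify_blob(data):
    """Return 'dex', 'apk', 'zip', or 'other' for the given bytes."""
    # Bare DEX: 8-byte magic ending in NUL after the version digits.
    if data.startswith(DEX_MAGIC_PREFIX) and len(data) >= 8 and data[7:8] == b"\0":
        return "dex"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "other"
        # An APK is a zip with a binary manifest and at least one dex file.
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    return "other"


def is_suspicious_addon(filename, data):
    """True when a file not named as Android code actually contains Android code."""
    kind = classify_blob(data)
    return kind in ("dex", "apk") and not filename.lower().endswith((".apk", ".dex"))


def _make_fake_apk():
    """Build a minimal constructed APK-shaped zip for the demo (no real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
    return buf.getvalue()


# Constructed samples.
SAMPLE_DEX = b"dex\n035\0" + b"\0" * 64
SAMPLE_FAKE_APK = _make_fake_apk()
SAMPLE_TEXT = b"OCR plugin readme\n"

if __name__ == "__main__":
    for name, blob in [("ocr_addon.bin", SAMPLE_FAKE_APK),
                       ("plugin.dat", SAMPLE_DEX),
                       ("readme.txt", SAMPLE_TEXT)]:
        print(f"{name}: {classify_blob(blob)} suspicious={is_suspicious_addon(name, blob)}")
```

In a proxy or sandbox pipeline, call `is_suspicious_addon` on the response body and the served file name; a hit is worth alerting on regardless of which hosting site the bytes came from, since the article notes the attackers rotate droppers freely.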

On the infected device, Anatsa collects financial information, including bank account credentials, bank card details, payment information, and so on. It does this with phishing overlays displayed on top of the real application when the user launches a legitimate banking app, as well as with keylogging.


The current version of Anatsa attacks almost 600 financial and banking applications worldwide.

The banker then uses the stolen information to commit fraud directly on the victim's device: Anatsa launches the real banking application and performs transactions on behalf of the victim, automating the theft of funds.

“Because transactions are initiated from the same device that victims regularly use, it is very difficult for banking anti-fraud systems to detect this activity,” explains ThreatFabric.

The stolen funds are converted into cryptocurrencies and transferred to an extensive network of money mules around the world, who keep part of the stolen funds as their cut and send the rest to the attackers.
