Anatsa Banking Malware
admin 9 months ago
admin #news

Anatsa Banking Malware Spreads On Google Play Store

In March 2023, a new Anatsa Android banker campaign was launched, this time targeting financial institution clients in the US, UK, Germany, Austria, and Switzerland. The malware entered the Google Play Store and was installed more than 30,000 times from there alone.

As ThreatFabric researchers recall, the last time a banking Trojan penetrated the Google Play store was in 2021. Back then, it masqueraded as PDF scanners, QR code scanners, Adobe Illustrator apps, and fitness trackers, and was downloaded more than 300,000 times.


In March 2023, after a six-month hiatus, the attackers launched a new campaign that lures potential victims into installing Anatsa droppers from Google Play. As before, the malicious applications pose as PDF viewing and editing apps and office utilities:

  • All Document Reader & Editor (com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
  • All Document Reader and Viewer (com.muchlensoka.pdfcreator)
  • PDF Reader - Edit & View PDF (lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
  • PDF Reader & Editor (com.proderstarler.pdfsignature)
  • PDF Reader & Editor (moh.filemanagerrespdf)
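A small triage script, added here as an example and not tooling from ThreatFabric or Google, that checks the output of `adb shell pm list packages -f` against the five dropper package names listed above. The `pm list` lines in the sample are constructed.

```python
"""Flag the Anatsa dropper packages named in the article in `pm list packages -f` output.
Added example; the IoC package names come from the article, the sample output is constructed."""

# Dropper package names reported by ThreatFabric (the only indicators the article gives).
ANATSA_DROPPER_PACKAGES = frozenset({
    "com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs",
    "com.muchlensoka.pdfcreator",
    "lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools",
    "com.proderstarler.pdfsignature",
    "moh.filemanagerrespdf",
})


def parse_pm_list(output):
    """Map package name -> APK path from `pm list packages -f` output.

    Each line has the form `package:<apk path>=<package name>`. Lines that do not
    start with `package:` (adb noise, blank lines) are skipped."""
    found = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith("package:"):
            continue
        # Modern install paths contain base64 '=' padding (e.g. /data/app/~~abc==/...),
        # so split on the LAST '=' rather than the first.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and name:
            found[name] = path
    return found


def find_droppers(output, iocs=ANATSA_DROPPER_PACKAGES):
    """Return sorted (package, apk path) pairs for installed packages on the IoC list."""
    installed = parse_pm_list(output)
    return sorted((name, path) for name, path in installed.items() if name in iocs)


# Constructed sample: two Anatsa droppers installed alongside ordinary packages.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/~~abc==/com.muchlensoka.pdfcreator-1/base.apk=com.muchlensoka.pdfcreator
package:/data/app/~~def==/org.example.notes-1/base.apk=org.example.notes
package:/data/app/~~ghi==/moh.filemanagerrespdf-2/base.apk=moh.filemanagerrespdf
"""

if __name__ == "__main__":
    for name, path in find_droppers(SAMPLE_PM_OUTPUT):
        # The path is what an analyst would hand to `adb pull` to retrieve the APK.
        print(f"ANATSA DROPPER: {name}  apk={path}")
```

Because the droppers are published clean and receive the malicious code later, a hit on a package name is only a starting point: pull the APK and compare it against the version that was originally reviewed.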


Although ThreatFabric experts repeatedly reported the malicious applications to Google, which removed them from the store, the attackers quickly returned, publishing a new dropper disguised as yet another application.

In all the cases studied, the applications entered Google Play in a “clean” form, that is, without any malicious code, and only later received malicious updates. This is probably what allows the attackers to evade detection and pass Google's checks over and over again.


Once installed on the victim's device, the dropper applications contact an external resource hosted on GitHub, from which they download the Anatsa payload disguised as an OCR add-on for Adobe Illustrator.

On the infected device, Anatsa collects financial information, including bank account credentials, bank card details, and payment information. It does this with phishing overlays displayed on top of legitimate banking applications when the user launches them, as well as with keylogging.


The current version of Anatsa targets almost 600 financial and banking applications worldwide.

The banker then uses the stolen information to commit fraud directly on the victim's device: Anatsa launches the real banking application and performs transactions on the victim's behalf, automating the theft of funds.

“Because transactions are initiated from the same device that victims regularly use, it is very difficult for banking anti-fraud systems to detect this activity,” explains ThreatFabric.

The stolen funds are converted into cryptocurrency and transferred to an extensive network of money mules around the world, who keep part of the money as their cut and forward the rest to the attackers.
