Security researchers say a mobile banking trojan first spotted in 2020 is now targeting financial institutions across the globe.
In a new report, the cloud-native cybersecurity platform Zscaler says hackers are aggressively expanding the scope and streamlining the payload of the Android banking trojan Anatsa.
Anatsa came to life five years ago after a slew of attacks that targeted financial app users and over 650 financial institutions in the US, Europe and the UK. The malware is capable of hijacking credentials, monitoring keystrokes and facilitating fraudulent transactions.
The cybersecurity firm says that the malware is now masquerading as a document reader in the Google Play Store to deliver its malicious payload.
“Once installed, Anatsa silently downloads a malicious payload disguised as an update from its command-and-control (C2) server. This approach allows Anatsa to bypass Google Play Store detection mechanisms and successfully infect devices.”
Zscaler says the malware steals credentials by displaying fake banking login pages, tailored to the financial apps detected on a user’s device.
Through this process, the firm says Anatsa was able to increase its target list to 831 financial institutions worldwide, including 150 new banking and cryptocurrency platforms. The malware has also been linked to 77 malicious apps with over 19 million installs.
“Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection… Our research demonstrates the techniques that Anatsa and other Android malware families leverage for distribution through the official Google Play Store.
Android users should always verify the permissions that applications request, and ensure that they align with the intended functionality of the application.”