Nefarious Anatsa Android Trojan Caught Stealing Banking Information and Performing On-Device Fraud

Researchers have discovered the use of an Android banking trojan to collect the financial informational of users in several countries. The Anatsa trojan, which was previously discovered by the same security research firm two years ago, has been used via a few apps on the Play Store masquerading as productivity and office apps, with over 30,000 downloads. The malware creators publish clean apps to Google's app store to evade detection during the initial review, then update them with malicious code. Users who have downloaded these infected applications will have to manually remove them from their smartphones.

Security firm ThreatFabric has published details of the Anatsa banking trojan that infected a few applications on the Play Store that were marketed as "office" apps (for documents and spreadsheets) and PDF viewer and editor apps. After a user installs one of the infected applications, it connects to a GitHub server to download the malware, which poses as an "add-on" for the apps — such as an optical character recognition (OCR) tool for documents and PDFs, according to the firm.

ThreatFabric's list of some of the banking apps affected by the trojan
Photo Credit: Screenshot/ ThreatFabric

The banking trojan will then target nearly 600 banking apps from several countries including the Capital One and JP Morgan Mobile apps in the US, as well as banking apps from Australia, France, Germany, Italy, the UK, South Korea, Sweden, and Switzerland. It displays a phishing page on the user's screen when they attempt to open their banking app. The malware can then steal credit card information, login credentials, PIN numbers, via logging keystrokes.

What makes the Anatsa banking trojan truly nefarious is that it can use the information gleaned from the victim to load the legitimate banking apps and transfer funds from their account. The security firm explains that this makes it difficult for anti-fraud systems used by banks to identify the automated, illegitimate transaction. These funds are then transferred to the Anatsa operators in the form of cryptocurrency, according to ThreatFabric.

Users who have installed the "droppers" for the Anatsa trojan — identified by ThreatFabric and listed in the table above — will have to manually uninstall these apps from their smartphones. The apps have already been removed from the Play Store, according to the security firm, which previously discovered the trojan in 2021.

ThreatFabric notes that even after Google removed the apps infected with the Anatsa trojan, the creators would promptly upload a new version of the app, disguised once again, to the Play Store. In order to stay safe from these nefarious trojans, users should opt for well-known apps and avoid installing those that have a few downloads, while checking the user reviews for reports of theft of information or fraud.