Photo by Pixabay
The Anatsa banking trojan has expanded its reach to Slovakia, Slovenia and the Czech Republic after being concentrated in the UK, Germany and Spain, showcasing a series of new tactics and a notable evolution in its modus operandi.
The threat actors behind Anatsa have adopted a targeted approach, focusing on 3-5 regions simultaneously allowing them to promote dropper applications on Google Play specific to the targeted areas, increasing the likelihood of successful infiltrations.
As of now, over 100,000 installations have been reported in the current campaign. Anatsa’s concentrated attacks on specific regions, coupled with its device takeover capabilities, create significant challenges for financial institutions in detecting and mitigating fraud.
Cybersecurity researchers from Threat Fabric uncovered the recent expansion of the banking trojan and also exposed the new methods of infiltration.
“The distribution strategy and remote access capabilities of Anatsa classify it as a critical threat in the targeted regions,” said the researchers.
As per the research, Anatsa’s latest campaign showcases a heightened level of sophistication, employing tactics such as AccessibilityService abuse, a multi-staged infection process, and the ability to bypass Android 13’s restricted settings.
Notably, the threat actors strategically use droppers to exploit AccessibilityService, historically employed by mobile malware to automate payload installations. Despite stricter restrictions imposed by Google Play on the use of AccessibilityService, Anatsa’s droppers managed to exploit this feature by employing a clever disguise.
A dropper masquerading as a cleaner app initially appeared benign but later introduced malicious code through an update, demonstrating the adaptability and persistence of the threat actors.
An intriguing aspect of this campaign is the customisation of the malicious AccessibilityService code, specifically targeting Samsung devices. While this phase of the campaign impacts only Samsung users, analysts warn of the potential for threat actors to adapt and broaden their focus to include other device manufacturers.
To avoid immediate detection, the threat actors implemented a multi-staged approach in the latest version of the Anatsa dropper. By dynamically retrieving configuration and malicious executable files from their command and control (C2) server, the actors successfully spread malicious indicators across several stages. This method involves a sequence of steps, including downloading configuration files, dynamically loading DEX files, and redirecting control flow to execute payload installations.
The researchers advised the financial organisations to be alert and avoid installing any applications from third-party websites. They have also asked users to enable AccessibilityService for unnecessary applications.
Researchers have also anticipated that the campaign will continue to run new droppers appearing in official stores and new countries being targeted in the future.
In the News: Google launches AI Cyber Defense Initiative for AI-led cybersecurity solutions