Anatsa mobile malware returns to victimize North American bank customers

The long-running Android banking trojan known as Anatsa recently targeted financial institutions and banking app users in North America, researchers said.

The campaign marks at least the third time the malware has been aimed at mobile banking customers in the United States and Canada, according to Dutch cybersecurity firm ThreatFabric, which has been monitoring Anatsa’s activity since 2020. 

Anatsa is capable of stealing banking credentials, logging keystrokes and carrying out fraudulent transactions directly from infected devices using remote-access tools. 

Anatsa campaigns typically begin with a developer uploading a legitimate-looking Android app — such as a PDF reader or phone cleaner — to an app store, where it functions normally until it amasses thousands of downloads. At that point, an update injects devices with malicious code that installs Anatsa as a separate application on the device. The code then carries out various malicious activities, depending on the target.

In the recent campaign, the malware was embedded in a seemingly harmless file reader app roughly six weeks after its release. The malicious update was delivered to devices from June 24-30. The app ranked among the top free tools in the U.S. version of the Play Store before it was removed, accumulating more than 50,000 downloads, ThreatFabric said.

That two-stage pattern is familiar, said Randolph Barr, the CISO at application security company Cequence. 

“Even savvy users may miss this, since the initial app appears clean and functional,” he said. 

Researchers haven’t specified how the hackers promoted the app to achieve a wide reach. It’s also unclear how the threat actors use the stolen data, though possible scenarios include ransomware attacks or selling the information to other cybercriminals on darknet marketplaces.

A key feature of the operation was its expanded list of targets, which included a broader range of mobile banking applications in the United States, ThreatFabric said.

Banking trojans are common tools among cybercriminals, designed to steal sensitive financial information. Their deployment often leads to unauthorized transactions, account takeovers, and significant monetary losses for victims.

“Looking ahead, we’ll likely see more campaigns like this evolve further,” Barr said. “This includes things like AI-personalized malware overlays targeting specific banks or regions, modular payloads downloaded in real time post-install, attempts to bypass MFA [multi-factor authentication] via screen overlays or token theft, and even more abuse of accessibility services and session hijacking.”

Earlier in June, ThreatFabric discovered a new version of the Android banking trojan known as Crocodilus, which is spreading across Europe, South America, and parts of Asia. The malware’s latest variant can insert fake entries into victims’ contact lists, allowing attackers to impersonate trusted sources — such as bank support lines — and trick users into answering fraudulent calls, potentially bypassing fraud prevention systems that flag unknown numbers.

Jonathan Greig contributed to this story.
