The Android banking Trojan Anatsa has been installed over 30,000 times since March by multiple ongoing dropper campaigns, according to ThreatFabric’s research. Droppers are Trojans that install malware on devices. Anatsa, a Trojan dropper, is disguised inside other programs, and when clicked on installs and infects the device with malware.

ThreatFabric, which has been monitoring Anatsa since 2020, says it has seen multiple changes in Anatsa’s activity and areas of interest, with continuous updates of targets. The dropper delivering Anatsa was first identified by ThreatFabric researchers on the Google Play Store in March 2023. It was removed, but bad actors quickly replaced it with another application. This process was repeated over a period of four months in which five droppers were published on the store.

“The threat actors behind this new wave of Anatsa showed interest in new institutions from the US, UK, and DACH region. Our fraud intelligence platform was able to confirm this dangerous malware family adding multiple Android banking apps from these regions as new targets,” the company says.

German-speaking countries

At the time of writing, almost 600 global financial applications have been targeted, with a special focus on German-speaking countries. And more than 90 new applications have been targeted since August last year.

“We see a strong shift towards targeting banking institutions in the DACH region, specifically in Germany,” ThreatFabric observes, and believes that dropper malware campaigns will continue to increase.

In the evolving threat landscape, ThreatFabric has found that the top 10 countries with the most fraudulent applications on Android apps are:

1. US
2. Italy
3. Germany
4. UK
5. France
6. United Arab Emirates
7. Switzerland
8. Republic of Korea
9. Australia
10. Sweden

Looking at the whole Android malware threat landscape, Spain, Turkey, and Poland were the most targeted countries last year, according to ThreatFabric’s The State of Android (Banking) Malware report. Least targeted were Russian speaking countries.

Kill chain

ThreatFabric says that Anatsa has “very advanced Device-Takeover capabilities”, which are able to bypass many fraud control mechanisms. When the Trojan has successfully infected a device, it steals the victim’s credentials, credit card details, balance and payment information in order to make fraudulent transactions. And because transactions are being made from the same device, banks’ anti-fraud systems are finding it very challenging to detect the fraud.

“We see a strong shift towards targeting banking institutions in the DACH region, specifically in Germany.”

ThreatFabric

Anatsa’s fraud kill chain, step by step, has been identified as:

1. Infection with a dropper on Google Play.
2. Stealing data (overlays and keylogging).
3. Connecting remotely to the infected device/Device takeover.
4. Opening and logging into a banking app to make transactions.
5. Exfiltrating money through cryptocurrencies and local mules in targeted countries.

With malware types continuing to increase, especially with focus shifting from desktop to mobile, ThreatFabric also warns about the speed of new droppers expanding. “We want to highlight the speed with which the actors return with a new dropper after the previous one is removed: it takes anywhere from a couple of days to a couple of weeks to publish a new dropper application on the store.”

Another noted worrying trend is the emerging new threat Everything-as-a-Service (XaaS), a comprehensive package of tools and services, including pre-built malware, where criminals can purchase a complete malware product without needing the technical expertise.