ThreatFabric discovered that a phishing campaign targeting Android smartphone users has been running since March 2023.
According to ThreatFabric, the attackers are currently deploying a banking Trojan called Anatsa. It performs overlay attacks on login screens, which let it steal victims' banking credentials, and it also offers keylogging and live streaming of whatever is displayed on the victim's screen. Although the fraud was reported to Google and the malicious apps were removed from the Play Store, the cybercriminals still managed to install their malware on nearly 30,000 devices.
The highly evolved malware targets no fewer than 600 banking applications. It mainly goes after American and British users and residents of German-speaking countries, but no one is immune to the hackers' greed: according to the researchers, Spanish, Singaporean and even Finnish institutions are also on the list of potential targets. The goal is always the same: the actors behind Anatsa want to steal credentials in order to perform device takeover fraud.
Hackers steal banking credentials from Android smartphone users
To do this, they put five fake apps online on the Play Store, and as you can see, none of them has anything to do with finance. Here is the list:
- PDF Reader — Edit & View PDF
- PDF Reader & Editor
- PDF Reader & Editor
- All Document Reader & Editor
- All Document Reader and Viewer
If one of these five apps is (still) on your device, uninstall it immediately.
To blend in better with the mass of applications, the hackers published several apps on the Play Store under different developer accounts. Only one carries the actual malware; the others serve as backups in case of detection and takedown. For ThreatFabric, "this tactic allows actors to run very long campaigns, minimizing the time needed to release another Trojan and continue the distribution campaign".