
Malvertising Campaigns on the Rise: Anatsa Malware Targets over 600 Banking Applications

Security researchers from ThreatFabric have stumbled across a new mobile malware campaign targeting online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland. The campaign, active since March, uses the Anatsa Android banking trojan embedded within utility apps on the Google Play Store.

The malvertising campaign

The ThreatFabric team uncovered the ongoing attack, dubbed Anatsa, which targets approximately 600 financial apps from various global banking institutions.
  • The malicious apps carrying the malware masquerade as PDF viewers, editor apps, office suites, and add-ons to the original application.
  • For instance, a dropper app was found disguised as a text recognizer add-on for Adobe Illustrator, hosted on GitHub.
  • Security experts noted that these apps were initially submitted to Google Play in a clean and harmless form. However, they were later updated with malicious code.
  • The malware has already amassed over 30,000 installations.

With that said, let’s understand how a typical malvertising campaign works.

Workflow of a typical malvertising campaign

  • It begins with infecting users' devices with info-stealer malware.
  • Subsequently, the malware proceeds to gather and extract user credentials.
  • Stolen credentials are used in further attacks, such as phishing, or for making unauthorized transactions (as in the Anatsa campaign). Often, stolen credentials are sold through underground forums.
  • Adversaries leverage these credentials to gain unauthorized access to networks and carry out malicious activities.

Some ransomware groups, such as the Royal ransomware group, have been observed to run malvertising campaigns on their own while other threat actors rely on Initial Access Brokers (IABs) and other groups specialized in malvertising.

Capabilities of Anatsa

  • Anatsa can gather financial information such as bank account credentials, credit card details, and payment information.
  • It accomplishes this via phishing pages on top of legitimate banking apps and keylogging techniques.

Criminals use the stolen data to perform on-device transactions. Because these transactions originate from the users’ own devices and resemble normal transaction flows, they do not raise suspicion with banks’ anti-fraud systems.

Growing cases of malvertising

Recent findings from the Malwarebytes Threat Intelligence team revealed that there have been more than 800 officially recorded malvertising-related attacks in 2023 thus far. Most malvertising ads were used as a medium to deliver infostealer malware, including variants of IcedID, Aurora Stealer, and BATLOADER, among others.

Detection remains a challenge

Detecting these malvertising attack campaigns remains one of the major challenges for organizations trying to safeguard themselves.
  • Highly sophisticated campaigns impersonate official brand names and websites within ad snippets, making their attacks highly deceptive and difficult for the average user to suspect.
  • Even experts at Google face challenges in detecting malicious redirects within advertisements, underscoring the need for advanced tools to effectively identify such threats.

Stay safe

Organizations can prevent malvertising attacks by using strong antivirus solutions, keeping software up to date, and using an ad-blocker. In addition, they should deploy web protection applications to detect and block connections established with malicious servers. Meanwhile, mobile users need to exercise caution with app installations. They should be especially careful before downloading apps that have a low number of installs and few reviews.
Cyware Publisher