The Anatsa Android banking trojan has expanded its target list and now has over 830 financial applications in its crosshairs, cybersecurity firm Zscaler warns.
Active since 2020, Anatsa allows its operators to take over infected devices and perform fraudulent transactions and various other actions on behalf of their victims.
Last year, the trojan was seen targeting over 600 financial applications, after expanding to several European countries.
Now, it is also going after mobile users in Germany and South Korea, and is targeting over 150 new banking and cryptocurrency applications, Zscaler reports.
The malware was seen being distributed via decoy applications available through the official Google Play store, some of which have amassed over 50,000 downloads.
After installation, the decoy applications connect to the trojan's command-and-control (C&C) server to silently fetch a malicious payload posing as an update.
The applications include several anti-analysis and anti-detection techniques, decrypting strings at runtime using a dynamically generated Data Encryption Standard (DES) key, performing emulation and device model checks, and periodically changing the package name and install hash.
Once up and running on a device, Anatsa requests accessibility permissions, and automatically enables all permissions in its manifest file, which allows it to display overlays on top of applications, tamper with notifications, and receive and read SMS messages.
The malware can receive commands from its C&C server, and displays fake banking login pages to steal credentials. The pages for some of the targeted applications are currently incomplete, Zscaler says.
The security firm says it identified and reported to Google 77 malicious applications that distributed Anatsa and other malware families and which had over 19 million collective downloads. Most of these applications distributed adware (66.4%), and the Joker malware (24.7%).
“Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection. […] Android users should always verify the permissions that applications request, and ensure that they align with the intended functionality of the application,” Zscaler notes.
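A defender-side triage check for the permission pattern described above, added here as an illustration and not part of Zscaler's report: it parses an Android manifest and flags the combination the article attributes to Anatsa (overlay, SMS access, package installation, and an accessibility service). The manifests and package names are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Capability groups that together match the takeover pattern described above:
# overlays, SMS access and a sideloaded "update", auto-granted via accessibility.
RISK_GROUPS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}

def permission_names(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def has_accessibility_service(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return any(svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
               for svc in root.iter("service"))

def triage(manifest_xml):
    """Report which risk groups are declared and whether the mix looks like a dropper."""
    perms = permission_names(manifest_xml)
    groups = sorted(g for g, names in RISK_GROUPS.items() if perms & names)
    accessibility = has_accessibility_service(manifest_xml)
    # Accessibility plus two or more takeover capabilities is the combination of
    # interest; any single group on its own is common in legitimate apps.
    flagged = accessibility and len(groups) >= 2
    return {"groups": groups, "accessibility": accessibility, "flagged": flagged}

# Constructed sample: a decoy "PDF reader" manifest (hypothetical package name).
DECOY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a benign overlay-only app (hypothetical package name).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bubblenotes">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application/>
</manifest>"""
```

Run `triage()` on a manifest extracted from an APK; a flagged result is a prompt for closer review, not proof of malware, since some accessibility tools legitimately need overlapping permissions.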