An ongoing malware campaign has been pushing the Android banking Trojan Anatsa to online banking customers in the US, the UK, Germany, Austria, and Switzerland, according to research by cybersecurity firm ThreatFabric.

The threat actors are distributing their malware via the Google Play Store and had already passed 30,000 installations as of March. The ongoing campaign focuses on banks in the US, the UK, and the DACH region (Germany, Austria, Switzerland), while the malware's target list contains almost 600 financial applications from all over the world, ThreatFabric said in its research.

“ThreatFabric is aware of multiple confirmed fraud cases, with confirmed losses caused by Anatsa, due to the Trojan’s very advanced device takeover capabilities, which are able to bypass a wide array of existing fraud control mechanisms,” ThreatFabric said.

Multiple droppers on Google Play in four months

In March, the threat actors launched a new malvertising campaign to entice victims into downloading Anatsa dropper apps from Google Play. Researchers identified the dropper application on the Google Play Store used to deliver Anatsa to infected devices; it posed as a PDF-reader application.

“Once installed, such an application would make a request to a page hosted on GitHub, where the dropper would get the URL to download the payload (also hosted on GitHub). The payloads would masquerade as an add-on to the original application (similar to what we have seen in previous campaigns),” ThreatFabric said.

Shortly after the researchers reported this dropper to Google, it was removed from the store. However, within a month the actors published another dropper, this time posing as a PDF viewer.

“It was the continuation of the same campaign, as the payloads used in it were the same, still masquerading as an add-on,” ThreatFabric said. Google also removed this dropper, but the attackers soon returned with a new one.

The same cycle was repeated twice.
Another dropper appeared within a month of the previous one being removed. Researchers discovered three more droppers in May and June.

“We want to highlight the speed with which the actors return with a new dropper after the previous one is removed: it takes anywhere from a couple of days to a couple of weeks to publish a new dropper application on the store,” ThreatFabric said, adding that at the time of writing a new Anatsa dropper had been discovered and was still online.

Every dropper was updated some time after its publication date, indicating that the threat actor is adding malicious functionality in later updates.

The threat actors start with a distribution phase in which the payload is delivered through malicious apps on the Google Play Store. Victims are routed there through advertisements, which look less suspicious to them because they lead to the official store.

Once the device is infected, Anatsa can collect sensitive information such as credentials, credit card details, balances, and payment information via overlay attacks and keylogging.

“Anatsa provides them with the capability to perform Device-Takeover Fraud (DTO), which then leads to performing actions (transactions) on the victim’s behalf,” ThreatFabric said.

New targets and focus on financial institutions

Anatsa’s activity was first discovered in 2020. The actor’s areas of interest have changed several times over the years, with continuous updates to the target list.

“This campaign is no exception: we see a strong shift towards targeting banking institutions in the DACH region, specifically in Germany,” ThreatFabric said. The company’s researchers observed three new German banking applications added to Anatsa’s overlay target list during the current campaign.

The target list contained more than 90 new applications compared with the version seen in August of last year.
The updated list included targets from Germany, Spain, Finland, South Korea, and Singapore.

“While the droppers are not distributed in all of these countries, it definitely reveals plans to target those regions,” ThreatFabric said.
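The staged delivery ThreatFabric describes above (a dropper that first fetches a small pointer page from GitHub and then pulls the real payload, also from GitHub, disguised as an "add-on") leaves a recognisable two-step shape in per-app network telemetry. The Python below is an added example written for this article; it is not ThreatFabric's tooling and reproduces nothing from the actual campaign. It parses a constructed, hypothetical per-app egress log (the log format, package names, paths and byte counts are all invented for illustration) and flags any package whose tiny text fetch from a GitHub host is followed, within a configurable window, by a large binary download from a GitHub host.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, one HTTP request per line, attributed to the Android
# package that made it. The format and every value here are invented for this
# example; they are not observed Anatsa traffic.
SAMPLE_LOG = """\
2023-06-20T10:15:02Z pkg=com.example.pdfviewer host=raw.githubusercontent.com path=/acct1/repo/main/update.txt ctype=text/plain bytes=96
2023-06-20T10:15:05Z pkg=com.example.pdfviewer host=github.com path=/acct1/repo/releases/download/v1/addon.bin ctype=application/octet-stream bytes=2451232
2023-06-20T10:20:00Z pkg=com.example.weather host=raw.githubusercontent.com path=/org/weather/main/cities.json ctype=application/json bytes=40213
2023-06-20T11:00:00Z pkg=com.example.pdfviewer host=cdn.example.net path=/fonts/roboto.ttf ctype=font/ttf bytes=170000
2023-06-20T12:30:10Z pkg=com.example.notes host=raw.githubusercontent.com path=/a/b/main/stage1.txt ctype=text/plain bytes=80
2023-06-20T13:30:10Z pkg=com.example.notes host=objects.githubusercontent.com path=/blob/xyz ctype=application/vnd.android.package-archive bytes=3000000
"""

# Hosts that serve GitHub-hosted content. This set is an assumption for the
# example; extend it if your telemetry resolves other hosting to GitHub.
GITHUB_HOSTS = {
    "github.com",
    "raw.githubusercontent.com",
    "objects.githubusercontent.com",
    "gist.githubusercontent.com",
}
PAYLOAD_TYPES = {
    "application/vnd.android.package-archive",
    "application/octet-stream",
    "application/java-archive",
}
PAYLOAD_SUFFIXES = (".apk", ".bin", ".jar", ".dex", ".zip")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pkg=(?P<pkg>\S+) host=(?P<host>\S+) path=(?P<path>\S+) "
    r"ctype=(?P<ctype>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the constructed egress log into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore blank lines and lines not in the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def is_pointer_fetch(ev, max_bytes=4096):
    """Stage 1: a tiny text or JSON object pulled from a GitHub host (the 'where is the payload' page)."""
    return (ev["host"] in GITHUB_HOSTS and ev["bytes"] <= max_bytes
            and (ev["ctype"].startswith("text/") or ev["ctype"] == "application/json"))


def is_payload_fetch(ev, min_bytes=500_000):
    """Stage 2: a large binary object pulled from a GitHub host."""
    return (ev["host"] in GITHUB_HOSTS and ev["bytes"] >= min_bytes
            and (ev["ctype"] in PAYLOAD_TYPES or ev["path"].lower().endswith(PAYLOAD_SUFFIXES)))


def find_staged_downloads(events, window_s=600, min_payload_bytes=500_000):
    """Return one alert per (pointer fetch, payload fetch) pair made by the same
    package within window_s seconds. Events must be time-sorted (parse_log does this)."""
    by_pkg = defaultdict(list)
    for ev in events:
        by_pkg[ev["pkg"]].append(ev)

    alerts = []
    for pkg, evs in by_pkg.items():
        last_pointer = None
        for ev in evs:
            if is_pointer_fetch(ev):
                last_pointer = ev  # remember the most recent candidate stage 1
            elif is_payload_fetch(ev, min_payload_bytes) and last_pointer is not None:
                delay = (ev["ts"] - last_pointer["ts"]).total_seconds()
                if 0 <= delay <= window_s:
                    alerts.append({
                        "pkg": pkg,
                        "pointer_url": f"https://{last_pointer['host']}{last_pointer['path']}",
                        "payload_url": f"https://{ev['host']}{ev['path']}",
                        "payload_bytes": ev["bytes"],
                        "delay_s": delay,
                    })
                    last_pointer = None  # do not reuse the same pointer for a second alert
    return alerts


if __name__ == "__main__":
    for alert in find_staged_downloads(parse_log(SAMPLE_LOG)):
        print(f"{alert['pkg']}: {alert['pointer_url']} -> {alert['payload_url']} "
              f"({alert['payload_bytes']} bytes, {alert['delay_s']:.0f}s apart)")
```

With the default ten-minute window only com.example.pdfviewer is flagged; com.example.notes makes the same two fetches an hour apart and is missed, which is the trade-off to keep in mind when tuning window_s, since a dropper that sleeps between stages slips past a tight window. The heuristic is for triage, not verdicts: legitimate updaters and open-source app stores also pull binaries from GitHub, so an alert should lead to pulling the APK and the Play listing for the package rather than to automatic blocking.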