The Nigerian Computer Emergency Response Team (ngCERT) has identified a new and dangerous version of the Anatsa banking trojan, which is currently targeting Android devices.
This sophisticated malware is designed to steal banking credentials and financial information from unsuspecting users.
Disguised as legitimate PDF and QR code readers, the trojan employs advanced techniques to bypass security measures and display fake login screens.
So far, over 70,000 devices have been infected through various apps on the Google Play Store.
According to ngCERT, the Anatsa banking trojan leverages Android’s accessibility services to gain full control over infected devices, allowing attackers to carry out fraudulent transactions.
“The trojan is delivered through malicious apps that appear to be legitimate PDF and QR code readers or cleaner apps,” noted ngCERT.
“These apps initially behave normally until they secretly download, decrypt, and execute the trojan’s payload, which bypasses the restricted settings for accessibility services, mostly in Android 13.”
The trojan then establishes a connection with its command and control (C2) server and waits for instructions from the attacker, ngCERT added.
“The trojan is capable of stealing the user’s banking credentials, credit card details, and payment information by overlaying fake login screens on top of legitimate banking apps and by recording keystrokes.”
The trojan can “prevent the user from interacting with certain apps that are defined by the attacker and can download, upload, delete, install, and find files on the device.”
Upon successful installation, the Anatsa trojan allows attackers to remotely interact with the device, launch phishing attacks to steal sensitive financial information, block access to legitimate applications such as security apps or system settings, and manipulate files on the device.
To prevent or mitigate the infection, ngCERT recommends that Android users exercise caution when downloading apps. Users should “avoid installing apps from unknown or untrusted sources and check the reviews and ratings of the apps before downloading them from the Google Play Store.”
It is also advisable to “avoid calling numbers provided in unsolicited messages or emails and be wary of apps that ask for unnecessary or excessive permissions, such as accessibility services or installation of unknown apps.”
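The advisory's two recurring points, that Anatsa abuses Android's accessibility services and that users should be wary of apps asking for them, both come down to one question a defender can check directly: which third-party packages on a device currently have an accessibility service enabled? The script below is an added example, not code from ngCERT or from the advisory; it parses the output of two real Android commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`) and reports any third-party package that appears in the enabled-services setting. The package names and the sample command output embedded in it are constructed for the example.

```python
"""Flag third-party Android packages that have an accessibility service enabled.

Added defender-side example; not part of the ngCERT advisory. It assumes the
output of two adb commands has already been captured from the device:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -3

The sample values below are constructed for this example.
"""

# Constructed sample: value of the `enabled_accessibility_services` secure setting.
# Entries are colon-separated component names of the form `package/ServiceClass`;
# Android also accepts the shorthand `package/.ServiceClass`. A screen reader such
# as TalkBack is a legitimate user of the API; a "PDF reader" with an enabled
# accessibility service is exactly the pattern the advisory warns about.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfreader/.ReaderAccessibilityService"
)

# Constructed sample: output of `pm list packages -3`, which lists only
# third-party (user-installed) packages, one `package:<name>` line each.
SAMPLE_THIRD_PARTY = """package:com.example.pdfreader
package:com.example.qrscanner
package:com.bank.mobile
"""


def parse_enabled_services(setting_value: str) -> dict[str, str]:
    """Map package name -> fully qualified service class for each enabled service.

    `settings get` prints the literal string "null" when the setting is unset,
    so that case yields an empty mapping rather than a bogus entry.
    """
    result: dict[str, str] = {}
    value = setting_value.strip()
    if not value or value == "null":
        return result
    for entry in value.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):          # expand shorthand component name
            cls = pkg + cls
        result[pkg] = cls
    return result


def parse_package_list(pm_output: str) -> set[str]:
    """Extract package names from `pm list packages` output."""
    pkgs = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def flag_third_party_accessibility(setting_value: str, pm_output: str) -> list[tuple[str, str]]:
    """Return (package, service) pairs for third-party apps with accessibility enabled.

    System packages (e.g. TalkBack) are not in the `-3` list, so they are not
    flagged; anything that is flagged deserves a closer look, since accessibility
    access is what lets a banking trojan drive the UI and read screen contents.
    """
    enabled = parse_enabled_services(setting_value)
    third_party = parse_package_list(pm_output)
    return sorted((pkg, cls) for pkg, cls in enabled.items() if pkg in third_party)


if __name__ == "__main__":
    for pkg, svc in flag_third_party_accessibility(SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY):
        print(f"third-party accessibility service enabled: {pkg} ({svc})")
```

On a real device, replace the two constructed samples with the captured command output; a flagged entry is not proof of infection, but it is the permission the advisory singles out, and an unfamiliar "reader" or "cleaner" app holding it is a reason to uninstall and scan as the advisory recommends.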
If an app suspected to contain the Anatsa trojan is found, it should be uninstalled immediately, and the device should be scanned with a reputable antivirus app.
Users should also “change the banking passwords and monitor the account activity for any suspicious transactions and report them to the respective banks.”
Keeping antivirus software installed and updated so that it can detect and remove malware, and keeping the Android device and its apps updated to the latest versions, are key to protecting against this threat.