Mobile banking malware growing rapidly, ThreatFabric warns


Online payment fraud prevention provider ThreatFabric has shared research on the return of the Anatsa banking trojan, which is expanding its reach in Europe. It also shared a post explaining how its Fraud Kill Chain can find gaps in mobile malware detection.

Anatsa banking trojan returns in Europe

ThreatFabric has been monitoring the Anatsa campaign since its Mobile Threat Intelligence team detected a reappearance of the banking trojan in November of 2023. Over four months, it saw five different waves of the campaign, each targeting a different region. It shared its findings in a blog post.

The trojan, which is one of the most prolific, has expanded into Slovakia, Slovenia, and Czechia after formerly targeting the UK, Germany, and Spain.

The campaign promotes dropper applications on Google Play in the targeted regions. These droppers often rank high in popularity, which increases their credibility. Some droppers exploit the AccessibilityService.

All droppers download configuration and malicious executable files from their C2 server, allowing bad actors to make modifications as needed. They have the capacity to bypass restricted settings for AccessibilityService in Android 13.

One supposed cleaner app that was found in November claimed to require AccessibilityService. Initially, the app contained no malicious code, but an update introduced it, altering the AccessibilityService functionality so that the app could execute actions such as automatically clicking buttons when it received a configuration from the C2 server.

In one phase, the malicious code was tailored specifically to the UI elements of Samsung devices. Future adaptations may target other manufacturers.

The five droppers monitored in this report had over 100,000 installations over the course of four months.

Individuals can protect themselves by being cautious about which apps they download and about whether an app really needs AccessibilityService enabled in order to do its job.
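One way to check this on a device you manage, as an added example that is not from ThreatFabric or the original article: the script below parses the output of two real adb commands and lists every package with an enabled AccessibilityService that is not on a reviewed allowlist. The function names, the allowlist and the `com.example.*` packages are hypothetical, and the sample output is constructed.

```python
# Inputs are the text output of these adb commands (added example, not from the article):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
PLAY_STORE = "com.android.vending"

def parse_enabled_services(raw):
    """Map package -> service classes from the colon-separated setting value."""
    services = {}
    if raw.strip() in ("", "null"):      # nothing enabled / setting unset
        return services
    for component in raw.strip().split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):          # short form, relative to the package
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services

def parse_installers(raw):
    """Map package -> installer (None if unknown) from `pm list packages -i`."""
    installers = {}
    for line in raw.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("package:"):
            inst = [f[10:] for f in fields[1:] if f.startswith("installer=")]
            installers[fields[0][8:]] = inst[0] if inst and inst[0] != "null" else None
    return installers

def audit(services_raw, packages_raw, allowlist):
    """Return (package, classes, note) for each enabled service not on the allowlist."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, classes in sorted(parse_enabled_services(services_raw).items()):
        if pkg in allowlist:
            continue
        source = installers.get(pkg)
        # A Play Store install is context only: the droppers were on Google Play.
        note = "from Google Play" if source == PLAY_STORE else "installer: %s" % (source or "unknown")
        findings.append((pkg, classes, note))
    return findings

# Constructed sample output; package names are hypothetical.
SERVICES = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
            ":com.example.cleaner/.CleanerService:com.example.reader/com.example.reader.ReaderService")
PACKAGES = """package:com.google.android.marvin.talkback installer=com.android.vending
package:com.example.cleaner installer=com.android.vending
package:com.example.reader installer=com.example.cleaner"""
ALLOWLIST = {"com.google.android.marvin.talkback"}  # reviewed assistive apps (assumed)

if __name__ == "__main__":
    print(audit(SERVICES, PACKAGES, ALLOWLIST))
```

Each finding is a prompt for review rather than a verdict: the question is whether that app has a legitimate need for the permission.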

Fraud Kill Chain can identify gaps in mobile detection

The Fraud Kill Chain can find detection opportunities and gaps to combat mobile banking malware. ThreatFabric highlighted the most commonly found gaps in detection in a recent post.

The number of banking malware families has steadily been on the rise for years. In 2023, ThreatFabric found 75 families, 26 of which had device takeover capabilities. Most were delivered through official app stores.

Attackers use a wide variety of tactics, techniques and procedures, giving a wide range of opportunities for detection, but such detection requires sensors and processes in digital channels.

ThreatFabric’s research found three major gaps in detection. There is a major detection gap in mobile channels in particular. There is also a lack of visibility into the user journey. The third most common gap is visibility into device risk.

Anti-fraud teams should address these gaps by checking detection processes for mobile visibility, user session visibility, and device risk visibility. Using Fraud Kill Chain mapping can help teams identify issues in their attack chain. They should consider adding detection technology to mitigate any gaps they find and stay up to date with evolving mobile threats.

Earlier this year, ThreatFabric was recognized by Gartner as a Sample Vendor for Cyberfraud Fusion in its Emerging Tech Impact Radar: Security report. ThreatFabric CEO Han Sahin noted the importance of behavioral biometrics, recently added to its anti-fraud technology suite, in the company announcement of the recognition.

ThreatFabric raised €11.5 million in seed funding last year to expand its behavioral biometrics and fraud protection capabilities.
