If you are like most Americans, you probably do most of your banking online, and if you use an Android device, beware. The malicious Anatsa banking trojan has resurfaced in several countries, including the United States. The malicious app can steal your banking credentials, credit card details, and payment information by displaying fake login screens and recording keyboard strokes.

Anatsa is not a new threat, as it was first discovered in late 2021 by security researchers at ThreatFabric. The apps that carry the Anatsa trojan are disguised as office or productivity tools, such as PDF readers, editors, or scanners. They appear to be harmless at first, but they secretly download the malicious payload from GitHub after installation. The payload then asks for various permissions, such as accessibility services, device administrator, and installation of unknown apps.

Risks:
Once Anatsa gains access to your device, it can monitor your activities and launch phishing attacks when you try to open a legitimate banking app. It can also initiate fraudulent transactions from your device without your knowledge or consent. According to ThreatFabric, the current variant of Anatsa-infected apps has been downloaded over 30,000 times from the Google Play Store.

Recommendation:
Malicious software like Anatsa highlights the need for caution when downloading applications from the app store. The best way to prevent Anatsa from infecting your device is to avoid installing apps from unknown or untrusted sources. Users should also check the reviews and ratings of the apps before downloading them from the Google Play Store. Be wary of apps that ask for unnecessary or excessive permissions, such as accessibility services or installation of unknown apps. You can review and revoke these permissions in your device settings.
If you suspect that you have installed an app that contains Anatsa, you should uninstall it immediately and scan your device with a reputable antivirus app. You should also change your banking passwords and monitor your account activity for any suspicious transactions.
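
For administrators who review devices over adb, the permission check recommended above can be scripted. The following is an added example, not part of the original advisory: it takes the colon-separated value returned by `adb shell settings get secure enabled_accessibility_services`, a list of active device administrator components, and each app's requested permissions, and lists untrusted apps that hold any of the permissions named in this article. All package names, sample values, and the allowlist are constructed for illustration.

```python
# Added example with constructed data; package names are hypothetical.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"

def parse_components(setting_value):
    """Turn 'pkg/cls:pkg/cls' (or 'null' / empty) into a set of package names."""
    if not setting_value or setting_value.strip() in ("", "null"):
        return set()
    packages = set()
    for component in setting_value.strip().split(":"):
        package = component.split("/", 1)[0].strip()
        if package:
            packages.add(package)
    return packages

def audit(a11y_setting, device_admins, requested_perms, trusted):
    """Return {package: [reasons]} for apps outside the allowlist that hold
    the permissions the advisory warns about."""
    a11y = parse_components(a11y_setting)
    admins = parse_components(":".join(device_admins))
    findings = {}
    for package in sorted(a11y | admins | set(requested_perms)):
        if package in trusted:
            continue
        reasons = []
        if package in a11y:
            reasons.append("accessibility service enabled")
        if package in admins:
            reasons.append("device administrator")
        if INSTALL_PERM in requested_perms.get(package, ()):
            reasons.append("requests installation of unknown apps")
        if reasons:
            findings[package] = reasons
    return findings

# Constructed sample input (not taken from a real device).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.pdfreader/.ViewerService")
SAMPLE_ADMINS = ["com.example.pdfreader/.AdminReceiver"]
SAMPLE_PERMS = {
    "com.example.pdfreader": {"android.permission.INTERNET", INSTALL_PERM},
    "com.example.notes": {"android.permission.INTERNET"},
}
SAMPLE_TRUSTED = {"com.google.android.marvin.talkback"}

if __name__ == "__main__":
    for pkg, why in audit(SAMPLE_A11Y, SAMPLE_ADMINS, SAMPLE_PERMS, SAMPLE_TRUSTED).items():
        print(f"{pkg}: {', '.join(why)}")
```

An app that shows up with more than one reason, as the sample PDF reader does, matches the permission pattern described in this article and should be reviewed first.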


Chad Robinson
CISO/VP of Advisory
Secure Cyber Defense