The online payment fraud prevention provider has shared its research on the resurgence of the Anatsa banking trojan, which targets banking apps and the biometric authentication step inside them.
ThreatFabric, an online payment fraud prevention provider, has shared its research on the return of the Anatsa trojan, which is expanding its reach in Europe. Anatsa is Android mobile banking malware (a trojan, not a self-replicating virus) that infects devices and steals banking credentials, payment card details, and, according to the report, biometric data. It also performs on-device fraud, such as automated transfers and payments, by abusing the Android Accessibility Service to read screen content and inject taps and text, and by drawing fake screens (overlays) on top of legitimate banking apps.
ThreatFabric’s Mobile Threat Intelligence team detected the reappearance of the Anatsa campaign in November 2023, after a period of inactivity since June 2023. The team observed five distinct waves, each aimed at a different European market, including France, Germany, Italy, Spain, and the UK. The malware was distributed through phishing emails, SMS messages, and malicious websites, disguised as legitimate apps or app updates.
Anatsa trojan bypasses biometric authentication
One of the most alarming features described in the research is the trojan’s ability to defeat biometric authentication, such as fingerprint or face recognition, on banking apps. According to the report, the malware shows a fake prompt asking the user to scan a fingerprint or face for verification, captures what the user provides, sends it to a remote server, and then uses it to unlock the device or the banking app and perform fraudulent transactions. A caveat for app developers: on Android, third-party apps never receive raw fingerprint or face templates. Those stay inside the secure hardware, and the platform BiometricPrompt API returns only a success or failure result (optionally unlocking a hardware-bound key). The practical exposure from a fake prompt is therefore the fallback PIN or password the user types when the bogus “scan” appears to fail, and any app that accepts a client-side “biometric OK” flag instead of a hardware-backed authentication result.
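As an added example (not ThreatFabric’s code and not any bank’s production code), here is how a banking app’s login screen can blunt the two techniques described above: the overlay and accessibility-service abuse in the earlier paragraph, and the fake biometric prompt in this one. The class name, key alias, log tag, and `sendLoginToken` backend call are hypothetical; it assumes Android API 30+ and the `androidx.biometric` library. The point is that the biometric step releases a Keystore key only when the secure hardware confirms a real biometric, so nothing a fake prompt collects can be replayed into the app.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.os.Bundle
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Log
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import androidx.appcompat.app.AppCompatActivity
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey

// Hypothetical login screen (added example, not code from the report or any bank).
class SecureLoginActivity : AppCompatActivity() {

    private val keyAlias = "bank_session_key" // assumed alias

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // 1. Overlay resistance: forbid screenshots/recording of this window and drop any
        //    touch that arrives through another app's window drawn on top of ours.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)
        window.decorView.filterTouchesWhenObscured = true

        // 2. Accessibility-service check: the channel overlay trojans use to read and drive the UI.
        //    Heuristic: anything outside the platform/Google packages is worth a step-up or a warning.
        val thirdParty = enabledThirdPartyAccessibilityServices()
        if (thirdParty.isNotEmpty()) {
            Log.w("SecureLogin", "Third-party accessibility services enabled: $thirdParty")
        }

        ensureKey()
        showBiometricPrompt()
    }

    private fun enabledThirdPartyAccessibilityServices(): List<String> {
        val am = getSystemService(ACCESSIBILITY_SERVICE) as AccessibilityManager
        return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
            .map { it.resolveInfo.serviceInfo.packageName }
            .filter { !it.startsWith("com.android.") && !it.startsWith("com.google.android.") }
    }

    // 3. Hardware-bound key: unusable until the TEE/StrongBox confirms a genuine biometric.
    private fun ensureKey() {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        if (ks.containsAlias(keyAlias)) return
        val kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
        kg.init(
            KeyGenParameterSpec.Builder(keyAlias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG) // auth per use, class-3 biometrics only
                .setInvalidatedByBiometricEnrollment(true) // enrolling a new finger/face destroys the key
                .build()
        )
        kg.generateKey()
    }

    private fun showBiometricPrompt() {
        val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
        val key = ks.getKey(keyAlias, null) as SecretKey
        val cipher = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, key) }

        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // The only thing that reaches the app is an unlocked cipher. A fake prompt can collect
                // a tap or a typed PIN, but it cannot produce this object, so there is nothing to replay.
                val unlocked = result.cryptoObject?.cipher ?: return
                val token = unlocked.doFinal("session-login".toByteArray()) // hypothetical payload
                sendLoginToken(token, unlocked.iv)
            }

            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                Log.w("SecureLogin", "Biometric step failed ($errorCode): $errString")
                // Fall back to the server-verified password flow; never accept a client-side "bypass".
            }
        }

        val prompt = BiometricPrompt(this, ContextCompat.getMainExecutor(this), callback)
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Confirm it's you")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .setNegativeButtonText("Cancel")
            .build()
        prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }

    // Assumed backend call: the server decrypts with the shared key material it provisioned at enrolment.
    private fun sendLoginToken(ciphertext: ByteArray, iv: ByteArray) {
        Log.i("SecureLogin", "Sending ${ciphertext.size}-byte token with ${iv.size}-byte IV")
    }
}
```

The accessibility-service filter is deliberately a heuristic (legitimate screen readers also appear there), so treat a hit as a signal for step-up authentication or a warning rather than a hard block. `filterTouchesWhenObscured` and `FLAG_SECURE` do not stop an accessibility service from reading the view tree; the key-bound `CryptoObject` is what makes a captured or faked biometric interaction worthless to the attacker.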
ThreatFabric’s research also revealed that Anatsa has a modular architecture, which lets its operators update functionality and add new target apps over time. The malware can target over 200 banking and payment apps, as well as cryptocurrency wallets, e-commerce platforms, and social media apps, and it can also exfiltrate SMS messages, contacts, call logs, device information, and location data from the infected device.
ThreatFabric’s Fraud Kill Chain to combat mobile banking malware
ThreatFabric has also shared a post explaining how its Fraud Kill Chain can help financial institutions and online payment providers find gaps in their mobile malware detection and prevention capabilities. The Fraud Kill Chain is a framework that maps the stages of a mobile banking malware attack, from infection to fraud execution, and identifies the possible countermeasures and solutions at each stage.
ThreatFabric’s Fraud Kill Chain consists of six stages: infection, persistence, reconnaissance, credential theft, account takeover, and on-device fraud. At each stage, ThreatFabric provides a list of indicators, challenges, and recommendations for financial institutions and online payment providers to detect and prevent mobile banking malware attacks. ThreatFabric also offers a range of products and services, such as Threat Intelligence, Threat Defense, and Threat Response, to help its clients protect their customers and assets from online payment fraud.