The Anatsa banking trojan is an example of a cunning piece of malicious software that attackers use to steal sensitive information from banks and their customers’ banking accounts. It works by tricking users into downloading an app that appears legitimate but contains hidden, harmful code. In some cases, trojans are spread through fake advertisements or by disguising themselves as popular apps, such as PDF readers. Once installed on a user’s device, a trojan can operate incognito, silently seizing control of the unsuspecting victim’s banking app in multiple ways and capturing the user’s banking app credentials, such as usernames and passwords. This allows hackers to gain unauthorized access to a victim’s bank account and carry out fraudulent activities.

Trojans such as Anatsa are a wake-up call for Android developers because they illustrate the diligence and determination of cybercriminals who seek to drain consumer bank accounts via their legitimate banking apps. You heard that right—crooks are weaponizing official banking apps against their own customers, and most victims don’t realize this is happening until it’s too late to prevent the money loss. Unfortunately, the bank’s app developers, CISOs, and SOC teams are all too often caught off guard and are powerless to detect or defend against this type of cyber attack. The most recent Anatsa banking trojan variants are even more effective at achieving their end goals than previous versions, proving that mobile apps are not only a pathway for today’s sophisticated cybercrooks but the preferred, profitable doorway to illicit profit.

Automated money theft via your phone’s mobile app is now a thing. Actually, it’s quite a big thing, especially if you’re in the United States, UK, Germany, Switzerland, or Austria. That’s where the operators have decided to target banking users, at least for now. And it all revolves around weaknesses associated with mobile apps themselves. Banking trojans stand as a virtual orchestra of tactics that ultimately seek to exploit mobile apps and their connection to hard-earned funds. Just look at their stunningly comprehensive approach to “cleverness.”

Below are five tactics often employed by banking trojans in general:

  1. The creation of legit apps to initially be accepted into app stores 
  2. Subsequent updates to legit apps that then include malicious code
  3. Malvertising campaigns to instigate downloads of the malicious apps
  4. Overlay attacks to gain banking credentials for target apps
  5. On-device fraud that banks themselves find difficult to initially detect

The creation of legit apps to initially be accepted into app stores

One of the tactics employed by hackers is to develop seemingly legitimate applications that pass the vetting process of app stores. These apps may offer functionality or features that users desire, such as games, PDF readers, productivity tools, or utility applications. By initially presenting themselves as harmless, these apps gain the trust of users and are downloaded onto their devices.

Organizations should be concerned about this tactic because it allows hackers to infiltrate the app ecosystem, potentially compromising the security of users’ devices and data. Once the malicious app is installed, it can serve as a foothold for further attacks or unauthorized access to sensitive information.

Subsequent updates to legit apps that then include malicious code

Hackers often take advantage of the update mechanism of legitimate apps to introduce malicious code. After the initial version of the app has gained users’ trust and established a user base, the hackers release updates that appear to provide bug fixes, new features, or security enhancements. However, these updates may secretly include harmful code designed to exploit vulnerabilities or gain unauthorized access to the device.

This tactic should concern organizations because users typically trust app updates from reputable sources and may install them without suspicion. By compromising legitimate apps through updates, hackers can leverage the existing user base to distribute malware or collect sensitive information.

Malvertising campaigns to instigate downloads of malicious apps

Malvertising refers to malicious advertising, where hackers use legitimate-looking advertisements to trick users into clicking on them. These advertisements are often displayed on websites, mobile apps, or other digital platforms that users frequently visit. When a user interacts with the malvertisement, they may be redirected to a website or prompted to download an app containing malicious code.

Organizations should be concerned about malvertising campaigns because they can lead to the inadvertent installation of malicious apps on users’ devices. By compromising trusted advertising networks or popular websites, hackers can reach a large number of potential victims and increase the likelihood of successful infections or data breaches.

Overlay attacks to gain banking credentials for target apps

Overlay attacks are a technique where hackers create a transparent layer on top of a legitimate application’s user interface. Overlay attacks exploit three of the OWASP Mobile Top 10 (2024 edition) risk categories.

  • M1: Improper Credential Usage
  • M8: Security Misconfiguration
  • M9: Insecure Data Storage

When users launch a targeted app, the overlay is displayed, mimicking the app’s interface and prompting them to enter their login credentials or sensitive information. Unbeknownst to the user, this information is captured by the malicious overlay and sent to the attacker.

Organizations should be concerned about overlay attacks because they specifically target applications commonly used for financial transactions, such as banking apps. By deceiving users into providing their login credentials or financial information, hackers can gain unauthorized access to bank accounts, conduct fraudulent transactions, or steal personal data.
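One defender-side mitigation for the overlay technique described above, as an added example that is not code from the original post or from any banking app: an Android login control that drops touches delivered through another window, using the platform’s own obscured-touch filtering and, on Android 12 and later, the window-level overlay hiding API. The class name ObscuredAwareLoginButton and the tag "OverlayGuard" are assumptions chosen for this example.

```java
// Added example (not from the original post). Hardens a login button against
// overlay/tapjacking windows using public Android APIs only.
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

public class ObscuredAwareLoginButton extends Button {
    private static final String TAG = "OverlayGuard"; // assumed log tag

    public ObscuredAwareLoginButton(Context ctx, AttributeSet attrs) {
        super(ctx, attrs);
        // Framework mitigation: touches that arrive while another window
        // covers this view are discarded before they reach onTouchEvent().
        setFilterTouchesWhenObscured(true);
    }

    @Override
    public boolean onTouchEvent(MotionEvent event) {
        if (isObscured(event)) {
            // Belt and braces: record the event for the SOC and swallow it.
            Log.w(TAG, "touch on login control arrived through an overlay; ignored");
            return true;
        }
        return super.onTouchEvent(event);
    }

    // True when the system reports that another window was covering this
    // view (fully, or partially on API 29+) at the moment of the touch.
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        boolean fully = (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
        boolean partially = Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q
                && (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
        return fully || partially;
    }

    // Call from the login Activity's onCreate(). On Android 12+ this asks the
    // system to hide non-system overlay windows while this window is visible;
    // the manifest must declare android.permission.HIDE_OVERLAY_WINDOWS.
    public static void hardenLoginWindow(Activity activity) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            activity.getWindow().setHideOverlayWindows(true);
        }
    }
}
```

Declare the control in the login layout in place of a plain Button, or set android:filterTouchesWhenObscured="true" on the existing views if subclassing is not an option.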

On-device fraud that banks themselves find difficult to initially detect

On-device fraud refers to fraudulent activities that occur directly on the user’s device, making it challenging for banks or other organizations to detect such activities immediately. Hackers may employ various techniques, such as manipulating transaction data, exploiting vulnerabilities, or using covert channels, to hide their activities from detection mechanisms.

Organizations should be deeply concerned about on-device fraud that banks find difficult to initially detect because it poses significant financial risk, reputational damage, regulatory compliance issues, and erosion of customer trust. Fraud conducted directly on users’ devices results in financial losses for individuals and banks alike, and the difficulty of immediate detection allows hackers to continue their attacks, escalating the risk of further compromise. This not only undermines the trust customers place in financial institutions but also raises compliance concerns and the potential for regulatory penalties. Preventing and mitigating on-device fraud requires robust security measures and proactive monitoring to safeguard customer data and financial transactions.

This concoction of tactics creates a threat that, no doubt, becomes lucrative for threat actors. And by the time they’ve received the illicit funds, they’ve been laundered through countless third parties and perhaps even transferred into crypto. There’s nothing more for victims to do than alert their financial institution, go through the process of submitting a request for a fraud investigation, and seek to regain their stolen funds. That’s costly for the bank and incredibly annoying, at best, for the user.

The Net Net

Today’s ever-advancing banking trojans employ a cacophony of cunning hacking techniques that compromise the security of the world’s top-tier banking mobile apps. While the core attack vectors have largely remained consistent over time, how the malicious code is delivered to targeted phones can vary greatly, including the use of different dropper apps. Even outdated malware can be repurposed by attackers due to the prevalence of aging smartphones. Instead of aiming for complete access to bank accounts, attackers often seek to obtain credit card numbers, personal information, or control over a victim’s phone for malicious purposes. 

Often spanning multiple countries and targeting some of the most well-known financial brands in the world, dangerous trojans underscore the critical need for effective detection methods to identify and prevent attacks on banking applications that nearly everyone relies upon today.