At the time of Zscaler's analysis, these two apps had already accumulated 70,000 installations.

Anatsa banking malware uses a dropper technique: the app that users install initially appears clean.

It retrieves payloads from command-and-control (C2) servers to carry out further malicious activity.


Once that verification succeeds, it downloads the third and final stage from the remote server.

This payload then decrypts a DEX file at runtime using a static key embedded in the code. Because the key is static rather than fetched from the C2 server, the decrypted DEX can be recovered from the sample offline, without executing it.
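The following is an added example of the offline recovery that a static key makes possible; it is not Zscaler's or the article's code. The article does not name the cipher, so a repeating-key XOR stands in for it (an assumption), and the "encrypted" DEX is constructed inline for the demo. The point it illustrates is the analyst's check: after decryption, the result should carry a valid DEX header (magic, adler32 checksum over offset 12 onward, SHA-1 signature over offset 32 onward), which is how you confirm the recovered key and cipher are right before loading the file into a decompiler.

```python
"""Recover and validate a DEX payload protected with a static key.

Added example, not code from the article or from Zscaler. The cipher used by
the real sample is not stated, so repeating-key XOR is assumed here; the
sample DEX and key are constructed for the demo.
"""
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"     # DEX format version 035 magic
HEADER_SIZE = 0x70            # the dex header is always 112 bytes
ENDIAN_CONSTANT = 0x12345678  # little-endian marker in header.endian_tag

# Constructed key standing in for the one embedded in the dropper's code.
STATIC_KEY = b"static-key-in-apk"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_dex() -> bytes:
    """Construct a minimal, self-consistent DEX consisting of a header only.

    Layout: magic(8) | checksum(4) | signature(20) | file_size(4) |
    header_size(4) | endian_tag(4) | 17 further uint32 fields (all zero).
    """
    tail = struct.pack("<III", HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\0" * (HEADER_SIZE - 44)  # link/map/section fields left empty
    signature = hashlib.sha1(tail).digest()          # SHA-1 of bytes 32..end
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF  # adler32 of bytes 12..end
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + tail


def validate_dex(data: bytes) -> dict:
    """Run the DEX header checks an analyst applies to a decrypted blob."""
    report = {"magic": False, "sizes": False, "endian": False,
              "checksum": False, "signature": False}
    if len(data) < HEADER_SIZE or data[:8] != DEX_MAGIC:
        return report  # wrong key or cipher: nothing else is meaningful
    report["magic"] = True
    checksum, = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    report["sizes"] = file_size == len(data) and header_size == HEADER_SIZE
    report["endian"] = endian_tag == ENDIAN_CONSTANT
    report["checksum"] = checksum == (zlib.adler32(data[12:]) & 0xFFFFFFFF)
    report["signature"] = signature == hashlib.sha1(data[32:]).digest()
    return report


def is_valid_dex(data: bytes) -> bool:
    return all(validate_dex(data).values())


def recover_dex(blob: bytes, key: bytes) -> dict:
    """Decrypt a blob with a candidate static key and report header validity."""
    return validate_dex(xor_crypt(blob, key))


if __name__ == "__main__":
    # Simulate the dropper's protected asset, then recover it offline.
    encrypted = xor_crypt(build_sample_dex(), STATIC_KEY)
    print("blob looks like DEX before decryption:", is_valid_dex(encrypted))
    print("with embedded key:", recover_dex(encrypted, STATIC_KEY))
    print("with wrong key:   ", recover_dex(encrypted, b"wrong-key"))
```

With the right key every header check passes; with a wrong key the magic check fails first, so an analyst brute-forcing candidate strings from the APK can stop at the magic test before bothering with the hashes.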

If any targeted app is found on the device, the malware reports this to the C2 server.


In response, the C2 server supplies a fake login page for that banking app, which is shown to the victim in place of the real one to capture credentials.

The threat actors behind Anatsa exfiltrated data by targeting applications from more than 650 financial institutions, primarily in Europe.

source: www.techworm.net