
Android Malware Anatsa Targets 600 Financial Applications to Steal Sensitive User Information

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Researchers at ThreatFabric have discovered a new malware campaign deploying Anatsa, an Android banking trojan that collects users’ financial information. Active since March 2023, the campaign has seen more than 30,000 installations and appears to target users in the US, UK, Germany, Austria, and Switzerland.

The Netherlands-based cybersecurity company has been tracking this malware since 2020, and its operators’ modus operandi has not changed. The Anatsa creators release dropper apps disguised as office/productivity tools such as office suites and PDF readers/editors. To avoid detection during Google’s review process, they initially submit clean apps and later update them with malicious code.

Once installed, the dropper takes the user to a GitHub-hosted page from which an Anatsa payload is downloaded, masquerading as an add-on to the original application. Using keylogging and overlay techniques, the malware extracts financial data including payment information, banking credentials and credit-card details.

This information is later used by cybercriminals to perform phishing attacks. “Anatsa provides them with the capability to perform Device-Takeover Fraud (DTO), which then leads to performing actions (transactions) on the victim’s behalf,” the findings revealed. The stolen money is converted to cryptocurrency and transferred to the malware operators through an extensive network of local money mules.

To date, the malware has successfully avoided detection by the banks’ anti-fraud systems because “transactions are initiated from the same device that targeted bank customers regularly use,” ThreatFabric revealed.

On being notified by the cybersecurity researchers, Google immediately removed the infected apps from its store. However, the creators are known to quickly publish a new disguised version of the app. Before downloading any app, users should therefore check the reviews and prefer well-known apps with a high number of downloads. Having a good antivirus product on the device can also help keep users safe from Android malware.


Personal Data of 2.5M Genworth Policyholders and 769K Retired California Employees and Beneficiaries Hacked

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

The data breach involving the MOVEit file transfer software has claimed more victims. The California Public Employees’ Retirement System (CalPERS), the largest public pension fund in the US, announced that the MOVEit hack had exposed the data of nearly 769,000 retired employees and beneficiaries.

The attack did not directly compromise CalPERS’ internal network; rather, its outsourced partner, PBI Research Services/Berwyn Group, was affected by the file transfer application’s vulnerability. Closely following the CalPERS announcement, US-based Genworth Financial also revealed that the breach at the same vendor had exposed the data of nearly 2.5 million policyholders.

On June 6, 2023, CalPERS was notified of the breach, including details of the personal information downloaded by the unauthorized threat actors. The information included first and last names, dates of birth, and social security numbers. It might also include the names of former or current employers, spouses or domestic partners, and details of children, CalPERS’ notification stated.

Similarly, on June 16, 2023, PBI notified Genworth of the data breach incident of May 29-30, 2023. The downloaded files included personal details of policyholders and insurance agents, such as agent ID, social security number, name, date of birth, full address, and policy number. Genworth clarified that neither its internal network nor its business operations were affected.

Nevertheless, both CalPERS and Genworth have deployed the necessary safeguards to protect affected individuals, including an offer of free credit monitoring and identity theft protection services. The organizations also announced that they will send written letters with instructions on how to enroll in these services.

The Clop ransomware gang, also known as TA505, has claimed responsibility for the MOVEit Transfer attack and threatened to publish the extracted data on its dark web site. The attack, which occurred last month, has already claimed several victims, including the BBC, Ireland’s HSE, the Nova Scotia government and the New York City Department of Education, among others.