Anatsa Android Trojan Targets Victims in the US and Europe


A recent Android malware campaign has been identified, aiming to distribute the Anatsa banking trojan and target customers of financial institutions in the United States, United Kingdom, Germany, Austria, and Switzerland since March 2023.

According to ThreatFabric, the group behind Anatsa intends to steal login credentials for mobile banking apps and use them for Device-Takeover Fraud (DTO), in which fraudulent transactions are initiated from the victim's own device. The cybersecurity company noted that the dropper apps carrying Anatsa, which were found on the Google Play Store, have already amassed over 30,000 installations, which shows that the official app store has become an effective distribution channel for the malware.

Anatsa, also known as TeaBot and Toddler, initially emerged in early 2021 and has been observed disguising itself as harmless utility apps like PDF readers, QR code scanners, and two-factor authentication (2FA) apps on the Google Play Store to extract users' credentials. It has since become one of the most widespread banking trojans, targeting more than 400 financial institutions worldwide.

The trojan has backdoor-like capabilities for data exfiltration and abuses Android's accessibility services API to mount overlay attacks that steal credentials and to log user activity. Because it operates on the victim's real device, it can also sidestep existing fraud controls to execute unauthorized fund transfers.

ThreatFabric pointed out that detecting Anatsa has proven challenging for banking anti-fraud systems since the fraudulent transactions are initiated from the same device regularly used by the targeted bank customers.

Anatsa's Mode of Operation

In the recent campaign observed by ThreatFabric, the dropper app, once installed, sends a request to a GitHub page that redirects to another GitHub URL hosting the malicious payload. The payload is presented to the victim as an add-on for the app, so that installing it looks legitimate. Users are suspected of being directed to these apps through suspicious advertisements.

A notable characteristic of the dropper is its abuse of the restricted "REQUEST_INSTALL_PACKAGES" permission, which allows an app to prompt the user to install additional packages and which has been repeatedly abused by malicious apps distributed through the Google Play Store to install further malware on infected devices. The five dropper apps used in this campaign, with their package names, are as follows:

  • All Document Reader & Editor (com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs)
  • All Document Reader and Viewer (com.muchlensoka.pdfcreator)
  • PDF Reader - Edit & View PDF (lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools)
  • PDF Reader & Editor (com.proderstarler.pdfsignature)
  • PDF Reader & Editor (moh.filemanagerrespdf)
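The package names above and the REQUEST_INSTALL_PACKAGES permission are the concrete indicators a responder can check on a device. The following is an added example, not code from the article or from ThreatFabric: it parses the text that `adb shell pm list packages` and `adb shell dumpsys package <pkg>` produce, flags any installed package on the list, and lists every package that requests the install permission. The sample command output embedded in the script is constructed for the example, not captured from a real device, and the exact dumpsys layout is assumed from recent Android versions.

```python
"""
Offline indicator-of-compromise check for the Anatsa dropper package names
listed in the article. Added example, not ThreatFabric's or the article's
code. Input formats assumed:
  - `adb shell pm list packages`      -> one "package:<name>" per line
  - `adb shell dumpsys package <pkg>` -> a "requested permissions:" block
                                          with one permission per line
The sample output below is constructed for this example.
"""

# The five dropper package names listed in the article.
ANATSA_DROPPER_PACKAGES = {
    "com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs",
    "com.muchlensoka.pdfcreator",
    "lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools",
    "com.proderstarler.pdfsignature",
    "moh.filemanagerrespdf",
}

# Permission the article says the dropper relies on to sideload its payload.
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"


def parse_package_list(pm_output):
    """Turn `pm list packages` output ("package:<name>" per line) into names."""
    return [line[len("package:"):].strip()
            for line in pm_output.splitlines()
            if line.startswith("package:")]


def parse_requested_permissions(dumpsys_output):
    """Collect the entries under the 'requested permissions:' header of
    `dumpsys package <pkg>`. Entries are the lines indented more deeply than
    the header; the block ends at the first blank or less-indented line."""
    perms = set()
    header_indent = None
    for line in dumpsys_output.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if header_indent is None:
            if stripped == "requested permissions:":
                header_indent = indent
            continue
        if not stripped or indent <= header_indent:
            break
        # Some builds append flags, e.g. "android.permission.X: restricted=true".
        perms.add(stripped.split(":")[0].split()[0])
    return perms


def triage(pm_output, dumpsys_by_package):
    """Return installed packages matching the IoC list and every package that
    requests REQUEST_INSTALL_PACKAGES. The second list is a lead, not a
    verdict: browsers and file managers legitimately hold that permission."""
    installed = parse_package_list(pm_output)
    known_droppers = sorted(p for p in installed if p in ANATSA_DROPPER_PACKAGES)
    can_sideload = sorted(
        pkg for pkg, out in dumpsys_by_package.items()
        if INSTALL_PERMISSION in parse_requested_permissions(out)
    )
    return {"known_droppers": known_droppers, "can_sideload": can_sideload}


# Constructed sample output (hypothetical device; not real captures).
SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.muchlensoka.pdfcreator
package:com.example.notes
"""

SAMPLE_DUMPSYS = {
    "com.muchlensoka.pdfcreator": """\
Packages:
  Package [com.muchlensoka.pdfcreator] (1a2b3c):
    versionName=1.0.4
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
""",
    "com.example.notes": """\
Packages:
  Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
""",
}

if __name__ == "__main__":
    report = triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS)
    print("Known Anatsa droppers installed:", report["known_droppers"])
    print("Packages able to prompt for sideload:", report["can_sideload"])
```

On a real device, feed the script the output of `adb shell pm list packages` and one `adb shell dumpsys package <pkg>` call per package of interest. A hit in `known_droppers` is an indicator worth acting on; a hit only in `can_sideload` needs review, since legitimate apps request that permission too.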


All of these dropper apps were updated after their initial release, most likely so that the malicious functionality could be introduced only after the clean first submission had passed Google Play's review process.

The countries of significant interest to Anatsa, based on the number of targeted financial applications, include the United States, Italy, Germany, United Kingdom, France, United Arab Emirates, Switzerland, South Korea, Australia, and Sweden. Finland, Singapore, and Spain are also mentioned in the list of targeted countries.

June 27, 2023
FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.