Anatsa

Malware Profile Updated 10 days ago
Anatsa is an Android banking trojan built to steal financial credentials and data from users of more than 650 banking and financial apps. It reaches devices through apps on Google Play that pose as harmless utilities, most often a file-management app; two specific Anatsa payloads were also observed being delivered by apps impersonating PDF and QR-code reader applications. The app the user installs is only a dropper: it carries no banking-trojan code itself, and the Anatsa payload is retrieved from the command-and-control (C2) server in a later stage. Because the malicious code is not in the APK that Google reviews at submission time, the dropper passes store checks, and this staged delivery from the official store is what lets Anatsa bypass Google's protections and is a major contributor to its relatively high infection rates. For defenders the practical consequence is that a static look at the store listing or the initial APK is not enough; the malicious behaviour only appears after installation.

Once the payload is running, Anatsa requests SMS and accessibility permissions, registers the infected device with the C2 server, and downloads a target list of financial apps. It checks which of those apps are installed on the device and then retrieves the injections (overlay screens shown over the targeted apps) that it uses to harvest the victim's financial data.

Anatsa initially targeted Android users in Europe but has expanded to banking apps in the US and UK. Zscaler's analysis of Google Play found that apps in the "tools" category, the category that covers the file managers and readers Anatsa hides behind, are the most common cover for malware on the store, followed by personalization and photography apps. Other impactful malware currently being distributed on Google Play includes Joker fleeceware, the credential-stealing Facestealer, and various types of adware.
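The capability mix described above (accessibility service plus SMS access plus staged delivery of a second package) is what a triage script should look for in a utility app that has no business needing it. The script below is an added example, not code from this page or from any vendor; the manifest it parses is constructed to mimic a "PDF reader" dropper and is not a real Anatsa sample. The choice of which permissions count as suspicious (REQUEST_INSTALL_PACKAGES for the staged install, QUERY_ALL_PACKAGES for enumerating targets, SYSTEM_ALERT_WINDOW for overlays) is an assumption about what such a dropper typically needs, not something the profile text states.

```python
"""Triage an Android manifest for the dropper/banker capability mix.
Added example, not from the page or any vendor; the manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> behaviour it enables.  Assumption: this is the set a staged
# banking-trojan dropper needs, based on the profile text (SMS, accessibility,
# remote second stage) plus the overlay and package-visibility permissions.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.REQUEST_INSTALL_PACKAGES": "staged_install",
    "android.permission.QUERY_ALL_PACKAGES": "target_enumeration",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest mimicking a "PDF reader" dropper; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="PDF Reader">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, the suspicious capabilities found, and a verdict."""
    root = ET.fromstring(manifest_xml)
    capabilities = set()

    # Declared permissions: map each one we care about to a capability label.
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in SUSPECT_PERMISSIONS:
            capabilities.add(SUSPECT_PERMISSIONS[name])

    # An accessibility service is declared as a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE; its presence is the strongest single signal.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            capabilities.add("accessibility")

    # Decision rule (assumption): a benign reader or file manager has no reason
    # to combine an accessibility service with SMS access or self-installation.
    suspicious = "accessibility" in capabilities and bool(
        capabilities & {"sms", "staged_install"}
    )
    return {
        "package": root.get("package"),
        "capabilities": sorted(capabilities),
        "verdict": "suspicious" if suspicious else "ok",
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Run it against a manifest extracted from an APK (for example the decoded output of apktool) rather than the constructed sample; the rule is deliberately narrow so that an app legitimately built around accessibility, such as a screen reader, is only flagged when it also requests SMS or self-install capability.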
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Teabot (4 votes): TeaBot, also known as Anatsa, is a sophisticated Android banking Trojan that targets applications from over 650 financial institutions. It was first observed to use second-stage dropper applications that appear benign to users, deceiving them into installing the payload. TeaBot utilizes remote paylo

Toddler (2 votes): The malware known as "Toddler," also referred to as Anatsa or TeaBot, first emerged in early 2021. It was typically disguised as harmless utility apps such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to steal users' credentials. However, a resurgence of
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Malware
Android
Fraud
Google
ThreatFabric
Banking
Dropper
Exploit
Zscaler
MaaS
Payload
UK
Phishing
Malvertising
macOS
iMessage
Chrome
GBHackers
Associated Malware
Cerberus (type: unspecified; 1 vote): Cerberus is a type of malware, a harmful software designed to exploit and damage systems. The aggregated description also associates it with various platforms and versions of Siemens Cerberus PRO UL, including the Compact Panel FC922/924 and the Engineering Tool, all versions prior to MP4; that is a fire-safety product line that shares the name but is unrelated to the malware family, so treat that part of the association as a name collision. Additionally, Cerber
Associated Threat Actors
BianLian (type: unspecified; 1 vote): BianLian is a threat actor that has been increasingly active in cybercrimes. The group is known for its malicious activities, including the execution of actions with harmful intent. In a series of recent events, BianLian has exploited vulnerabilities in JetBrains TeamCity, a continuous integration a
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Anatsa malware was read from the documents listed below (display limited to 20 results).
DARKReading (10 days ago): 'BadPack' APK Files Make Android Malware Hard to Detect
DARKReading (2 months ago): 90+ Malicious Apps Totaling 5.5M Downloads Lurk on Google Play
InfoSecurity-magazine (2 months ago): TeaBot Banking Trojan Activity on the Rise, Zscaler Observes
CERT-EU (5 months ago): Mastering proactive cybersecurity: Automated endpoint management and vulnerability remediations
BankInfoSecurity (5 months ago): Breach Roundup: More Fallout From the LockBit Takedown
DARKReading (5 months ago): New Wave of 'Anatsa' Banking Trojans Targets Android Users in Europe
CERT-EU (5 months ago): More countries targeted by Anatsa banking trojan
InfoSecurity-magazine (5 months ago): Anatsa Banking Trojan Resurfaces, Targets European Banks
Securityaffairs (5 months ago): Anatsa Android banking Trojan expands to new countries
InfoSecurity-magazine (8 months ago): India Faces Surge in IM App Attacks With Trojan Campaigns
CERT-EU (10 months ago): How cybercriminals evade mobile app store security measures
BankInfoSecurity (10 months ago): Xenomorph Android Malware Campaign Targets US Banks
CERT-EU (10 months ago): Xenomorph Android Banking Trojan Makes Landfall in US
CERT-EU (10 months ago): Xenomorph Malware Strikes Again: Over 30+ US Banks Now Targeted
CERT-EU (a year ago): New ‘MMRat’ Android Trojan Targeting Users in Southeast Asia
Krebs on Security (a year ago): How Malicious Android Apps Slip Into Disguise
CERT-EU (a year ago): How Malicious Android Apps Slip Into Disguise
CERT-EU (a year ago): Mexico-Based Hacker Targets Global Banks with Android Malware
CERT-EU (a year ago): Cyber security week in review: June 30, 2023
CERT-EU (a year ago): Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland