Anatsa

Malware Profile Updated 2 days ago
Anatsa is a sophisticated Android banking trojan that has caused significant concern across Europe. Often disguised as an innocuous file-management app, it is delivered to Android devices through multi-stage droppers on Google Play, which has led to high infection rates. According to ThreatFabric, the malware's operators have rapidly expanded their area of interest across the Atlantic, following in the footsteps of other prominent Malware-as-a-Service (MaaS) families such as Octo, Hydra, and Hook.

In a campaign tracked by ThreatFabric during the first half of 2023, the threat actors accumulated over 130,000 installations of their weaponized Anatsa droppers from Google's mobile app store. The malware's reach continues to grow: ThreatFabric reports that Anatsa now targets users in Czechia, Slovakia, and Slovenia, among others, following earlier attacks against the U.S., Switzerland, and the UK.

The speed at which the threat actors return with a new dropper after the previous one is removed is particularly concerning; it can take them just days or weeks to publish a new dropper application on the store. At the time of writing, a new Anatsa dropper had been discovered and was still available online.

For the latest campaign, the Anatsa operator used a total of five droppers disguised as free device-cleaner apps, PDF viewers, and PDF reader apps on Google Play. These droppers dynamically retrieve files from the Command and Control (C2) server in stages: first, configuration for a malicious DEX file (the Dalvik Executable format in which Android application code is packaged); then the DEX file itself, containing the code that installs the payload; and finally the code that downloads and installs Anatsa on the device. Researchers from ThreatFabric have monitored Anatsa since its initial discovery and spotted this new wave of attacks beginning in November 2023.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

ID | Votes | Profile Description
Teabot | 4 | TeaBot, also known as Anatsa, is a sophisticated Android banking Trojan that has been active in the malware landscape. It was among the most notorious banking malware families for Android in 2022 alongside Hydra, Flubot, and Sharkbot. Measured by the number of banks targeted, TeaBot ranks alongside
Toddler | 2 | The malware known as "Toddler," also referred to as Anatsa or TeaBot, first emerged in early 2021. It was typically disguised as harmless utility apps such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to steal users' credentials. However, a resurgence of
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Malware
Android
Fraud
Google
Threatfabric
Banking
Dropper
Exploit
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Anatsa malware was read from the document corpus below. This display is limited to 20 results.

Source | Created | Title
DARKReading | 2 days ago | 90+ Malicious Apps Totaling 5.5M Downloads Lurk on Google Play
CSO Online | a year ago | New Android banking trojan targets US, UK, and Germany
InfoSecurity-magazine | 3 months ago | Anatsa Banking Trojan Resurfaces, Targets European Banks
Securityaffairs | 3 months ago | Anatsa Android banking Trojan expands to new countries
InfoSecurity-magazine | a year ago | Anatsa Banking Trojan Targets Banks in US, UK and DACH Region
CERT-EU | a year ago | This Dangerous Android Trojan Performs On-Device Fraud to Steal Your Money
CERT-EU | a year ago | Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland
DARKReading | 3 months ago | New Wave of 'Anatsa' Banking Trojans Targets Android Users in Europe
CERT-EU | a year ago | New Anatsa campaign hitting banks in US, UK and DACH countries
CERT-EU | 10 months ago | How Malicious Android Apps Slip Into Disguise
Krebs on Security | 10 months ago | How Malicious Android Apps Slip Into Disguise
BankInfoSecurity | 3 months ago | Breach Roundup: More Fallout From the LockBit Takedown
CERT-EU | a year ago | Anatsa Malware Spotted on Google Play Attack Banking Customers | IT Security News
CERT-EU | 3 months ago | More countries targeted by Anatsa banking trojan
CERT-EU | a year ago | Cyber security week in review: June 30, 2023
CERT-EU | 3 months ago | Mastering proactive cybersecurity: Automated endpoint management and vulnerability remediations
CERT-EU | 8 months ago | How cybercriminals evade mobile app store security measures
CERT-EU | a year ago | Mexico-Based Hacker Targets Global Banks with Android Malware
InfoSecurity-magazine | 2 days ago | TeaBot Banking Trojan Activity on the Rise, Zscaler Observes