Anatsa

Malware updated 4 months ago (2024-07-17T20:17:39.234Z)

Download STIX

Preview STIX

Anatsa, a sophisticated Android banking trojan, is a malware designed to exploit and damage your device while stealing user financial data. It often masquerades as an innocuous file-management app to trick users into downloading it. Once installed, Anatsa downloads a target list of financial apps from the command-and-control (C2) server and checks if these apps are installed on the device. It then requests various permissions, including SMS and accessibility options, and establishes communication with the C2 server to carry out activities such as registering the infected device and retrieving a list of targeted applications for code injections. The malware utilizes a multi-stage approach to infect Android devices. Initially, it uses remote payloads retrieved from C2 servers to carry out further malicious activity. The droppers on Google Play deliver Anatsa onto Android devices in stages, contributing to relatively high infection rates. In addition, two specific Anatsa payloads were observed being distributed via apps impersonating PDF and QR-code reader applications. This strategic approach allows the malware to be uploaded to the official Google Play Store and evade detection. Despite Google's efforts to block malicious apps, Anatsa employs an attack vector that can bypass these protections. The malware, which can extract data from more than 650 financial apps, initially targeted Android users in Europe but has expanded its focus to include banking apps in the US and UK. Zscaler's analysis revealed that tools like those behind Anatsa are the most commonly used to hide malware on the mobile app store, followed by personalization and photography apps. Other impactful malwares currently being distributed on Google Play include Joker fleeceware, the credential-stealing Facestealer, and various types of adware.

Description last updated: 2024-07-17T20:16:01.125Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Teabot is a possible alias for Anatsa. TeaBot, also known as Anatsa, is a sophisticated malware that has been impacting Android devices. It first emerged as a significant threat in 2022 when it was identified as one of the most active banking malware families alongside Flubot, Sharkbot, and Hydra. TeaBot, along with other notable banking	4
Toddler is a possible alias for Anatsa. The malware known as "Toddler," also referred to as Anatsa or TeaBot, first emerged in early 2021. It was typically disguised as harmless utility apps such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to steal users' credentials. However, a resurgence of	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Trojan

Malware

Android

Fraud

Banking

Google

Dropper

Threatfabric

Exploit

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Anatsa Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Malwarebytes	9 months ago	Android banking trojans: How they steal passwords and drain bank accounts
DARKReading	4 months ago	'BadPack' APK Files Make Android Malware Hard to Detect
DARKReading	6 months ago	90+ Malicious Apps Totaling 5.5M Downloads Lurk on Google Play
InfoSecurity-magazine	6 months ago	TeaBot Banking Trojan Activity on the Rise, Zscaler Observes
CERT-EU	9 months ago	Mastering proactive cybersecurity: Automated endpoint management and vulnerability remediations
BankInfoSecurity	9 months ago	Breach Roundup: More Fallout From the LockBit Takedown
DARKReading	9 months ago	New Wave of 'Anatsa' Banking Trojans Targets Android Users in Europe
CERT-EU	9 months ago	More countries targeted by Anatsa banking trojan
InfoSecurity-magazine	9 months ago	Anatsa Banking Trojan Resurfaces, Targets European Banks
Securityaffairs	9 months ago	Anatsa Android banking Trojan expands to new countries
InfoSecurity-magazine	a year ago	India Faces Surge in IM App Attacks With Trojan Campaigns
CERT-EU	a year ago	How cybercriminals evade mobile app store security measures
BankInfoSecurity	a year ago	Xenomorph Android Malware Campaign Targets US Banks
CERT-EU	a year ago	Xenomorph Android Banking Trojan Makes Landfall in US
CERT-EU	a year ago	Xenomorph Malware Strikes Again: Over 30+ US Banks Now Targeted
CERT-EU	a year ago	New ‘MMRat’ Android Trojan Targeting Users in Southeast Asia
Krebs on Security	a year ago	How Malicious Android Apps Slip Into Disguise
CERT-EU	a year ago	How Malicious Android Apps Slip Into Disguise
CERT-EU	a year ago	Mexico-Based Hacker Targets Global Banks with Android Malware
CERT-EU	a year ago	Cyber security week in review: June 30, 2023