Anatsa

Malware updated 23 days ago (2024-11-29T14:19:33.568Z)
Anatsa is an Android banking trojan that steals financial data from infected devices. It is distributed through dropper apps on Google Play that pose as innocuous utilities such as file managers, PDF viewers and QR-code readers: the dropper is benign enough to pass store review, and only after installation does it fetch the banking payload from an attacker-controlled server. This staged delivery is what gets the campaign onto the official store and keeps infection counts relatively high despite Google's efforts to block malicious apps.

Once the payload is running, it requests SMS and accessibility permissions, registers the infected device with its command-and-control (C2) server, and downloads a list of targeted financial apps. It checks which of those apps are installed on the device and retrieves the matching injection code (fake login overlays shown on top of the real app) so it can capture credentials when the victim opens a targeted banking app. Two specific Anatsa payloads were observed being delivered by droppers impersonating PDF and QR-code reader applications.

Anatsa can target more than 650 financial apps. It initially focused on Android users in Europe and has since expanded to banking apps in the US and UK. Zscaler's analysis of malicious apps on Google Play found that apps in the "tools" category, the kind of utility apps Anatsa droppers imitate, are the most common cover for malware on the store, followed by personalization and photography apps. Other malware families distributed on Google Play in the same period include the Joker fleeceware, the credential-stealing Facestealer, and various types of adware.
Description last updated: 2024-07-17T20:16:01.125Z
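Two of the behaviours described above can be checked directly on a handset during triage: a second-stage package installed by another app rather than by the store, and an accessibility service enabled for a package nobody expects. The script below is an added example written for this page, not code from the original description or from any vendor report; the package names, the trusted-installer and accessibility allowlists, and the adb output it parses are constructed for illustration.

```python
"""Triage helper for two Anatsa-style traits: a payload installed by another
app instead of the store (staged delivery) and an accessibility service enabled
for an unexpected package.  It parses the text of two adb commands; the sample
output below is constructed, not captured from a real device."""
import re

# Installers treated as trusted sources (assumption for this example).
TRUSTED_INSTALLERS = {"com.android.vending", "com.google.android.packageinstaller"}
# Packages allowed to run an accessibility service (hypothetical allowlist).
ALLOWED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}

# Line format of `adb shell pm list packages -i`:
#   package:<name>  installer=<installer package or null>
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample: a PDF-viewer lure from the Play store that later installed
# an "update" package, which then enabled its own accessibility service.
SAMPLE_PM = """\
package:com.android.vending  installer=null
package:com.google.android.marvin.talkback  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.pdfviewer  installer=com.android.vending
package:com.example.pdfviewer.update  installer=com.example.pdfviewer
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.pdfviewer.update/.StealthAccessibilityService"
)


def parse_installed(pm_output):
    """Map package name -> installer package ('null' when unknown or system)."""
    installed = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            installed[m.group(1)] = m.group(2)
    return installed


def parse_a11y(settings_output):
    """Return the set of packages with an enabled accessibility service.
    The setting is a colon-separated list of pkg/ServiceClass entries, or 'null'."""
    value = settings_output.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(pm_output, settings_output):
    """Return a list of (finding, package, detail) tuples."""
    installed = parse_installed(pm_output)
    findings = []
    for pkg, installer in installed.items():
        # A package installed by another installed app rather than a store:
        # the dropper -> payload pattern. The detail records the installing app.
        if installer != "null" and installer not in TRUSTED_INSTALLERS and installer in installed:
            findings.append(("staged_install", pkg, installer))
    for pkg in sorted(parse_a11y(settings_output) - ALLOWED_A11Y_PACKAGES):
        # Detail: where the package holding the accessibility service came from.
        findings.append(("unexpected_accessibility_service", pkg, installed.get(pkg, "unknown")))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(*finding)
```

On a real device the two inputs are the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`; the allowlists need to be tuned to the fleet, since legitimate screen readers and MDM agents also hold accessibility services.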
Possible Aliases / Cluster overlaps
Vendors' cluster names and naming conventions overlap imperfectly, so the following are possible overlapping names / profiles that may also be relevant. The vote count reflects community agreement with each alias.

Teabot (4 votes): Teabot is a possible alias for Anatsa. TeaBot, also known as Anatsa, is a sophisticated malware that has been impacting Android devices. It first emerged as a significant threat in 2022 when it was identified as one of the most active banking malware families alongside Flubot, Sharkbot, and Hydra. TeaBot, along with other notable banking

Toddler (2 votes): Toddler is a possible alias for Anatsa. The malware known as "Toddler," also referred to as Anatsa or TeaBot, first emerged in early 2021. It was typically disguised as harmless utility apps such as PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to steal users' credentials. However, a resurgence of
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Trojan
Malware
Android
Fraud
Banking
Google
Dropper
Threatfabric
Exploit
Source Document References
Information about the Anatsa malware was read from the documents in the corpus below, listed by source and age at the time the page was generated. This display is limited to 20 results.

Malwarebytes (10 months ago)
DARKReading (5 months ago)
DARKReading (7 months ago)
InfoSecurity-magazine (7 months ago)
CERT-EU (10 months ago)
BankInfoSecurity (10 months ago)
DARKReading (10 months ago)
CERT-EU (10 months ago)
InfoSecurity-magazine (10 months ago)
Securityaffairs (10 months ago)
InfoSecurity-magazine (a year ago)
CERT-EU (a year ago)
BankInfoSecurity (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
Krebs on Security (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)
CERT-EU (a year ago)