Verticals Targeted: Financial
Executive Summary
Anatsa is a banking trojan targeting Android devices that is distributed through the Google Play store, disguised as a seemingly innocuous app.
Key Takeaways
- Anatsa is a banking trojan targeting Android devices that has been active since at least 2020.
- Anatsa is distributed through the Google Play store disguised as a seemingly innocuous app.
- Anatsa possesses advanced device takeover capabilities and can bypass a variety of fraud control mechanisms.
- Anatsa infections have led to real loss and fraud in multiple cases.
What is Anatsa?
ThreatFabric recently reported on Anatsa, a banking trojan targeting Android devices that has been active since at least 2020. Anatsa is distributed through the Google Play store, disguised as a seemingly innocuous app. At this time, over 30,000 devices have installed Anatsa. Anatsa has targeted users in the US, the UK, and the DACH region of Europe (Germany, Austria, and Switzerland). ThreatFabric researchers were able to confirm that Anatsa infections have led to real loss and fraud in multiple cases.
Anatsa possesses advanced device takeover capabilities and can bypass a variety of fraud control mechanisms. Anatsa is delivered via malicious versions of applications, with over 90 applications affected. While Anatsa heavily targets users in the US, UK, and DACH region, other applications carrying Anatsa indicate the threat actors may be planning to expand their targeting to Spain, Finland, South Korea, and Singapore.
The Anatsa campaign reported by ThreatFabric began in March 2023. This appeared to be renewed activity following a six-month hiatus. The dropper ThreatFabric analyzed masqueraded as a PDF reader application. When a user installs the application, it makes a request to a GitHub page from which the dropper obtains the URL for the payload download. The payloads posed as add-ons to the original app. Because the app is installed as a file management-related application, it already holds broader capabilities and permissions than most apps; as a result, the malicious code downloaded later does not need to request any additional permissions. ThreatFabric discovered at least five different droppers between March and June 2023.
Anatsa’s “fraud kill chain” begins with app distribution via the Google Play store. Victims are often lured by advertisements that link to the app store. Post-infection, Anatsa can collect a variety of victim information, including credentials, credit card information, and balance and payment information, using overlay attacks and keylogging. Anatsa also has device takeover fraud capabilities, allowing the threat actors to perform transactions on the victim's device. Since the transaction is initiated from a trusted device, a financial institution’s anti-fraud systems are unlikely to detect the transaction as suspicious.
IOCs
PolySwarm has a sample associated with Anatsa.
7231546ee377738cbe9075791eb6e76b7bc163c1b91831e05e81b4756fff4028
You can use the following CLI command to search for all Anatsa samples in our portal:
$ polyswarm link list -f Anatsa