Regions Targeted: US, Canada
Related Families: None
Key Takeaways
What is Anatsa?
Anatsa’s infection chain begins with seemingly benign applications, such as PDF readers or file managers, uploaded to the Google Play Store. These apps initially function as advertised and amass thousands of downloads. Once a user base is established, a malicious update embeds the Anatsa payload, often disguised as an app add-on. A notable example from the June campaign involved a PDF reader dropper that ranked among the top three “Top Free Tools” in the US Google Play Store, achieving over 50,000 downloads before removal. The dropper retrieved payload URLs from a GitHub page, and because the app already held file-management capabilities it could deliver the payload without requesting any additional permissions.
Once installed, Anatsa executes a sophisticated fraud kill chain. The trojan employs overlay attacks and keylogging to steal credentials, credit card details, and banking information. A deceptive overlay message, such as “Scheduled Maintenance,” obscures malicious activity and delays user intervention. Anatsa’s device takeover functionality allows operators to initiate fraudulent transactions directly from infected devices, bypassing anti-fraud systems that trust the device’s legitimacy. This capability has proven effective, with industry researchers confirming real-world fraud across multiple cases.
The North American campaign, active from June 24 to 30, is the third Anatsa campaign to focus on the US and Canada. The trojan’s target list has expanded to include a broader range of mobile banking applications, underscoring its adaptability. Anatsa’s cyclical activity, alternating between active distribution and dormancy, helps it evade detection. At least five distinct droppers were identified during the March-to-June period, each following the same playbook: a legitimate app is published first, then a malicious update is pushed. Anatsa’s persistence and technical sophistication make it a significant threat to financial institutions. Its ability to exploit the trust placed in the Google Play Store, combined with advanced evasion tactics, demands heightened vigilance from malware analysts and security teams.
IOCs
PolySwarm has multiple samples of Anatsa.
1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c
16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d
2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb
2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5
d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4
974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544
7231546ee377738cbe9075791eb6e76b7bc163c1b91831e05e81b4756fff4028
You can use the following CLI command to search for all Anatsa samples in our portal:
$ polyswarm link list -f Anatsa
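As an added defender-side example (not part of the PolySwarm report and not PolySwarm’s own tooling), the following Python script loads the SHA-256 IOCs published above, validates and deduplicates them, and checks both a list of observed hashes (as exported from an EDR or MDM console) and files on disk against the set. The file names, the `.apk` suffix filter and the sample files written by `self_check()` are constructed for the example; only the hash values come from the report.

```python
"""Match observed file hashes and files on disk against the Anatsa SHA-256 IOCs.

Added example for this report; the hash values come from the IOC list above,
everything else (paths, suffix filter, sample files) is constructed here.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Iterable

# SHA-256 digests published in the report's IOC section, one per line.
ANATSA_IOCS_RAW = """
1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c
16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d
2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb
2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5
d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4
974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544
7231546ee377738cbe9075791eb6e76b7bc163c1b91831e05e81b4756fff4028
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(text: str) -> set[str]:
    """Parse one digest per line: lower-case, skip blanks, and reject anything
    that is not 64 hex characters so a truncated or mistyped indicator fails loudly."""
    iocs: set[str] = set()
    for line in text.splitlines():
        digest = line.strip().lower()
        if not digest:
            continue
        if not SHA256_RE.match(digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        iocs.add(digest)
    return iocs


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-megabyte APKs are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(observed: Iterable[str], iocs: set[str]) -> set[str]:
    """Case-insensitive intersection for digests exported from an EDR/MDM console."""
    return {h.strip().lower() for h in observed} & iocs


def scan_directory(root: Path, iocs: set[str], suffixes=(".apk",)) -> dict[str, str]:
    """Return {path: digest} for every file under root whose digest is an IOC.
    The suffix filter is an assumption; pass suffixes=() to hash nothing, or
    extend the tuple to cover other package formats."""
    hits: dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            digest = sha256_of_file(p)
            if digest in iocs:
                hits[str(p)] = digest
    return hits


def self_check() -> int:
    """Write two constructed .apk files to a temp dir, treat one of them as
    known-bad by adding its digest to a copy of the IOC set, and return the hit count."""
    iocs = set(load_iocs(ANATSA_IOCS_RAW))
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "reader.apk"
        bad.write_bytes(b"constructed sample: stands in for a dropper APK")
        (root / "clean.apk").write_bytes(b"constructed sample: benign app")
        iocs.add(sha256_of_file(bad))
        return len(scan_directory(root, iocs))


if __name__ == "__main__":
    iocs = load_iocs(ANATSA_IOCS_RAW)
    print(f"{len(iocs)} unique Anatsa IOCs loaded")
    print("self-check hits:", self_check())
```

Hash matching only catches the exact samples listed; a repackaged dropper will not match, so treat a hit as confirmation and a miss as inconclusive, and pair this with the Play Store update behaviour described above when triaging a device.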