Malware – Anatsa Banking Trojan for Android

Tuesday, June 27th, 2023


Cyber security risk management solutions from DefenseStorm.

Since March of 2023 a new mobile malware has been pushing the Android banking trojan “Anatsa” to online banking customers located in the United States, United Kingdom, Austria, Switzerland and Germany. It has since become one of the most prolific banking malware, targeting over 400 financial institutions across the world.

The attackers have been distributing this malware through Android’s Google PlayStore and there have already been over 30,000 installations. The malware is pushed by impersonating PDF Scanners, Adobe Illustrator apps, fitness apps and QR Code Scanners. The attackers took a six-month hiatus before launching a new malvertizing campaign. The malware is still being distributed via apps from Android’s Google PlayStore category office/productivity (PDF Viewer, office suites and editor apps). Below is an app that was previously found on the PlayStore before it was taken down due to being identified as malware:  

Malicious App - PDF Viewer

Once the above app was taken down, the attackers continued their campaign by uploading a new dropper under a different impersonation app.

Behavioral Summary 

The attackers submitted their impersonator apps in a clean form and then later updated those apps with the malicious code. Once the app was installed on the victim’s device, the dropper apps then request an external resource via GitHub where they then download the Anatsa payloads. These payloads are masqueraded as a text recognizer add-ons for Adobe Illustrator. Once that payload is dropped, Anatsais able to obtain financial information from the victim via overlaying phishing pages when the user attempts to open their legitimate banking app. The payload also collects information via a keylogger.

Anatsa uses the stolen information to conduct on-device fraud. It will perform transactions on the victim’s behalf and begin a money-stealing process for the operators. The stolen money is then turned into cryptocurrency and passed through a rigorous network of money mules until it reaches the attacker.

The trojan features backdoor-like capabilities to steal data and also performs overlay attacks in order to steal credentials as well as log activities by abusing its permissions to Android’s accessibility services API. It can further bypass existing fraud control mechanisms to carry out unauthorized fund transfers.

“Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect it,” ThreatFabric noted.

Protecting yourself and your Android device

It’s important to be vigilant when installing apps on your device from the PlayStore. Be on the lookout for apps that are from dubious publishers, and always check the reviews for any indication of malicious behavior from the app.

Below is the list of the known Anatsa droppers:

Anatsa Droppers

DefenseStorm Recommendations

DefenseStorm recommends informing your customer base about the importance of being vigilant when it comes to installing applications from any App store.

Continuous research is being conducted for all newly discovered or recurring malware and ransomware. As always, DefenseStorm recommends the following practices to help secure your environment:

  • Continued internal training for phishing campaigns
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities
  • Maintain a strong password policy
  • Enable multi-factor authentication
  • Regularly back up data, air gap, and password backup copies offline
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Use app hardening
  • Restrict administrative access

Additional Sources:

  1. hxxps://
  2. hxxps://
  3. hxxps://

Ian Gibson

Cyber Threat Intelligence Engineer

Ian Gibson is a Cyber Threat Intelligence Engineer for DefenseStorm. He joined the company in 2019 after graduating with a bachelor’s in Information Technology from the University of North Carolina: Wilmington. During his time at UNCW, he completed a specialized curriculum path in Cyber Defense Education. Joining DefenseStorm first as an intern, Ian worked in many positions throughout the company, which allowed him to become an expert in several areas of the platform. During his cyber career, Ian has been instrumental in proactively detecting and responding to cyber incidents, developing new policies and analytics to improve the detection and prevention of potential attacks, and training customers to better utilize DefenseStorm’s services. Ian has completed all tracks of the MITRE ATT&CK® Defender certifications, which helped him gain a better understanding of how to apply the knowledge of adversary behaviors to improve security configurations, analytics, and decision-making when it comes to best protecting DefenseStorm clients. Ian also holds a GIAC Cyber Threat Intelligence (GCTI) certification.