Connect with us

Hi, what are you looking for?


Malware & Threats

Anatsa Android Banking Trojan Continues to Spread via Google Play

Recent Anatsa Android banking trojan attacks have become more targeted, showing an evolution in tactics.

The Android banking trojan named Anatsa has evolved and its attacks are more targeted, online fraud detection firm ThreatFabric reports.

Active for roughly four years, Anatsa can target more than 600 mobile banking applications worldwide, infecting devices via malicious droppers uploaded to Google Play. Three identified droppers had amassed roughly 30,000 installs via the application store in June last year.

The malware can take over infected devices, allowing its operators to perform various actions on behalf of the victim, including fraudulent transactions.

As part of a campaign that started in November 2023, the attackers expanded their targeting to Slovakia, Slovenia, and Czechia, promoting dropper applications that often reach the top 3 new free applications in Google Play.

To date, the cybersecurity firm observed five attack waves, each focused on a different region, as well as evolved tactics that include a multi-staged infection process, the ability to bypass Android 13’s protections, and abuse of Accessibility Services.

While Google’s recent policies strictly restrict the use of Accessibility Services to applications that declare a clear explanation for requiring the permission, Anatsa’s operators managed to circumvent that by publishing a dropper that claimed to need the permissions to “hibernate draining apps”.

One week after the application was published in Google Play, the attackers pushed an update that enabled it to execute malicious actions via Accessibility Services, including clicking buttons. The dropper specifically targeted Samsung devices.

“Based on our findings, we believe there is potential for future adaptations to target other manufacturers. In contrast, other droppers in the campaign did not contain such manufacturer-specific code, posing a threat to all devices regardless of the vendor,” ThreatFabric says.

Advertisement. Scroll to continue reading.

To avoid detection, the malware developers implemented a multi-staged infection process that included the downloading of a DEX file from a remote location and its dynamic loading in memory. ThreatFabric identified three droppers employing dynamically loaded DEX files.

“As of this report, the current campaign involves five droppers with over 100,000 total installations. We anticipate the continuation of this campaign, with new droppers appearing in the official store and an expansion into additional targeted regions. The threat actors have a history of shifting focus between regions within a single campaign,” ThreatFabric notes.

“All of the apps identified in the report have been removed from Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson told SecurityWeek in an emailed comment.

*Updated with a statement from Google.

Related: Xenomorph Android Banking Trojan Targeting Users in US, Canada

Related: New ‘MMRat’ Android Trojan Targeting Users in Southeast Asia

Related: ‘Nexus’ Android Trojan Targets 450 Financial Applications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Kim Larsen is new Chief Information Security Officer at Keepit

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...