Full Report
The Anatsa banking trojan has sneaked into Google Play once more via an app posing as a PDF viewer that counted more than 50,000 downloads. [...]
Analysis Summary
# Tool/Technique: Anatsa
## Overview
Anatsa is an Android banking trojan that periodically infiltrates the Google Play Store disguised within seemingly legitimate applications. Its primary purpose is to steal credentials from targeted US banking applications via overlay attacks.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android
- Capabilities: Overlay attacks to intercept banking credentials, communication with a Command-and-Control (C2) server, fetches and installs a secondary malicious payload.
- First Seen: Not stated in the source; the current variant was active in late June 2025 (the year is implied by the dates of related articles).
## MITRE ATT&CK Mapping
*Note: Since this is a mobile threat, the most relevant mappings come from the Mobile matrix. Based on the described behaviour (overlay attacks, C2 communication, staged payload installation), the following mappings are inferred.*
- **TA0027 - Initial Access (Mobile)**
  - T1456 - Drive-By Compromise (via trojanized app installation from Google Play)
- **TA0037 - Command and Control (Mobile)**
  - T1437.001 - Application Layer Protocol: Web Protocols (C2 communication)
- **TA0030 - Defense Evasion (Mobile)**
  - T1407 - Download New Code at Runtime (fetching and installing the secondary Anatsa payload as a separate application)
## Functionality
### Core Capabilities
- **Infiltration via Google Play:** Malicious code is introduced via an update to a previously legitimate app after it gains traction.
- **Staged Infection:** The initial app fetches and installs the main Anatsa payload as a separate, malicious application.
- **Target Monitoring:** Upon installation, Anatsa communicates with its C2 server to receive a list of banking applications to monitor on the device.
- **Credential Theft:** It performs overlay attacks targeting the user interface of these specific banking apps to capture sensitive information.
### Advanced Features
- Hides its presence by being introduced via an update to an already popular, seemingly benign application, bypassing initial scrutiny.
## Indicators of Compromise
- **File Hashes:** N/A (Not provided in the context)
- **File Names:** N/A (The article focuses on the delivery mechanism within Google Play apps)
- **Registry Keys:** N/A (Android environment)
- **Network Indicators:** Connects to a remote Command-and-Control (C2) server to receive target lists and further instructions; the C2 address is not given in the source (placeholder: **[C2_domain_or_IP]**).
- **Behavioral Indicators:** Installation of a secondary, distinct application post-initial download; attempting to draw content over legitimate banking applications (overlay).
## Associated Threat Actors
- Not explicitly named in the provided text snippet, but associated with financially motivated Android malware campaigns.
## Detection Methods
- **Signature-based detection:** Requires signatures for the known Anatsa payloads.
- **Behavioral detection:** Monitoring for apps that draw over legitimate banking applications, and for packages installed by another user-level app rather than by the store (the staged secondary install).
- **YARA rules:** N/A (Not provided in the context)
- **Google Play Protect:** Automatically warns users or blocks apps known to exhibit malicious behavior on devices with Google Play Services.
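As an added example (not part of the report or of any vendor tooling), the following Python triage helper turns the two behavioral indicators above into a repeatable check over data an analyst can pull from a device with `adb`. It parses the real line format printed by `adb shell pm list packages -i` (`package:<name>  installer=<installer>`) to find packages whose recorded installer is another user-level app rather than the Play Store or the platform installer, and combines that with the per-package result of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` to see whether the package may draw over other apps. All package names and the `appops` output lines are constructed for this example, and the assumed `appops` output format (`SYSTEM_ALERT_WINDOW: allow` / `deny` or `No operations.`) is an assumption, not something taken from the report.

```python
"""Triage helper for staged-install and overlay indicators on Android.

Inputs are text captured via adb; the samples below are constructed for
this example (package names are made up, the PM list line format is real,
the appops output format is assumed).
"""
import re
from dataclasses import dataclass

# Real line format of `adb shell pm list packages -i`.
PM_LIST_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")

# Installers expected on a stock device: Play Store, the platform package
# installer, and "null" (pre-installed system packages).
EXPECTED_INSTALLERS = {"com.android.vending", "com.google.android.packageinstaller", "null"}

# Constructed sample output of `pm list packages -i` (names are made up).
SAMPLE_PM_LIST = """\
package:com.android.settings  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.pdfreader  installer=com.android.vending
package:com.example.pdfreader.update  installer=com.example.pdfreader
package:com.examplebank.mobile  installer=com.android.vending
"""

# Constructed results of `appops get <pkg> SYSTEM_ALERT_WINDOW`, keyed by package.
SAMPLE_APPOPS = {
    "com.example.pdfreader": "No operations.",
    "com.example.pdfreader.update": "SYSTEM_ALERT_WINDOW: allow; time=+2m14s ago",
    "com.examplebank.mobile": "SYSTEM_ALERT_WINDOW: deny",
}


@dataclass
class Finding:
    package: str
    severity: str   # "high" (both indicators) or "medium" (one indicator)
    reasons: list


def parse_pm_list(text: str) -> dict:
    """Map package name -> installer package name from `pm list packages -i` output."""
    installed = {}
    for line in text.splitlines():
        m = PM_LIST_RE.match(line.strip())
        if m:
            installed[m["pkg"]] = m["installer"]
    return installed


def find_staged_installs(installed: dict) -> list:
    """Return sorted (payload, dropper) pairs where the recorded installer is a
    user-level package rather than the store or the platform installer."""
    return sorted((pkg, inst) for pkg, inst in installed.items()
                  if inst not in EXPECTED_INSTALLERS)


def overlay_allowed(appops_output: str) -> bool:
    """True when the assumed appops output reports SYSTEM_ALERT_WINDOW as allowed."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1) == "allow"


def triage(pm_list_text: str, appops: dict) -> list:
    """Combine both indicators into per-package findings, highest severity first."""
    installed = parse_pm_list(pm_list_text)
    installed_by = {}   # payload -> dropper
    dropped = {}        # dropper -> [payloads]
    for payload, dropper in find_staged_installs(installed):
        installed_by[payload] = dropper
        dropped.setdefault(dropper, []).append(payload)

    findings = []
    for pkg in installed:
        reasons = []
        if pkg in installed_by:
            reasons.append(f"installed by another app ({installed_by[pkg]}), not by the store")
        if pkg in dropped:
            reasons.append(f"installed other packages ({', '.join(dropped[pkg])})")
        if overlay_allowed(appops.get(pkg, "")):
            reasons.append("holds SYSTEM_ALERT_WINDOW (can draw over other apps)")
        if reasons:
            severity = "high" if len(reasons) >= 2 else "medium"
            findings.append(Finding(pkg, severity, reasons))
    findings.sort(key=lambda f: (f.severity != "high", f.package))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_APPOPS):
        print(f"[{f.severity}] {f.package}: " + "; ".join(f.reasons))
```

In the constructed sample, the secondary package `com.example.pdfreader.update` is rated high because it was installed by `com.example.pdfreader` and may draw over other apps, while the dropper itself is rated medium for having installed another package. The installer field is not tamper-proof, so treat a hit as a lead for manual review rather than a verdict.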
## Mitigation Strategies
- **Prevention:** Only install apps from reputable publishers.
- **Verification:** Carefully check user reviews and requested permissions before installing or updating apps.
- **Hygiene:** Keep the number of installed applications to a necessary minimum.
- **Post-Infection Response:** Uninstall the potentially affected app immediately, run a full system scan using Google Play Protect, and reset banking account credentials.
## Related Tools/Techniques
- Other Android banking trojans utilizing overlay techniques (e.g., Fakel, ATM2).
- Techniques involving the updating of seemingly clean F-Droid or Google Play apps to introduce malware after initial trust is established.