29 September 2024

Anatsa Trojan: a persistent threat to mobile banking


The Anatsa trojan, a potent Android banking malware, poses a significant threat to mobile banking security. Its ability to steal credentials and perform unauthorised transactions from the victim's own device makes it particularly harmful. Active since 2020, Anatsa targets Android devices and reaches them through apps that abuse gaps in the Google Play Store's app review process rather than any flaw in Android itself.

The Threat

Anatsa disguises itself as legitimate-looking utility apps such as PDF readers and phone cleaners. Once installed, the app requests extensive permissions, including access to Android's Accessibility Service, and later updates itself with malicious code. It abuses the Accessibility Service to read screen content, intercept user interactions and steal banking credentials.

Technical Details

Anatsa uses a botnet architecture in which infected devices report to a Command and Control (C2) server. The malware operates in multiple stages:

  1. Initial Installation: A clean dropper app, passing Play Store review, is installed from the Play Store.
  2. Malicious Update: The app later fetches a payload from the C2 server and loads it, enabling the banking-fraud functions.
  3. Data Exfiltration: It intercepts credentials and other user data and sends them to the C2 server.

Code Snippet:

The following decompiled fragment shows how Anatsa gates its behaviour on the device manufacturer, the Android version and the network country. If any check fails, the sample launches its fallback (benign) activity and returns, so the malicious code only runs on targeted devices in targeted countries. This targeted approach increases the trojan's effectiveness and keeps the payload dormant elsewhere:

// Decompiled fragment; context0, class0, intent0 etc. are decompiler placeholder names
// (context0 = caller's Context, class0 = fallback activity started when a check fails).
// Needs android.os.Build, android.content.Intent and android.telephony.TelephonyManager.
// Gate 1: device must be a Samsung running Android 13 (API level 33).
if (!Build.MANUFACTURER.equalsIgnoreCase("samsung") || Build.VERSION.SDK_INT != 33) {
    Intent intent0 = new Intent(context0, class0);
    intent0.addFlags(0x10000000);  // Intent.FLAG_ACTIVITY_NEW_TASK
    context0.startActivity(intent0);
    return;  // show the benign UI; the malicious path is never reached
}
// Gate 2: ISO country code of the current network operator ("phone" = Context.TELEPHONY_SERVICE).
// An empty code (no SIM / no network, typical of emulators) is replaced with "uat", which matches nothing below.
TelephonyManager telephonyManager0 = (TelephonyManager) context0.getSystemService("phone");
String s = telephonyManager0.getNetworkCountryIso().isEmpty() ? "uat" : telephonyManager0.getNetworkCountryIso();
// Targets: Germany, Netherlands, Spain, United Kingdom, Hong Kong, Czechia, Slovakia.
if (!s.startsWith("de") && !s.startsWith("nl") && !s.startsWith("es") && !s.startsWith("gb") && !s.startsWith("hk") && !s.startsWith("cz") && !s.startsWith("sk")) {
    Intent intent1 = new Intent(context0, class0);
    intent1.addFlags(0x10000000);  // Intent.FLAG_ACTIVITY_NEW_TASK
    context0.startActivity(intent1);
    return;
}
// Both gates passed: targeted device in a targeted country, so the malicious flow continues.
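
As an added example (not Anatsa's code and not from the original article), the following Frida script is what an analyst could load into the dropper process to push a test device through the gate above and record the stage-2 payload load. It assumes Frida's Java bridge (the script is run with `frida -U -f <package> -l hook.js`, where the package name is a placeholder), that "de" is an acceptable spoofed country because it is in the listed codes, and that `passesAnatsaGate` is a helper of my own that restates the gate so an analysis profile can be checked off-device before a run.

```javascript
'use strict';

// Values the gate accepts: Samsung, Android 13 (API 33), network country in the target list.
// "de" is one of the codes in the decompiled check; any other listed code would do.
const SPOOF = { manufacturer: 'samsung', sdkInt: 33, networkCountryIso: 'de' };

// Country prefixes exactly as they appear in the decompiled sample.
const TARGET_ISO_PREFIXES = ['de', 'nl', 'es', 'gb', 'hk', 'cz', 'sk'];

// Pure restatement of the gate (helper written for this example) so an analysis
// profile can be checked without a device. An empty ISO becomes "uat" as in the
// sample, which is why a SIM-less emulator never sees the payload.
function passesAnatsaGate(profile) {
  if (profile.manufacturer.toLowerCase() !== 'samsung' || profile.sdkInt !== 33) {
    return false;
  }
  const iso = profile.networkCountryIso === '' ? 'uat' : profile.networkCountryIso;
  return TARGET_ISO_PREFIXES.some((prefix) => iso.startsWith(prefix));
}

// Frida hooks; only installed when the script runs inside Frida's Java bridge.
function installHooks() {
  Java.perform(() => {
    // 1. Static fields the gate reads. Frida writes them through JNI, which
    //    does not enforce `final`, so SDK_INT can be overwritten at runtime.
    const Build = Java.use('android.os.Build');
    const Version = Java.use('android.os.Build$VERSION');
    Build.MANUFACTURER.value = SPOOF.manufacturer;
    Version.SDK_INT.value = SPOOF.sdkInt;

    // 2. Network country: replace the no-argument overload the sample calls.
    const TelephonyManager = Java.use('android.telephony.TelephonyManager');
    TelephonyManager.getNetworkCountryIso.overload().implementation = function () {
      return SPOOF.networkCountryIso;
    };

    // 3. Stage 2 ("Malicious Update"): log every DEX/JAR the app loads at runtime
    //    so the downloaded payload can be pulled from the device for static analysis.
    const DexClassLoader = Java.use('dalvik.system.DexClassLoader');
    DexClassLoader.$init.overload(
      'java.lang.String', 'java.lang.String', 'java.lang.String', 'java.lang.ClassLoader'
    ).implementation = function (dexPath, optimizedDir, librarySearchPath, parent) {
      console.log('[anatsa-hook] DexClassLoader loading: ' + dexPath);
      return this.$init(dexPath, optimizedDir, librarySearchPath, parent);
    };

    console.log('[anatsa-hook] device profile spoofed: ' + JSON.stringify(SPOOF));
  });
}

if (typeof Java !== 'undefined') {
  installHooks();
} else {
  // Outside Frida (plain Node) just show what a stock emulator profile would get.
  const stockEmulator = { manufacturer: 'Google', sdkInt: 34, networkCountryIso: '' };
  console.log('stock emulator passes gate: ' + passesAnatsaGate(stockEmulator));
}
```

The spoof has to be in place before the app's own code runs, which is why the process is spawned with `-f` rather than attached to later; the gate is evaluated once, early, and a device that fails it only ever shows the decoy activity. The DexClassLoader hook is the cheapest way to catch the "clean at install, malicious after update" transition: the path it prints is the file to pull with adb.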

Evasion and Detection

Anatsa evades detection by behaving like a legitimate app at install time and during Play Store review; the malicious code only arrives in a later update. Once the user grants Accessibility Service access, the malware can read screen content and perform actions on the user's behalf without further consent, which is how it sidesteps Android's permission model. The device and country checks shown above have the same effect on analysts: a non-Samsung device, a different Android version or a device with no network country code never sees the payload. These findings come from researchers' in-depth analysis of the samples.

Impact on European Banks

Anatsa targets over 600 financial applications. Because the fraudulent transactions are initiated from the victim's own device and banking session, they are difficult for banks' anti-fraud systems to distinguish from legitimate activity. Its sophisticated techniques have significantly impacted banks in Europe.

Google Play Store Vulnerabilities

Despite Google's efforts to secure the Play Store, malicious apps still make their way in. Anatsa apps are uploaded in a clean state, pass review, and are only later updated with malicious code, exploiting the gap between the initial review and subsequent updates in Google's app review process.

Affected Devices

Currently, Anatsa primarily targets Android devices. There is no evidence to suggest that iOS devices are affected.

Geographic Spread and Mitigation

Recent attacks have focused on countries like Czechia, Slovakia, and Slovenia. Efforts to mitigate the threat include removing identified malicious apps from the Play Store and enhancing security measures.
