Full Report
Cybersecurity researchers have discovered an Android banking malware campaign that has leveraged a trojan named Anatsa to target users in North America using malicious apps published on Google's official app marketplace. The malware, disguised as a "PDF Update" to a document viewer app, has been caught serving a deceptive overlay when users attempt to access their banking application, claiming
Analysis Summary
# Tool/Technique: Anatsa (TeaBot, Toddler)
## Overview
Anatsa is an advanced Android banking trojan actively targeting mobile banking users, most recently evidenced by a campaign focusing on North America (US and Canada). It is typically delivered via multi-stage campaigns that initially push benign applications to the Google Play Store, later updating them to deploy the malicious payload. Its primary purpose is to steal user credentials and execute fraudulent financial transactions.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android
- Capabilities: Credential theft via overlays and keylogging, Device-Takeover Fraud (DTO) for automated transactions, dynamic targeting list updates.
- First Seen: Active since at least 2020.
## MITRE ATT&CK Mapping
*Note: Comprehensive mapping requires detailed technical analysis; the mappings below use Enterprise ATT&CK IDs and are based only on the capabilities described.*
- **TA0006 - Credential Access**
- T1056 - Input Capture
- T1056.001 - Input Capture: Keylogging
- T1056.002 - Input Capture: GUI Input Capture (fake login overlays drawn over banking apps)
- **TA0001 - Initial Access**
- T1195 - Supply Chain Compromise
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain (benign app on Google Play later updated with the malicious payload)
- **TA0009 - Collection**
- T1113 - Screen Capture (implied by overlay attacks that reproduce highly realistic login prompts)
## Functionality
### Core Capabilities
- **Delivery via Droppers:** Initial legitimate application uploaded to Google Play Store (e.g., PDF viewers, file cleaners) which later downloads and installs Anatsa.
- **Credential Theft:** Utilizes overlay attacks (displaying fake login screens over legitimate banking applications) and keylogging to capture sensitive information.
- **Fraudulent Transactions:** Capable of Device-Takeover Fraud (DTO), allowing operators to initiate unauthorized transactions autonomously.
- **Dynamic Targeting:** Receives a dynamic list of targeted financial and banking institutions from an external server, facilitating flexible targeting.
### Advanced Features
- **Evasion Cycle:** Employs a cyclical nature, interspersing periods of malicious activity with periods of no activity to evade detection and analysis.
- **Deception Tactic:** Displays fake "scheduled maintenance" notices when a user attempts to access a targeted banking application, specifically designed to conceal malicious activity and prevent users from contacting bank support.
- **Supply Chain Compromise:** Exploitation of the official Google Play Store by maintaining a legitimate initial presence followed by a malicious update several weeks later.
## Indicators of Compromise
- File Hashes: [Not specified in the text]
- File Names: [Not specified in the text]
- Registry Keys: [N/A for Android environment, configuration files instead]
- Network Indicators: Receives configuration/command lists (including the target list) from an external C2 server. [Specific C2 domains/IPs were not listed in the text]
- Behavioral Indicators: Application requests heightened permissions after initial installation; attempts to draw views over other applications (overlay tactics); logs user input sequences related to banking apps.
## Associated Threat Actors
- Attributed to Anatsa operators, previously known as TeaBot/Toddler actors. Involved in campaigns targeting Slovakia, Slovenia, and Czechia prior to the North American focus.
## Detection Methods
- Signature-based detection: Identification of known Anatsa package names or associated hash signatures (post-discovery).
- Behavioral detection: Monitoring for applications that request overlay permissions and interact aggressively with foreground banking applications immediately after a delayed update, and for input capture (keylogging) by applications that have no legitimate need for it.
- YARA rules: [Not specified in the text]
- Google Play Protect: Noted by Google as removing identified malicious apps and protecting users.
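The behavioral indicators and detection method above boil down to one check: an app that was benign at install time later gains overlay and input-capture capabilities through an update that arrives weeks later. The following added example (not code from the report or from any vendor) implements that check as an inventory diff. It assumes an MDM or on-device agent can export, per package, the granted permissions and whether an accessibility service is enabled; the two Android permission names are real identifiers, while `ACCESSIBILITY_SERVICE_ENABLED`, the package names and the sample inventory are constructed for the example.

```python
"""Flag Android apps whose delayed update introduced overlay or
input-capture capabilities that the install-time version lacked."""
from dataclasses import dataclass
from datetime import datetime

# Capabilities an inventory agent can export per package. The first two are
# real Android permission names; ACCESSIBILITY_SERVICE_ENABLED is an assumed
# label meaning "this package has an accessibility service enabled in
# Settings" (apps declare such a service rather than request a permission).
HIGH_RISK = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages (dropper behaviour)",
    "ACCESSIBILITY_SERVICE_ENABLED": "accessibility service enabled (input capture / UI automation)",
}


@dataclass(frozen=True)
class AppSnapshot:
    package: str
    version_code: int
    observed_at: datetime
    capabilities: frozenset


@dataclass(frozen=True)
class Finding:
    package: str
    added: tuple            # high-risk capabilities present now but absent at install
    days_since_install: int
    delayed_update: bool    # True when the update came >= min_delay_days after install


def compare(baseline, current, min_delay_days=14):
    """Return a Finding if `current` gained high-risk capabilities that the
    install-time `baseline` lacked, else None."""
    if baseline.package != current.package:
        raise ValueError("snapshots must describe the same package")
    added = tuple(sorted(c for c in current.capabilities - baseline.capabilities
                         if c in HIGH_RISK))
    if not added:
        return None
    days = (current.observed_at - baseline.observed_at).days
    delayed = days >= min_delay_days and current.version_code > baseline.version_code
    return Finding(current.package, added, days, delayed)


def scan(baselines, currents, min_delay_days=14):
    """Run compare() over every package present in both inventories."""
    findings = []
    for pkg, base in baselines.items():
        cur = currents.get(pkg)
        if cur is None:
            continue
        finding = compare(base, cur, min_delay_days)
        if finding:
            findings.append(finding)
    return findings


def describe(finding):
    """Human-readable summary for a SOC ticket."""
    lines = [f"{finding.package}: gained {len(finding.added)} high-risk capability(ies)"]
    for cap in finding.added:
        lines.append(f"  - {cap}: {HIGH_RISK[cap]}")
    if finding.delayed_update:
        lines.append(f"  - added by an update {finding.days_since_install} days "
                     "after install (delayed-update pattern)")
    return "\n".join(lines)


# Constructed sample inventory; package names are placeholders, not real IoCs.
INSTALL_TIME = {
    "com.example.pdfviewer": AppSnapshot("com.example.pdfviewer", 10, datetime(2024, 5, 1),
                                         frozenset({"android.permission.INTERNET"})),
    "com.example.flashlight": AppSnapshot("com.example.flashlight", 3, datetime(2024, 5, 1),
                                          frozenset({"android.permission.CAMERA"})),
    "com.example.launcher": AppSnapshot("com.example.launcher", 7, datetime(2024, 5, 1),
                                        frozenset({"android.permission.SYSTEM_ALERT_WINDOW"})),
}
CURRENT = {
    # "document viewer" that picked up overlay + accessibility three weeks later
    "com.example.pdfviewer": AppSnapshot("com.example.pdfviewer", 11, datetime(2024, 5, 22),
                                         frozenset({"android.permission.INTERNET",
                                                    "android.permission.SYSTEM_ALERT_WINDOW",
                                                    "ACCESSIBILITY_SERVICE_ENABLED"})),
    # benign update adding a low-risk permission only
    "com.example.flashlight": AppSnapshot("com.example.flashlight", 4, datetime(2024, 5, 3),
                                          frozenset({"android.permission.CAMERA",
                                                     "android.permission.VIBRATE"})),
    # launcher that legitimately had overlay permission from the start
    "com.example.launcher": AppSnapshot("com.example.launcher", 7, datetime(2024, 5, 22),
                                        frozenset({"android.permission.SYSTEM_ALERT_WINDOW"})),
}

if __name__ == "__main__":
    for f in scan(INSTALL_TIME, CURRENT):
        print(describe(f))
```

Only the document viewer is flagged: the flashlight's new permission is not in the high-risk set, and the launcher held the overlay permission at install time, so a baseline diff does not raise it. The baseline matters more than the permission list itself; a one-off check of current grants would flag every legitimate launcher and screen-reader on the device.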
## Mitigation Strategies
- Prevention measures: Users should be highly skeptical of delayed updates from apps downloaded from the Play Store, especially productivity tools that suddenly begin requesting extensive accessibility or overlay permissions.
- Hardening recommendations: Organizations (especially financial institutions) should monitor customer reports closely, particularly concerning maintenance notifications that coincide with login attempts. Enable Google Play Protect features for automatic blocking of known malicious apps.
## Related Tools/Techniques
- Other Android Banking Trojans: Related to malware that heavily relies on overlay attacks and supply chain compromise via the Play Store.
- TeaBot, Toddler (Synonyms for Anatsa).