
The malware, first discovered in 2020, continues to pose a substantial threat to Android users through deceptive applications distributed via the Google Play Store.
Expanded Global Targeting and Enhanced Capabilities
The latest Anatsa variant has significantly broadened its scope beyond the previously targeted 650 financial institutions, now encompassing more than 831 banks and cryptocurrency platforms across new regions, including Germany and South Korea.

This expansion includes over 150 newly targeted banking and cryptocurrency applications, demonstrating the malware’s evolving threat landscape.
Anatsa operates through a dropper technique, utilizing decoy applications that appear legitimate upon installation from the Google Play Store.
These applications masquerade as document readers or file managers while secretly downloading malicious payloads disguised as updates from command-and-control servers. Several of these decoy applications have individually exceeded 50,000 downloads, amplifying the potential impact.
Advanced Anti-Analysis Techniques
The current Anatsa iteration incorporates sophisticated evasion mechanisms that distinguish it from previous campaigns.
The malware now implements Data Encryption Standard (DES) runtime decryption, dynamically generating encryption keys to decrypt strings during execution, making static analysis significantly more challenging.
Additionally, Anatsa performs emulation checks and device model verification to bypass dynamic analysis environments commonly used by security researchers.

The malware conceals its DEX payload within JSON files that are dynamically dropped at runtime and immediately deleted after loading.
It also employs corrupted ZIP archives with invalid compression and encryption flags, exploiting limitations in standard analysis tools while maintaining functionality on Android devices.
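The header-level inconsistencies described above are something an analyst can check for directly, before handing an APK to a tool that may reject it. The following Python script is an added example, not code from the article or from Zscaler: it walks the local file headers of a ZIP/APK and reports an encryption flag on an entry, a compression method other than stored or deflate, a stored entry whose sizes disagree, and a deflate stream that does not inflate or fails its CRC. The sample archive, its file names and the corrupted copy are constructed here as a test fixture; they are not taken from any real Anatsa dropper.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = 0x04034B50
LOCAL_FMT = "<IHHHHHIIIHH"   # local file header: signature .. extra_len (30 bytes)
LOCAL_LEN = struct.calcsize(LOCAL_FMT)

FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008
SUPPORTED_METHODS = {0, 8}    # stored and deflate; nothing else is valid in an APK


def scan_zip_headers(data: bytes) -> list[str]:
    """Walk local file headers in order and report values that standard
    tools choke on but a lenient runtime parser may silently accept."""
    findings = []
    pos = 0
    while pos + LOCAL_LEN <= len(data):
        (sig, _ver, flags, method, _t, _d, crc, csize, usize,
         nlen, elen) = struct.unpack_from(LOCAL_FMT, data, pos)
        if sig != LOCAL_SIG:
            break  # reached the central directory (or non-ZIP bytes)
        name_start = pos + LOCAL_LEN
        name = data[name_start:name_start + nlen].decode("utf-8", "replace")
        body_start = name_start + nlen + elen
        body = data[body_start:body_start + csize]

        if flags & FLAG_ENCRYPTED:
            findings.append(f"{name}: encryption flag set (APK entries are never encrypted)")
        if method not in SUPPORTED_METHODS:
            findings.append(f"{name}: unsupported compression method {method}")
        elif method == 0 and csize != usize:
            findings.append(f"{name}: stored entry with mismatched sizes {csize} != {usize}")
        elif method == 8 and not flags & FLAG_DATA_DESCRIPTOR:
            try:
                raw = zlib.decompress(body, wbits=-15)  # raw deflate, no zlib header
                if zlib.crc32(raw) & 0xFFFFFFFF != crc:
                    findings.append(f"{name}: CRC mismatch after inflate")
            except zlib.error:
                findings.append(f"{name}: deflate stream does not inflate")

        if flags & FLAG_DATA_DESCRIPTOR:
            # sizes follow the data; stop walking rather than guess the layout
            findings.append(f"{name}: data descriptor present, sizes unverified")
            break
        pos = body_start + csize
    return findings


def build_sample_apk() -> bytes:
    """Constructed fixture: a minimal, well-formed APK-like archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64,
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("assets/config.json",
                    b'{"update":"https://example.invalid/u"}' * 4,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def corrupt_headers(data: bytes) -> bytes:
    """Constructed fixture: set the encryption flag on the first local header
    and an invalid compression method on the second, leaving the data intact."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        offsets = [zi.header_offset for zi in zf.infolist()]
    out = bytearray(data)
    struct.pack_into("<H", out, offsets[0] + 6, FLAG_ENCRYPTED)  # general-purpose flags
    struct.pack_into("<H", out, offsets[1] + 8, 99)              # compression method
    return bytes(out)


if __name__ == "__main__":
    print("clean:", scan_zip_headers(build_sample_apk()))
    print("corrupt:", scan_zip_headers(corrupt_headers(build_sample_apk())))
```

Run it on any APK by passing the file's bytes to `scan_zip_headers`; an empty list means every local header is consistent. The walker deliberately stops at the first data descriptor rather than searching for it, because guessing entry boundaries is exactly where permissive parsers and strict tools diverge.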
Distribution Impact and Security Implications
ThreatLabz researchers identified 77 malicious applications across various malware families in the Google Play Store, collectively accounting for over 19 million installations.

Once installed, Anatsa requests accessibility permissions and automatically enables critical permissions, including SYSTEM_ALERT_WINDOW, READ_SMS, RECEIVE_SMS, and USE_FULL_SCREEN_INTENT.
The malware encrypts command-and-control communications using single-byte XOR encryption and primarily harvests credentials through fake banking login pages downloaded from its servers. These fraudulent interfaces are customized based on the financial applications detected on infected devices.
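Single-byte XOR gives no real confidentiality, and the practical point for an analyst is that a captured command-and-control body can be decoded without the sample's key: there are only 256 candidates. The Python below is an added example, not code from the article or from Zscaler. It assumes the check-in body is a JSON object (the article does not state the wire format; the validator is the part to adapt to whatever the real traffic looks like), tries every key, and prefers a candidate that parses over one that merely looks printable, since several wrong keys can also yield all-printable garbage. The sample message and key are constructed.

```python
import json
import string

PRINTABLE = set(string.printable.encode("ascii"))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII; a weak, format-agnostic score."""
    return sum(b in PRINTABLE for b in buf) / max(len(buf), 1)


def looks_like_message(buf: bytes) -> bool:
    """Validator for the assumed wire format: a JSON object. Swap this for a
    check that matches the protocol actually observed in captured traffic."""
    try:
        return isinstance(json.loads(buf.decode("utf-8")), dict)
    except (UnicodeDecodeError, ValueError):
        return False


def recover_xor_key(blob: bytes):
    """Try all 256 keys. Return (key, plaintext, confident): confident is True
    when the plaintext passed the format validator, False when we only fell
    back to the highest printable ratio (which may pick a wrong key)."""
    best_ratio, best_key, best_plain = -1.0, None, b""
    for key in range(256):
        cand = xor_single_byte(blob, key)
        if looks_like_message(cand):
            return key, cand, True
        ratio = printable_ratio(cand)
        if ratio > best_ratio:
            best_ratio, best_key, best_plain = ratio, key, cand
    return best_key, best_plain, False


# Constructed sample: a bot check-in as it might be seen on the wire.
SAMPLE_KEY = 0x5A
SAMPLE_CHECKIN = json.dumps({
    "bot_id": "constructed-0001",
    "model": "sample-device",
    "apps": ["com.example.bank"],
}).encode("utf-8")
CAPTURED_BLOB = xor_single_byte(SAMPLE_CHECKIN, SAMPLE_KEY)


if __name__ == "__main__":
    key, plain, confident = recover_xor_key(CAPTURED_BLOB)
    print(f"key=0x{key:02x} confident={confident}")
    print(plain.decode("utf-8"))
```

The `confident` flag matters in practice: when the validator cannot be satisfied, the printable-ratio fallback still returns a key, but several keys that differ from the true one in only a low bit can produce fully printable output, so that result should be treated as a lead rather than a decode.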
Android users should exercise caution when installing applications from the Play Store, carefully reviewing requested permissions to ensure they align with the application’s stated functionality.
Zscaler’s cloud security platform provides multilayered protection against Android variants under the threat designations Banker.Anatsa and AndroidOS/Agent.BOI.
The post Android Users at Risk – Anatsa Malware Harvests Credentials and Tracks Keystrokes appeared first on Cyber Security News.
