The malware, first discovered in 2020, continues to pose a substantial threat to Android users through deceptive applications distributed via the Google Play Store.
The latest Anatsa variant has significantly broadened its scope beyond the previously targeted 650 financial institutions, now encompassing more than 831 banks and cryptocurrency platforms across new regions, including Germany and South Korea.
This expansion includes over 150 newly targeted banking and cryptocurrency applications, demonstrating that the malware's targeting continues to broaden.
Anatsa operates through a dropper technique, utilizing decoy applications that appear legitimate upon installation from the Google Play Store.
These applications masquerade as document readers or file managers while secretly downloading malicious payloads disguised as updates from command-and-control servers. Several of these decoy applications have individually exceeded 50,000 downloads, amplifying the potential impact.
The current Anatsa iteration incorporates sophisticated evasion mechanisms that distinguish it from previous campaigns.
The malware now implements Data Encryption Standard (DES) runtime decryption, dynamically generating encryption keys to decrypt strings during execution, making static analysis significantly more challenging.
Additionally, Anatsa performs emulator checks and device model verification to detect and evade the dynamic analysis environments commonly used by security researchers.
The malware conceals its DEX payload within JSON files that are dynamically dropped at runtime and immediately deleted after loading.
It also ships deliberately malformed ZIP archives whose headers carry invalid compression methods and encryption flags: standard analysis tools reject or misparse them, while Android's own loader still processes them.
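The following is an added example of how a defender's triage script can look for the two packaging tricks just described; it is not code from the article or from Zscaler. It parses ZIP local file headers and central directory entries directly (so it still works when the stock reader refuses the file), flags unknown compression methods and set encryption bits, shows that Python's `zipfile` rejects such an archive, and scans JSON string values for the DEX header. The allow-list of compression methods, the assumption that the DEX blob is base64-encoded inside the JSON, and all sample data are constructed for the example.

```python
"""Triage checks for ZIP archives with bogus compression/encryption flags and
for DEX payloads stashed in JSON files. All sample data is constructed."""
import base64
import io
import json
import struct
import zipfile
from typing import List, Optional

DEX_MAGIC = b"dex\n"         # every DEX file starts with "dex\n" + version, e.g. "035\0"
LOCAL_SIG = b"PK\x03\x04"    # ZIP local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # ZIP central directory entry signature
FLAG_ENCRYPTED = 0x0001      # general-purpose bit 0: entry is encrypted
# Compression methods Python's zipfile can handle; anything else in an APK is
# suspicious (assumption: a reasonable allow-list for triage, not an Android rule).
KNOWN_METHODS = {0, 8, 12, 14, 93, 95, 96, 97, 98}
# (struct format, index of flags field, index of method field, index of name length)
LOCAL_FMT = ("<4sHHHHHIIIHH", 2, 3, 9)
CENTRAL_FMT = ("<4sHHHHHHIIIHHHHHII", 3, 4, 10)


def _headers(data: bytes, sig: bytes, layout) -> list:
    """Walk every header carrying `sig` and return (name, flags, method) tuples."""
    fmt, flags_i, method_i, nlen_i = layout
    size = struct.calcsize(fmt)
    out, pos = [], data.find(sig)
    while pos != -1 and pos + size <= len(data):
        f = struct.unpack_from(fmt, data, pos)
        name = data[pos + size:pos + size + f[nlen_i]].decode("utf-8", "replace")
        out.append((name, f[flags_i], f[method_i]))
        pos = data.find(sig, pos + size)
    return out


def scan_zip_headers(data: bytes) -> List[str]:
    """Report header anomalies: unknown methods, encryption bits, header disagreement."""
    findings = []
    local = _headers(data, LOCAL_SIG, LOCAL_FMT)
    central = _headers(data, CENTRAL_SIG, CENTRAL_FMT)
    for where, entries in (("local header", local), ("central directory", central)):
        for name, flags, method in entries:
            if method not in KNOWN_METHODS:
                findings.append(f"{where} {name!r}: unknown compression method {method:#06x}")
            if flags & FLAG_ENCRYPTED:
                findings.append(f"{where} {name!r}: encryption flag set")
    if {(n, m) for n, _, m in local} != {(n, m) for n, _, m in central}:
        findings.append("local headers and central directory disagree on compression methods")
    return findings


def standard_tool_check(data: bytes) -> Optional[str]:
    """Return the error the stock zipfile reader raises, or None if it reads cleanly."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                zf.read(info)
        return None
    except Exception as exc:  # BadZipFile, NotImplementedError, RuntimeError, ...
        return f"{type(exc).__name__}: {exc}"


def build_clean_sample() -> bytes:
    """Constructed: a valid stored-only ZIP holding a stub classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 32)
    return buf.getvalue()


def build_corrupted_sample() -> bytes:
    """Constructed: stamp an unknown method (0x99) and the encryption bit into both
    the local header and the central directory entry of the clean sample."""
    data = bytearray(build_clean_sample())
    lpos, cpos = data.find(LOCAL_SIG), data.find(CENTRAL_SIG)
    struct.pack_into("<HH", data, lpos + 6, FLAG_ENCRYPTED, 0x0099)  # flags, method
    struct.pack_into("<HH", data, cpos + 8, FLAG_ENCRYPTED, 0x0099)  # flags, method
    return bytes(data)


def find_dex_in_json(text: str) -> List[str]:
    """Key paths of JSON strings that are, or base64-decode to, a DEX file.
    Assumption: the article does not say how the DEX is stored, so base64 is guessed."""
    hits: List[str] = []

    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str):
            candidates = [node.encode("latin-1", "ignore")]
            try:
                candidates.append(base64.b64decode(node, validate=True))
            except ValueError:  # not valid base64, keep the raw check only
                pass
            if any(c.startswith(DEX_MAGIC) for c in candidates):
                hits.append(path)

    walk(json.loads(text), "")
    return hits


# Constructed stand-in for a "config update" JSON carrying a DEX blob.
SAMPLE_JSON = json.dumps({
    "version": "1.0.3",
    "update": {"blob": base64.b64encode(DEX_MAGIC + b"035\0" + b"\0" * 16).decode()},
})

if __name__ == "__main__":
    corrupt = build_corrupted_sample()
    print("stock zipfile:", standard_tool_check(corrupt))
    for finding in scan_zip_headers(corrupt):
        print("finding:", finding)
    print("DEX blob found at:", find_dex_in_json(SAMPLE_JSON))
```

The point of parsing the headers by hand is that a triage pipeline should never let "the unzip library threw an exception" become "nothing to see here"; a read failure on an APK that nonetheless installed on a device is itself the indicator.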
ThreatLabz researchers identified 77 malicious applications across various malware families in the Google Play Store, collectively accounting for over 19 million installations.
Once installed, Anatsa requests accessibility permissions and automatically enables critical permissions, including SYSTEM_ALERT_WINDOW, READ_SMS, RECEIVE_SMS, and USE_FULL_SCREEN_INTENT.
The malware obfuscates its command-and-control traffic with a single-byte XOR key (a scheme that offers little resistance to analysis) and harvests credentials primarily through fake banking login pages downloaded from its servers. These overlay pages are tailored to the financial applications detected on the infected device.
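As an added illustration of why single-byte XOR gives an analyst so little trouble (example code, not the article's or Zscaler's), the Python below first narrows the 256 possible keys to those under which a captured message decodes to printable text, then derives the key outright from a known plaintext fragment (a crib such as the opening `{"` of a JSON command). The captured message, the key 0x5A, and the field names are constructed for the example and are not real Anatsa traffic.

```python
"""Analyst helper for single-byte XOR-obfuscated C2 traffic. The capture below
is constructed; the key and field names are invented for the example."""
from typing import List

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # ASCII text + whitespace


def xor_decode(blob: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse: the same key encodes and decodes."""
    return bytes(b ^ key for b in blob)


def printable_keys(blob: bytes) -> List[int]:
    """Keys under which every decoded byte is printable ASCII or whitespace.
    Only a handful of survivors out of 256 is typical for XOR-encoded text."""
    return [k for k in range(256) if all(b ^ k in PRINTABLE for b in blob)]


def keys_matching_crib(blob: bytes, crib: bytes) -> List[int]:
    """Derive the key from a known plaintext fragment: at each offset the key
    must be blob[i] ^ crib[0]; keep it only if the rest of the crib checks out."""
    keys = set()
    for i in range(len(blob) - len(crib) + 1):
        k = blob[i] ^ crib[0]
        if all(blob[i + j] ^ k == crib[j] for j in range(1, len(crib))):
            keys.add(k)
    return sorted(keys)


def recover_c2_message(blob: bytes, crib: bytes) -> bytes:
    """Decode when exactly one key satisfies the crib; otherwise raise so the
    analyst inspects the candidate list instead of trusting a guess."""
    keys = keys_matching_crib(blob, crib)
    if len(keys) != 1:
        raise ValueError(f"ambiguous key candidates: {[hex(k) for k in keys]}")
    return xor_decode(blob, keys[0])


# Constructed sample: a JSON-style command XORed with the constructed key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b'{"cmd":"overlay","pkg":"com.example.bank","ver":"1.0.3"}'
SAMPLE_CAPTURE = xor_decode(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("printable candidates:", [hex(k) for k in printable_keys(SAMPLE_CAPTURE)])
    print("crib-confirmed key:", [hex(k) for k in keys_matching_crib(SAMPLE_CAPTURE, b'{"')])
    print("decoded:", recover_c2_message(SAMPLE_CAPTURE, b'{"'))
```

For detection engineering the same property cuts the other way: because the key is a single byte, a network sensor can test all 256 keys against the first few bytes of a suspicious POST body in microseconds and flag any flow that decodes to well-formed JSON or HTML.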
Android users should exercise caution when installing applications from the Play Store, carefully reviewing requested permissions to ensure they align with the application’s stated functionality.
Zscaler’s cloud security platform provides multilayered protection against Android variants under threat designations.Banker.Anatsa and AndroidOS/Agent.BOI
The post Android Users at Risk – Anatsa Malware Harvests Credentials and Tracks Keystrokes appeared first on Cyber Security News.