ANATSA – THE UNRELENTING THREAT: THE PERFECT ATTACK STEALING BANK ACCOUNTS ON THE ANDROID PLATFORM

The banking Trojan Anatsa, also known as TeaBot, is resurfacing and spreading aggressively worldwide, directly targeting Android device users. Able to overlay fake login screens on more than 800 banking and financial applications, Anatsa uses a two-stage “dropper” technique to slip past Google Play’s review and then steals victims’ usernames, passwords, and OTP codes. This article analyzes how it operates, how dangerous it is, and the security recommendations experts consider essential.
I. THE DANGER LEVEL AND RESURGENCE OF ANATSA
The Anatsa malware, first spotted in 2020, is one of the most dangerous and persistent banking Trojans targeting the Android operating system. Its primary goal is to steal banking and cryptocurrency account credentials and then carry out fraudulent transfers directly from the victim’s device, so that the transactions originate from a phone and network the bank already trusts.
According to a recent report from cybersecurity experts at Zscaler ThreatLabz, Anatsa has returned and is expanding its attack scale at an alarming rate. Mr. Himanshu Sharma, a security analyst at Zscaler, commented: “The latest version of Anatsa has increased the number of impersonated banking and financial apps from about 600 to over 800 worldwide, including more than 150 new banking apps and crypto platforms. This number indicates a significant investment by cybercrime groups in expanding their targets and geographical reach.”
In a large-scale campaign, researchers found dozens of fake apps on the Google Play Store carrying the Anatsa dropper, with more than 19 million downloads combined. A download is not the same as a confirmed infection, but the figure shows how much exposure a single campaign can obtain through the official store.
II. ANATSA MALWARE’S SOPHISTICATED ATTACK MECHANISM
Anatsa’s attack method is considered sophisticated because it is split into two stages, the so-called “dropper” technique: the app that passes review is not the app that steals money.
1. Stage 1: Bypassing Google Play Review
Attackers use “bait” applications disguised as popular and useful utilities, such as:
- PDF Readers (PDF Reader, Document Reader)
- QR Code Scanner apps
- Phone cleaning apps (Phone Cleaner, File Explorer)
At the time of submission these apps contain no malicious code and provide real functionality, so they pass Google Play’s automated review. The malicious payload is fetched only later, once the app is already installed on victims’ devices.
2. Stage 2: Permission Abuse and Information Theft
After the user installs the “clean” application, it quietly carries out the dangerous behavior. No Android vulnerability is exploited at any point: every capability below is obtained by asking the user for it.
- Malware Download: The app prompts the user to download a fake “update” or “expansion pack.” In reality this is the installation package containing the Anatsa banking Trojan. It is installed outside Google Play, so the user is also asked to allow installs from this app as an unknown source.
- Accessibility Service Abuse: This is the crucial step. Anatsa tricks users into enabling its accessibility service and granting SMS permissions. These sensitive rights let it read everything on screen, read notifications, read OTP messages, and perform taps and text entry on the user’s behalf. Mr. Francesco Iubatti, a cybersecurity researcher at Cleafy, emphasized: “The Accessibility permission is the ‘golden key’ for Banking Trojans on Android. With this privilege, the malware can perform keylogging, screen capturing, and especially inject a fake overlay on top of banking applications.”
- Information Theft: The accessibility service watches which app is in the foreground. When a targeted banking app opens, Anatsa draws a fake overlay on top of it, a login or “maintenance” screen that looks exactly like the official application. The victim enters their username, password, and OTP code without noticing; everything is sent immediately to the attacker’s Command-and-Control (C2) server, and the same accessibility rights can then be used to operate the real app underneath.
III. IDENTIFICATION SIGNS AND SEVERE CONSEQUENCES
ABBank and cybersecurity experts recommend that customers be vigilant about the following unusual signs:
- Unusual Permission Requests: Utility apps (PDF, flashlight, etc.) demanding sensitive permissions like Accessibility or SMS.
- Strange Activity: The banking application automatically opens, asks to log in again, or displays pop-up notifications from an unknown source.
- Device Issues: Device operates slowly, battery drains quickly, or mobile data usage spikes dramatically.
- OTP Errors: Receiving an OTP code for a transaction you did not initiate, or an expected OTP arriving late or not at all, because the malware has read or suppressed it.
Consequences: When infected with Anatsa, victims face the risk of losing all funds in their bank accounts and e-wallets, while personal data on the device can also be stolen.
IV. RECOMMENDATIONS AND PREVENTION MEASURES FROM EXPERTS
Mr. David Nhat, an independent mobile application security expert, advised: “The best defense is user vigilance. View applications requesting Accessibility permission as an extremely large ‘red flag,’ especially if it is not a utility for users with disabilities.”
1. Emergency Actions (If infection is suspected):
- Uninstall Suspicious Apps: Go to Settings > Apps and delete them immediately.
- Disable Sensitive Permissions: Go to Settings > Accessibility and turn OFF the service for ALL unknown applications. If the settings screen closes by itself or the toggle will not stay off, the malware is using its accessibility rights to defend itself: restart the phone in Safe Mode (which disables third-party apps) and remove the app from there.
- Disable Device Administrator Rights: If the app cannot be uninstalled, locate and turn off its device administrator rights (Settings > Security > Device Admin Apps; the exact path varies by manufacturer and Android version) before deleting it.
- Change Passwords: Immediately change passwords for all banking accounts, e-wallets, and other important accounts, and do so from a different, trusted device: a new password typed on the infected phone is captured just like the old one.
- Contact Bank: Immediately notify the bank to freeze the account and review any suspicious transactions.
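The signs in Section III and the emergency steps above can be checked from a workstation with adb instead of trusting the phone’s own settings screens, which the malware may be controlling. The Bash triage script below is an added example, not code from the original advisory or from any vendor: it parses the output of three adb commands and flags the footprint described in Section II (a payload installed by another app rather than by Google Play) and Section III (an unexpected accessibility service, granted SMS permissions, an active device admin). The package names, the allowlist, and the captured adb output are constructed, and the dumpsys layouts it parses are an assumption about Android 10 and later.

```bash
#!/usr/bin/env bash
# Added triage helper (example code, not part of the original advisory). It parses
# the text returned by three adb commands and flags the footprint an Anatsa-style
# dropper leaves on a device:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys package <pkg>      (installer and runtime permissions)
#   adb shell dumpsys device_policy      (enabled device admins)
# Every package name and all captured output below are constructed for illustration.

# Accessibility services a stock device may legitimately enable. Assumption:
# extend this allowlist with your own screen reader or automation tools.
ALLOWED_A11Y="com.google.android.marvin.talkback com.android.systemui"

# flag_a11y_services RAW: RAW is the colon-separated value of
# enabled_accessibility_services, e.g. "pkg/.Service:pkg2/.Service2" (the literal
# string "null" means none). Prints one package per line for every enabled
# service whose package is not on the allowlist.
flag_a11y_services() {
  local raw="$1" entry pkg allowed hit
  [ -z "$raw" ] || [ "$raw" = "null" ] && return 0
  printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    pkg=${entry%%/*}
    hit=0
    for allowed in $ALLOWED_A11Y; do
      [ "$pkg" = "$allowed" ] && hit=1
    done
    [ "$hit" -eq 0 ] && printf '%s\n' "$pkg"
  done
  return 0
}

# installer_of DUMPSYS_PACKAGE_TEXT: prints the installerPackageName recorded for
# the package. A Stage 2 payload sideloaded by the dropper names the dropper here,
# not com.android.vending (Google Play).
installer_of() {
  printf '%s\n' "$1" | awk -F= '/^ *installerPackageName=/ { print $2; exit }'
  return 0
}

# granted_sms_perms DUMPSYS_PACKAGE_TEXT: prints each SMS permission listed as
# granted=true in the "runtime permissions:" block. A PDF reader or cleaner
# holding any of these is the "unusual permission request" sign from Section III.
granted_sms_perms() {
  printf '%s\n' "$1" | awk '
    /android\.permission\.(READ_SMS|RECEIVE_SMS|SEND_SMS|RECEIVE_MMS): granted=true/ {
      sub(/:$/, "", $1); print $1
    }'
  return 0
}

# enabled_device_admins DUMPSYS_DEVICE_POLICY_TEXT: prints each component under
# "Enabled Device Admins" (layout as printed by Android 10+, an assumption). Such
# apps refuse a plain uninstall until the admin right is revoked (emergency step 3).
enabled_device_admins() {
  printf '%s\n' "$1" | awk '
    /^ *Enabled Device Admins/ { in_block = 1; next }
    in_block && !/^    /      { in_block = 0 }
    in_block && /^    [A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:$/ { sub(/:$/, "", $1); print $1 }
  '
  return 0
}

# has_findings A11Y_RAW PKG_TEXT DPM_TEXT: exit 0 if any indicator fired, so the
# check can gate a fleet sweep.
has_findings() {
  [ -n "$(flag_a11y_services "$1")$(granted_sms_perms "$2")$(enabled_device_admins "$3")" ]
}

# Constructed sample output (not captured from a real device).
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.pdfreader/.ReaderA11yService'
SAMPLE_PKG=$(cat <<'EOF'
  Package [com.example.pdfreader] (a1b2c3):
    installerPackageName=com.example.documentscanner
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
EOF
)
SAMPLE_DPM=$(cat <<'EOF'
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.pdfreader/.AdminReceiver:
      policies:
        force-lock
  mPasswordOwner=-1
EOF
)

# Demo on the samples. On a live device pass "$(adb shell ...)" output instead, and
# remove a flagged package with: adb shell pm uninstall --user 0 <pkg>
echo "Unexpected accessibility services:"; flag_a11y_services "$SAMPLE_A11Y"
echo "Installer of com.example.pdfreader: $(installer_of "$SAMPLE_PKG")"
echo "Granted SMS permissions:"; granted_sms_perms "$SAMPLE_PKG"
echo "Enabled device admins:"; enabled_device_admins "$SAMPLE_DPM"
has_findings "$SAMPLE_A11Y" "$SAMPLE_PKG" "$SAMPLE_DPM" && echo "Findings present: follow the emergency steps."
```

The script only reports and deliberately changes nothing on the device, so a triage run cannot destroy evidence the bank’s fraud team may need. Remediation is then `adb shell pm uninstall --user 0 <pkg>` for a flagged package, or Safe Mode as in step 2 when a device admin blocks the uninstall, followed by the password changes and the bank notification in steps 4 and 5.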
2. Basic Prevention Measures:
- Download Selectively: Prefer apps from established developers with a long publishing history and read the negative reviews carefully. A high download count on its own proves nothing: the Anatsa droppers themselves reached millions of installs before they were removed.
- Refuse Unnecessary Permissions: ABSOLUTELY DO NOT GRANT ACCESSIBILITY PERMISSION to common utility apps (PDF readers, cleaners, games, etc.).
- Refuse access to SMS, contacts, or location if the application does not require it.
- Use Built-in Security: Always keep Google Play Protect enabled on your Android device.
- Strengthen Account Security: Activate Two-Factor Authentication (2FA) or biometric authentication (fingerprint, face) for all important accounts, especially banking and email. Where the bank offers a choice, prefer a second factor that is not delivered by SMS, since an infected phone hands SMS codes straight to the attacker.
- Regular Updates: Regularly update the operating system and reputable anti-virus software to patch security vulnerabilities.
V. CONCLUSION
Anatsa is a stark reminder of the continuous evolution of mobile threats. The battle between attackers and users on the Google Play Store is ongoing. By understanding Anatsa’s sophisticated attack mechanism and adopting the strict prevention measures recommended by financial institutions and cybersecurity experts, users can protect themselves and their financial assets against this invisible threat. Personal vigilance remains the final and strongest line of defense.