Android Document Readers and Deception: Tracking the Latest Updates to Anatsa

Aug. 25, 2025, 11:03 a.m.

Description

Anatsa, an Android banking malware first discovered in 2020, has evolved with new capabilities and targets. The latest variant now affects over 831 financial institutions worldwide, including new countries and cryptocurrency platforms. Anatsa has streamlined its payload delivery, implemented DES runtime decryption, and added device-specific restrictions. The malware uses decoy applications in the Google Play Store, some exceeding 50,000 downloads. Alongside Anatsa, 77 other malicious apps from various families were identified, totaling over 19 million installs. Anatsa's evasion techniques include emulation checks, device model verification, and the use of malformed archives to hide malicious code. The malware primarily steals credentials through fake banking login pages tailored to detected financial apps on the user's device.

Date

  • Created: Aug. 22, 2025, 11:28 p.m.
  • Published: Aug. 22, 2025, 11:28 p.m.
  • Modified: Aug. 25, 2025, 11:03 a.m.

Attack Patterns

  • Facestealer
  • Harly
  • Bread
  • TeaBot
  • Anatsa
  • Coper

Additional Information

  • Finance
  • Germany