The Zscaler ThreatLabz team has uncovered significant enhancements in the Anatsa Android banking trojan, known for sophisticated attacks on financial applications worldwide. Originally detected in 2020, Anatsa’s latest iterations have expanded to target over 831 financial institutions, including banks and cryptocurrency platforms, by embedding malicious code in popular Google Play Store apps disguised as document readers. These decoy apps, which have been downloaded up to 50,000 times each, serve as droppers to silently install Anatsa, allowing threat actors to bypass official app store detection mechanisms.
In recent campaigns, Anatsa has overhauled its delivery techniques: it has replaced remote code loading with direct payload installation, introduced device-specific payload restrictions, and added runtime DES decryption of the payload to evade static and dynamic analysis tools. The malware not only alters its package footprint to avoid detection but also requests broad accessibility permissions, which enable credential theft, keylogging, and fraudulent transactions. Anatsa’s core payload is further concealed within obfuscated and malformed application archives, making it increasingly difficult for security researchers to analyze or detect.
ThreatLabz reports that alongside Anatsa, 77 other malicious Android apps representing various malware families have recently amassed over 19 million installs, highlighting a sharp rise in mobile threats, especially adware and trojans. While Google has removed many of these apps, the speed and sophistication of campaigns like Anatsa underline how important it is for Android users to scrutinize app permissions and rely on trusted security protections.