{
	"id": "9a2e6eb4-5ba5-48fe-bade-26b89e114246",
	"created_at": "2026-04-06T00:21:00.898841Z",
	"updated_at": "2026-04-10T13:12:44.076267Z",
	"deleted_at": null,
	"sha1_hash": "29dbd59b629ff9472039fac32ec8ef17682c3c2e",
	"title": "Anatsa’s Latest Updates | ThreatLabz",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1058068,
	"plain_text": "Anatsa’s Latest Updates | ThreatLabz\r\nBy Himanshu Sharma\r\nPublished: 2025-08-21 · Archived: 2026-04-05 19:00:48 UTC\r\nTechnical Analysis\r\nUnlike in previous campaigns, the latest Anatsa campaigns implement various anti-analysis techniques. The parent\r\ninstaller now decrypts each string at runtime using a dynamically generated Data Encryption Standard (DES) key,\r\nmaking it more resistant to static analysis tools. Furthermore, Anatsa has enhanced its evasion strategies by\r\nperforming emulation checks and verifying device models to bypass dynamic analysis environments.\r\nAfter confirming that the C2 server is active and the device meets the necessary criteria, the installer proceeds to\r\ndownload Anatsa as an update. If these conditions are not met, the application displays a file manager view to the\r\nuser, maintaining the appearance of a legitimate application, as shown in the figure below.\r\nhttps://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa\r\nPage 1 of 3\n\nFigure 2: Example behavior of the Anatsa installer depending on the result of anti-analysis checks.\r\nTo evade detection across infected systems, the application package name and installation hash are periodically\r\naltered.\r\nThe core payload has been updated to incorporate a new keylogger variant of Anatsa. Additionally, the malware\r\nutilizes a well-known Android APK ZIP obfuscator for enhanced evasion. The DEX payload is concealed within a\r\nJSON file, which is dynamically dropped at runtime and promptly deleted after being loaded.\r\nThe APK uses a corrupted archive to hide a DEX file, which is deployed during runtime. This archive has invalid\r\ncompression and encryption flags, making it hard for static analysis tools to detect. Since these tools depend on\r\nstandard ZIP header checks in Java libraries, they fail to process the application. Despite this, the application will\r\nrun on standard Android devices.\r\nThe figure below shows a malformed archive used by Anatsa to evade analysis.\r\nFigure 3: Example headers of a malformed archive used by Anatsa to evade analysis.\r\nOnce installed, Anatsa requests accessibility permissions from the user. If granted, the malware automatically\r\nenables all the permissions specified in its manifest file, which include the following:\r\nSYSTEM_ALERT_WINDOW\r\nREAD_SMS\r\nRECEIVE_SMS\r\nUSE_FULL_SCREEN_INTENT\r\nAnatsa connects to the server to request specific commands and encrypts C2 communication using a single-byte\r\nXOR key (66 in decimal). The following JSON structure contains an example of Anatsa’s configuration data.\r\n{\r\n \"hide_sms\": null,\r\n \"gauth_confirm\": null,\r\n \"lock_device\": null,\r\n \"extensive_logging\": null,\r\n \"injects_version\": 254,\r\n \"keyloggers_version\": 403,\r\n \"commands\": null,\r\n \"installed_apps_count\": 37,\r\n \"domains\": [\r\n \"http://185.215.113.108:85/api/\",\r\n \"http://193.24.123.18:85/api/\",\r\n \"http://162.252.173.37:85/api/\"\r\n ],\r\n \"active_injects\": null\r\n}\r\nAnatsa primarily exfiltrates credentials by displaying fake banking login pages, which are downloaded from its C2\r\nserver. These pages are tailored based on the financial institution applications detected on the user's device.\r\nThe list of financial institutions and corresponding injection pages targeted by Anatsa appears to be a work in\r\nprogress and continues to evolve. Of the 831 applications targeted for keylogging, many had injection\r\npages that were incomplete or unavailable. For example, the injection content at the time of analysis for the Robinhood\r\napplication is shown below:\r\n{\r\n \"application\": \"com.robinhood.android\",\r\n \"html\": \"Scheduled maintenance We're working on enhancements and will have things back up and running soon. Th\r\n \"inj_type\": \"bank\"\r\n}\r\nSource: https://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/android-document-readers-and-deception-tracking-latest-updates-anatsa"
	],
	"report_names": [
		"android-document-readers-and-deception-tracking-latest-updates-anatsa"
	],
	"threat_actors": [],
	"ts_created_at": 1775434860,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29dbd59b629ff9472039fac32ec8ef17682c3c2e.pdf",
		"text": "https://archive.orkl.eu/29dbd59b629ff9472039fac32ec8ef17682c3c2e.txt",
		"img": "https://archive.orkl.eu/29dbd59b629ff9472039fac32ec8ef17682c3c2e.jpg"
	}
}