{
	"id": "43a50843-c3c6-4d2d-9807-83dc73eaffb2",
	"created_at": "2026-04-06T00:09:27.818906Z",
	"updated_at": "2026-04-10T13:11:19.472674Z",
	"deleted_at": null,
	"sha1_hash": "698397e49ae4721e2ddae85e24f0237e706cce5d",
	"title": "Anatsa banking Trojan hits UK, US and DACH with new campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1525447,
	"plain_text": "Anatsa banking Trojan hits UK, US and DACH with new campaign\r\nPublished: 2024-10-01 · Archived: 2026-04-02 10:50:05 UTC\r\nNew ongoing campaign hitting banks for months\r\nAs of March 2023, ThreatFabric’s cyber fraud analysts have been monitoring multiple ongoing Google Play Store dropper\r\ncampaigns delivering the Android banking Trojan Anatsa, with over 30.000 installations. The threat actors behind this new\r\nwave of Anatsa showed interest in new institutions from the US, UK, and DACH region. Our fraud intelligence platform\r\nwas able to confirm this dangerous malware family adding multiple Android banking apps from these regions as new targets.\r\nThreatFabric is aware of multiple confirmed fraud cases, with confirmed losses caused by Anatsa, due to the Trojan’s very\r\nadvanced Device-Takeover capabilities, which are able to bypass a wide array of existing fraud control mechanisms.\r\nThe focus of the ongoing campaign is banks from US, UK, and DACH, while the target list of the malware contains almost\r\n600 financial applications from all over the world. The actors behind Anatsa aim to steal credentials used to authorise\r\ncustomers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions.\r\nhttps://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign\r\nPage 1 of 6\n\nNew targets, new focus\r\nThreatFabric has been monitoring Anatsa’s activity since its discovery in 2020. We have seen multiple changes in the actor’s\r\nareas of interest over the years, with continuous updates in target lists. This campaign is no exception: we see a strong shift\r\ntowards targeting banking institutions in the DACH region, specifically in Germany. 
This focus is mirrored by the regions\r\nwhere the droppers used for distribution are released.\r\nIn the latest iteration of the campaign, with the introduction of the new dropper, our Fraud Intelligence portal identified 3\r\nnew German banking applications that were added to Anatsa’s overlay target list, which once again proves the current focus\r\nof the actors.\r\nHowever, Anatsa remains active in the US and UK, just like in previous campaigns. Analysing the list of targeted\r\napplications, we see more than 90 new targeted applications compared to the last one of last year, in August 2022. Anatsa’s\r\nactors added targets from Germany, Spain, Finland, South Korea and Singapore. While the droppers are not distributed in all of\r\nthese countries, it definitely reveals plans to target those regions. It is likely part of the initial reconnaissance that will give\r\nthe actors more insights into the internal structure of banking applications and the way apps need to interact in order to\r\nperform transfers; in addition, it is possible that the actors are also trying to target significant minorities that live in\r\ncountries targeted by these droppers.\r\nIf you are interested in the full list of Anatsa’s targeted banking applications and a personal briefing, please contact us.\r\nThe campaign we report in this blog is not a usual one: it serves as an example of the efforts actors make to deliver the malware\r\nto victims, at the same time increasing infection conversion and maintaining long-lasting campaigns. In the following\r\nsections, we explain our observations on the latest (still ongoing at the moment of writing this blog) Anatsa campaign.\r\n5 droppers on Google Play in 4 months\r\nIt all started at the beginning of March 2023, when ThreatFabric detected the start of a new campaign by Anatsa after an\r\napproximate half-year hiatus. 
Our analysts were able to identify a dropper application on the Google Play Store used to\r\ndeliver Anatsa to infected devices, posing as a PDF-reader application.\r\nOnce installed, such an application would make a request to a page hosted on GitHub, where the dropper would get the URL\r\nto download the payload (also hosted on GitHub). The payloads would masquerade as an add-on to the original application\r\n(similar to what we have seen in previous campaigns).\r\nShortly after this dropper was reported to Google, it was removed from the store. However, one month after the discovery of\r\nthe first dropper, the actors published another one, once again posing as a PDF viewer. It was the continuation of the same\r\ncampaign, as the payloads used in it were the same, still masquerading as an add-on. The disguise chosen for these\r\nmalicious applications confirms the trend we see for droppers on Google Play: after the restriction of the\r\n“REQUEST_INSTALL_PACKAGES” permission, droppers tend to impersonate file-management-related applications.\r\nThese types of apps are more likely to already have this permission, as they need it for their functionality: the addition of the\r\ncode responsible for installing a payload does not increase the permissions requested by the trojanized application.\r\nThis second dropper was reported to Google by our team and it was removed from the store. Nevertheless, the same\r\npattern repeated twice: another dropper appeared within a month after the previous one was removed. 
Our team discovered 3 more\r\ndroppers in May and June, 2023.\r\nThe timeline of the dropper releases and removals is shown in the picture below.\r\nWe want to highlight the speed with which the actors return with a new dropper after the previous one is removed: it takes\r\nanywhere from a couple of days to a couple of weeks to publish a new dropper application on the store. Moreover, at the\r\ntime of writing this blog, a new Anatsa dropper was discovered by our analysts and it is still online.\r\nIt is also important to highlight that every dropper was updated some time after the publication date, very likely adding\r\nmalicious functionality at that point in time (we marked that moment with the “Update” tag on the timeline above). Our\r\nanalysis also reveals that the actors can have several apps published in the store at the same time under different developer\r\naccounts; however, only one acts as malicious, while the other is a backup to be used after a takedown.\r\nSuch a tactic helps the actors maintain very long campaigns, minimising the time needed to publish another dropper and\r\ncontinue the distribution campaign.\r\nAnatsa fraud kill chain\r\nThe analysis of Anatsa’s activity and its capabilities allows us to draw a fraud “kill chain” for Anatsa, highlighting the way\r\nin which the actors may act in order to perform fraud.\r\nIt all starts with the distribution phase, where the payload is delivered through malicious apps on the Google Play Store. Victims\r\nare routed there through advertisements, which look less suspicious to them as they lead to the official store.\r\nOnce the device is infected, Anatsa is able to collect sensitive information (credentials, credit card details, balance and\r\npayment information) via overlay attacks and keylogging. This information will later be used by the criminals to perform\r\nfraud. 
Anatsa provides them with the capability to perform Device-Takeover Fraud (DTO), which then leads to performing\r\nactions (transactions) on the victim’s behalf. Since transactions are initiated from the same device that targeted bank\r\ncustomers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect them.\r\nConclusions\r\nThe latest campaign by Anatsa reveals the evolving threat landscape that banks and financial institutions face in today’s\r\ndigital world. The recent Google Play Store distribution campaigns targeting the US, DACH, and UK regions demonstrate the\r\nimmense potential for mobile fraud and the need for proactive measures to counter such threats.\r\nIn this rapidly evolving landscape of cyber fraud, the battle against mobile banking Trojans like Anatsa requires client-side\r\nvisibility and adaptability before the customer journey (powered by fraud intelligence) and directly during it with the help of\r\nan SDK built into banking applications.\r\nFraud Risk Suite\r\nThreatFabric’s Fraud Risk Suite enables safe and frictionless online customer journeys by integrating industry-leading\r\nmobile threat intel, behavioural analytics, advanced device fingerprinting and over 10.000 adaptive fraud indicators. 
This\r\nwill give you and your customers peace of mind in an age of ever-changing fraud.\r\nAppendix\r\nAnatsa droppers\r\nApp name | Package name | SHA-256\r\nPDF Reader - Edit \u0026 View PDF | lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools | ecce34c0ba83120ccf1f8e1640cd867fbfeb490dbc8a41d1cf8c577d\r\nPDF Reader \u0026 Editor | com.proderstarler.pdfsignature | 128820e1c5d62523f675042da9d1e11af3191217afe308bcc17e51a\r\nPDF Reader \u0026 Editor | moh.filemanagerrespdf | 7231546ee377738cbe9075791eb6e76b7bc163c1b91831e05e81b4\r\nAll Document Reader \u0026 Editor | com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs | 3740e6b4d259efe6a72f503429fb67db96363935a29f7428ccab5b7\r\nAll Document Reader and Viewer | com.muchlensoka.pdfcreator | db7df65f2699817fa3ebfb3ebef106a3801a96b9da1ba6d88e727a2\r\nSource: https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign"
	],
	"report_names": [
		"anatsa-hits-uk-and-dach-with-new-campaign"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434167,
	"ts_updated_at": 1775826679,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/698397e49ae4721e2ddae85e24f0237e706cce5d.pdf",
		"text": "https://archive.orkl.eu/698397e49ae4721e2ddae85e24f0237e706cce5d.txt",
		"img": "https://archive.orkl.eu/698397e49ae4721e2ddae85e24f0237e706cce5d.jpg"
	}
}