{
	"id": "239867e7-a4fc-4d58-bcb8-0523c4a03c16",
	"created_at": "2026-04-06T00:14:37.389505Z",
	"updated_at": "2026-04-10T13:12:25.664683Z",
	"deleted_at": null,
	"sha1_hash": "baae3d54109ed522bda22ba4fe88c7321a183de4",
	"title": "Anatsa Trojan Returns: Targeting Europe and Expanding Its Reach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 389669,
	"plain_text": "Anatsa Trojan Returns: Targeting Europe and Expanding Its Reach\r\nPublished: 2024-10-01 · Archived: 2026-04-05 20:42:22 UTC\r\nIntroduction\r\nIn the dynamic world of mobile banking, the security landscape is constantly shifting, posing new challenges for\r\nbanks and financial institutions. It is therefore imperative to stay ahead of emerging threats. Our latest findings on\r\nthe Anatsa banking Trojan campaign highlight the evolving nature of these threats and the need for robust mobile\r\nthreat intelligence.\r\nCampaign overview\r\nIn November 2023, our Mobile Threat Intelligence (MTI) team detected a resurgence of the Anatsa banking\r\nTrojan campaign, marking a significant shift since our last update in June 2023. Over the past four months, we\r\nhave observed five distinct waves of this campaign, each focusing on different regions. While Anatsa has\r\npreviously targeted the UK, Germany, and Spain, its expansion into Slovakia, Slovenia, and Czechia signals a new\r\nphase in its operational strategy.\r\nOur analysis reveals that Anatsa's activity can be classified as \"targeted,\" with threat actors focusing on 3-5\r\nregions at a time while promoting dropper applications on Google Play in these specific areas. 
These applications\r\noften reach the Top-3 in the \"Top New Free\" category, enhancing their credibility and lowering the guard of\r\npotential victims while increasing the chances of successful infiltration.\r\nhttps://www.threatfabric.com/blogs/anatsa-trojan-returns-targeting-europe-and-expanding-its-reach\r\nPage 1 of 6\n\nThroughout this campaign, Anatsa's Modus Operandi has evolved, displaying more sophisticated tactics such as\r\nAccessibilityService abuse, a multi-staged infection process, and the ability to bypass Android 13's restricted\r\nsettings.\r\nNew droppers: technical details\r\nSome of the droppers in the campaign successfully exploited the AccessibilityService, despite Google\r\nPlay's enhanced detection and protection mechanisms.\r\nTo evade detection, all droppers employed a multi-staged approach, dynamically downloading\r\nconfiguration and malicious executable files from their command and control (C2) server, allowing the\r\nthreat actors to modify them as needed.\r\nAs reported in previous blogs, all droppers in this campaign have demonstrated the capability to bypass the\r\nrestricted settings for AccessibilityService in Android 13.\r\nForbidden techniques: abusing Accessibility Service\r\nAccessibilityService is a feature frequently exploited by mobile malware to carry out harmful activities.\r\nHistorically, malicious droppers on official app stores used AccessibilityService to automate the installation of\r\npayloads, enabling them to complete the installation process without user interaction and thereby increasing the\r\nsuccess rate of converting dropper installations into actual payload deployments.\r\nHowever, this tactic saw a decline after 2017, when Google updated its policy for apps on Google Play using\r\nAccessibilityService. Under the new policy, apps must provide a clear explanation for requiring\r\nAccessibilityService. 
This led to a noticeable decrease in its misuse by malicious droppers, which prompted a\r\nchange in its operational methods.\r\nRecent policy updates on Google Play have imposed even stricter restrictions on the use of AccessibilityService.\r\nFor an app to now use this service and be published on Google Play, it requires additional approval, significantly\r\nreducing the likelihood of malicious apps exploiting this feature.\r\nDespite being considered outdated, old tactics occasionally resurface in official app stores. In November 2023 we\r\nidentified a dropper on Google Play distributing the Anatsa malware. This dropper, disguised as a cleaner app,\r\nclaimed to require AccessibilityService as a means to \"hibernate draining apps.\" Initially, the app appeared\r\nharmless, with no malicious code and its AccessibilityService not engaging in any harmful activities. However, a\r\nweek after its release, an update introduced malicious code. This update altered the AccessibilityService\r\nfunctionality, enabling it to execute malicious actions such as automatically clicking buttons once it received a\r\nconfiguration from the C2 server.\r\nA unique aspect of this dropper was its malicious code, specifically targeting Samsung devices. The malicious\r\nAccessibilityService was tailored to interact with the UI elements of Samsung devices, meaning only Samsung\r\nusers were impacted in this phase of the campaign. This suggests that the threat actors initially developed and\r\ntested their code exclusively for Samsung devices.\r\nBased on our findings, we believe there is potential for future adaptations to target other manufacturers. 
In\r\ncontrast, other droppers in the campaign did not contain such manufacturer-specific code, posing a threat to all\r\ndevices regardless of the vendor.\r\nThe following code snippet shows how the dropper filters on manufacturer and Android version, as well as\r\nlocation (once again showing the highly targeted approach of the actors).\r\nif (!Build.MANUFACTURER.equalsIgnoreCase(\"samsung\") || Build.VERSION.SDK_INT != 33) {\r\n Intent intent0 = new Intent(context0, class0);\r\n intent0.addFlags(0x10000000);\r\n context0.startActivity(intent0);\r\n return;\r\n}\r\nTelephonyManager telephonyManager0 = (TelephonyManager) context0.getSystemService(\"phone\");\r\nString s = telephonyManager0.getNetworkCountryIso().isEmpty() ? \"uat\" : telephonyManager0.getNetworkCountryIso(\r\nif (!s.startsWith(\"de\") \u0026\u0026 !s.startsWith(\"nl\") \u0026\u0026 !s.startsWith(\"es\") \u0026\u0026 !s.startsWith(\"gb\") \u0026\u0026 !s.startsWith(\"\r\n Intent intent1 = new Intent(context0, class0);\r\n intent1.addFlags(0x10000000);\r\n context0.startActivity(intent1);\r\n return;\r\n}\r\nInterestingly, the malicious code that handles accessibility events is located in an additional stage (DEX file) that\r\nis downloaded from the C2 and dynamically loaded into memory.\r\nMalicious puzzle: multiple stages to avoid detection\r\nTo avoid immediate detection, the actors strategically spread the malicious indicators across several stages. Our\r\nanalysts observed that the latest version of the dropper showed improvement, dynamically retrieving the following\r\nfiles from the command-and-control server:\r\n1. Configuration for the malicious DEX file. It contains strings necessary for malicious code, which might\r\ntrigger the detection mechanisms if they were placed in the dropper itself. 
The strings contain suspicious\r\nclass names like \"dalvik.system.InMemoryDexClassLoader\", the presence of which indicates the\r\nsuspicious intent to load the DEX file directly from the memory.\r\n2. DEX file containing malicious code responsible for payload installation. Having downloaded strings in the\r\nprevious step, the control flow is redirected to the loaded DEX file.\r\n3. Configuration with a payload URL. It allows cybercriminals to dynamically change the payload URL if the\r\nprevious one gets taken down.\r\n4. Payload. As a final step, the code in the DEX file loaded in step 2 downloads Anatsa, installs it and\r\nlaunches it.\r\nBypassing Android 13 restrictions\r\nThe droppers in the latest Anatsa campaign effectively install payloads, circumventing the AccessibilityService\r\nrestrictions of Android 13. This technique, capable of bypassing certain restrictions and previously covered in our\r\ndiscussion on several actors providing Dropper-as-a-Service, is increasingly being adopted by various actors. 
It\r\nensures that the droppers can install malicious payloads without having their access to AccessibilityService\r\nfunctionalities disabled.\r\nIn this campaign, all three droppers observed use this method and employ dynamically loaded DEX files, further\r\nenhancing their ability to evade detection by security engines.\r\nImpact: Device Takeover hits European banks\r\nFinancial organisations are advised to alert and educate their customers about the risks of installing\r\napplications from official stores and enabling AccessibilityService for applications that do not require\r\nit.\r\nImplementing effective detection and monitoring for malicious applications and unusual customer account\r\nactivity is crucial in identifying fraud cases linked to device-takeover mobile malware such as Anatsa.\r\nAs of this report, the current campaign involves five droppers with over 100,000 total installations. Each\r\ninstallation poses a potential risk for Anatsa installation and subsequent fraud. In comparison, the previous\r\ncampaign in the first half of 2023 featured six different droppers, accumulating over 130,000 total installations.\r\nBased on this pattern, we anticipate the continuation of this campaign, with new droppers appearing in the official\r\nstore and an expansion into additional targeted regions. The threat actors have a history of shifting focus between\r\nregions within a single campaign.\r\nThe distribution strategy and remote access capabilities of Anatsa classify it as a critical threat in the targeted\r\nregions. Our threat intelligence indicates that these actors prefer concentrated attacks on specific regions rather\r\nthan a global spread, periodically shifting their focus. This targeted approach enables them to concentrate on a\r\nlimited number of financial organisations, leading to a high number of fraud cases in a short time. 
This not only\r\nincreases the burden on fraud analysts but also places significant strain on customer support teams.\r\nAnatsa is a banking Trojan with Device Takeover (DTO) capabilities that can gain full control over an infected\r\ndevice and execute actions on a victim’s behalf. Financial organisations should urgently educate their customers\r\nabout the risks of installing applications, even from official stores, and caution against enabling\r\nAccessibilityService for apps that don't require it for their supposed operations. In cases where customers report\r\nunusual device behaviour or unrecognised transactions, we advise institutions to inquire about recent activities\r\nsuch as newly installed applications and any permissions granted, particularly regarding AccessibilityService.\r\nEffective detection and monitoring of malicious applications, along with observing unusual customer account\r\nbehaviour, are crucial for identifying and investigating potential fraud cases linked to device-takeover mobile\r\nmalware like Anatsa.\r\nConclusion\r\nIn the ever-changing threat landscape, staying informed is the first step. Proactive measures are essential to\r\nsafeguarding your institution's mobile banking infrastructure. ThreatFabric's Mobile Threat Intelligence service is\r\ndesigned to provide actionable intelligence that can be integrated into your security strategy.\r\nOur continuous monitoring and analysis of threats such as Anatsa equips you with the knowledge needed to\r\nanticipate and mitigate these evolving risks. 
By partnering with ThreatFabric, you gain access to cutting-edge\r\nthreat intelligence, empowering you to protect your assets and maintain the trust of your customers in an\r\nincreasingly digital banking environment.\r\nStay vigilant, stay informed, and stay ahead with ThreatFabric.\r\nSource: https://www.threatfabric.com/blogs/anatsa-trojan-returns-targeting-europe-and-expanding-its-reach",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/anatsa-trojan-returns-targeting-europe-and-expanding-its-reach"
	],
	"report_names": [
		"anatsa-trojan-returns-targeting-europe-and-expanding-its-reach"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434477,
	"ts_updated_at": 1775826745,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/baae3d54109ed522bda22ba4fe88c7321a183de4.pdf",
		"text": "https://archive.orkl.eu/baae3d54109ed522bda22ba4fe88c7321a183de4.txt",
		"img": "https://archive.orkl.eu/baae3d54109ed522bda22ba4fe88c7321a183de4.jpg"
	}
}