In November 2023 [1] [3] [5] [6] [7], the Anatsa banking Trojan campaign resurged [5] [6] [7], targeting European banks in five distinct waves [5] [6], with specific countries being affected.


Threat actors have evolved their tactics to include AccessibilityService abuse [7], a multi-staged infection process [2] [5] [6] [7], and the ability to bypass Android’s restricted settings to distribute malicious droppers on Google Play [7]. Despite enhanced detection mechanisms [7], droppers in this campaign have successfully exploited AccessibilityService [7], dynamically downloading configuration and malicious executable files from their command and control server to evade detection [7]. Financial institutions are advised to educate customers about the risks of installing applications from official stores and enabling unnecessary AccessibilityService permissions [5] [6] [7]. With over 150,000 infections across the targeted countries, the threat posed by Anatsa remains significant [5]. Google has removed most Anatsa dropper apps from the Play Store [2] [4], except for one [2] [4], and users are advised to review user ratings and permissions before installing apps to mitigate the risk of financial fraud. The latest campaign also includes fake cleaner apps promising to free up space on devices [4], with ThreatFabric discovering that the malicious code update was introduced a week after the dropper app was uploaded [4], and user interface navigation parameters matching Samsung devices [4]. Effective detection and monitoring of malicious applications [6], along with observing unusual customer account behavior [6], are crucial for identifying and investigating potential fraud cases linked to device-takeover mobile malware like Anatsa [6].


Anatsa has expanded its focus to include Austria and Switzerland in a new campaign observed in November 2023 [1]. The trojan is distributed under the guise of seemingly innocuous apps on the Google Play Store [1], with droppers facilitating the installation of the malware by circumventing security measures [1]. The trojan is capable of gaining full control over infected devices [1], executing actions on a victim’s behalf [1], and stealing credentials for fraudulent transactions [1]. ThreatFabric researchers note that the actors behind Anatsa prefer concentrated attacks on specific regions [1], leading to a high number of fraud cases in a short time [1]. Continuous monitoring and proactive security measures are essential to mitigate the risk posed by Anatsa and similar threats in the future.