Anatsa

Anatsa is an Android banking trojan, also referred to in the provided content as TeaBot and Toddler. It is designed to steal banking credentials and other sensitive financial information and to enable fraudulent transactions directly from infected devices, including draining bank accounts. The malware has repeatedly been distributed through malicious Android applications on the Google Play Store, especially productivity, utility, file manager, PDF viewer, and document reader apps that appear legitimate. Reported lures include fake document reader and file manager applications such as “Document Viewer - File Reader,” “Document Reader – File Manager,” and “All Document Reader,” with campaigns reaching from more than 10,000 to over 50,000 downloads, and broader reporting also noting malicious apps with more than 19 million installs spreading Anatsa and other malware.

The observed delivery method is a dropper or two-stage installer approach intended to evade Google Play review and Play Protect scanning. In these campaigns, the initial app appears benign and functional, then contacts a remote server after installation to fetch the Anatsa payload, including payloads disguised as text documents. Reported package names include com.groundstation.informationcontrol.filestation_browsefiles_readdocs and com.recursivestd.highlogic.stellargrid. One reported payload URL is http://23.251.108[.]10:8080/privacy.txt.

Once active, Anatsa seeks advanced permissions, particularly abuse of Android Accessibility Services. The malware uses accessibility access to read screen content, capture keystrokes, interact with the device, intercept sensitive user input, and in some reporting intercept SMS messages and multi-factor authentication codes. It monitors for targeted banking and financial applications and launches overlay attacks by displaying fake login screens over legitimate banking apps to steal usernames, passwords, and authentication data. The content also states that Anatsa can perform credential logging, interfere with legitimate app interactions, and operate from the victim’s trusted device context, helping bypass traditional bank fraud detection and standard authentication controls.

The latest variant described in the content targets more than 831 financial institutions and cryptocurrency platforms worldwide, with specific reporting of targets in Germany, South Korea, the United States, and Canada. The malware family has been described as active since 2020 and as continuously evolving. Reported anti-analysis and evasion features include obfuscation, emulator-evasion, emulation checks, device-model verification, hiding a DEX file inside a corrupted ZIP archive with invalid compression flags, runtime-only execution with immediate deletion, embedding payload content inside a JSON file that is dropped and erased during execution, and encrypting command-and-control traffic with a single-byte XOR key. If a sandbox or testing environment is detected, one report says the app displays a clean file manager interface instead of launching the trojan.

Associated infrastructure and indicators mentioned in the content include installer SHA-256 5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20, payload SHA-256 88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f, and command-and-control endpoints http://172.86.91[.]94/api/, http://193.24.123[.]18:85/api/, and http://162.252.173[.]37:85/api/. The content also links Anatsa-related operations to residential proxy abuse used to obscure fraudulent banking activity; SI-CERT specifically analyzed the residential proxy component in one case involving fraudulent bank access appearing to originate from a Slovenian IP address tied to an unwitting proxy user.