Anatsa Malware Description
A new threatening and sophisticated Android banking Trojan is being deployed against users in the Netherlands. The threat was named Anatsa malware by the researchers who detected the smishing campaign that deployed it. The threatening capabilities of Anatsa are truly impressive and go far beyond what a normal banking Trojan is equipped with.
At the most basic level, Anatsa can collect user credentials through overlay attacks. The overlays are downloaded and stored on the infected device and then launched locally when needed. The threat can establish keylogging routines, as well as access and exfiltrate contact information and device details. However, one of the most threatening aspects of the Anatsa malware is its ability to exploit accessibility logging. As a result, the threat can obtain information being displayed on the device's screen. Furthermore, it allows the malware to interact with the UI elements and record all information displayed inside them. The threat actor can leverage this functionality of the threat to conduct what is known as on-device fraud - the cybercriminals use the compromised device to commit fraudulent activities.
The Anatsa malware also can act as a RAT (Remote Access Trojan). If the malware strain receives a specific command ('start_client') from its Command-and-Control server, it will initiate a connection to a specific IP address and port. This communication channel can then be exploited by the threat actor to send and receive data and give additional commands to the malware tool. The cybercriminals can stop and uninstall chosen applications on the device, perform gestures, mute the device, collect Google authenticator codes and more.
Getting rid of the Anatsa malware can prove to be a tricky process. The threat prevents its victims from using the Android Settings to uninstall it. At the same time, it also intervenes and stops the user from rebooting or shutting down the compromised device.