Anatsa

Anatsa is an Android banking trojan that pioneered on-device Automated Transfer System (ATS) fraud through Google Play Store distribution. Active since January 2021, it uses accessibility services to initiate bank transfers directly from the victim's device, bypassing "new device enrollment" checks that banks rely on to detect fraud. Its persistent ability to land dropper apps on Google Play, combined with a growing target list of 800+ financial institutions, makes it one of the most operationally successful Android banking trojans.

Overview

| Attribute | Details |
| --- | --- |
| First Seen | January 2021 |
| Status | Active (2025) |
| Type | Banking trojan, ATS fraud |
| Aliases | TeaBot, Toddler |
| Attribution | Unknown, financially motivated |
| Distribution | Google Play Store droppers, sideloading |

Origin and Lineage

Cleafy's Threat Intelligence team discovered Anatsa in early January 2021 while monitoring banking fraud campaigns targeting European institutions. Cleafy tracked it under the name TeaBot. The malware appeared to be written from scratch with no codebase overlap with existing families like Cerberus, Anubis, or FluBot.

ThreatFabric independently identified the same family and tracked it as Anatsa, first spotting dropper apps on Google Play in June 2021. By November 2021, ThreatFabric had documented six distinct Anatsa droppers that had been published to the Play Store since that initial June discovery.

The family has been under continuous development since its emergence. The operators consistently refine their dropper strategy, rotating between PDF readers, QR scanners, file managers, and document apps to pass Google Play review.

Distribution

Anatsa's primary distribution vector is the Google Play Store through dropper apps that initially pass review as legitimate utilities, then receive a malicious update after accumulating installs.

| Date | Dropper Type | Installs | Source |
| --- | --- | --- | --- |
| June 2021 | Document scanner | ~10,000 | ThreatFabric |
| March 2022 | QR code reader, PDF reader | ~10,000+ | Hacker News |
| March 2023 | PDF reader, business suite | 30,000+ | ThreatFabric |
| November 2023 | Various utility apps | 100,000+ (5 waves) | ThreatFabric |
| February 2024 | Utility apps | 150,000+ | Bleeping Computer |

The dropper pattern is consistent: apps are published as functional utilities, spend several weeks building installs and positive reviews, then push a malicious update. The payload is fetched from C2 rather than bundled in the dropper APK, making static detection at upload time difficult.

Cleafy documented the global expansion of distribution, noting that within a year of initial discovery, the target list grew from 60 to over 400 financial apps.

Capabilities

Core Features

| Capability | Implementation |
| --- | --- |
| Overlay attacks | WebView-based injects downloaded from C2, triggered by accessibility events |
| ATS fraud | Accessibility service performs transfers in the real banking app |
| Keylogging | Captures all text input via accessibility event monitoring |
| Screen streaming | Real-time device screen fed to operator on demand |
| SMS interception | Reads, intercepts, and hides incoming SMS for 2FA bypass |
| Google Authenticator theft | Reads TOTP codes from authenticator apps via accessibility |
| Remote interaction | Full device control through accessibility gestures |

ATS Implementation

The ATS engine is Anatsa's primary differentiator. Once the victim opens a banking app and logs in (credentials captured via overlay or keylogger), the malware:

  1. Waits for the session to be established
  2. Uses accessibility services to navigate the banking app
  3. Fills in transfer details (recipient, amount) from C2-provided instructions
  4. Confirms the transaction using captured 2FA codes
  5. Returns to the previous screen state

This happens on the victim's own device, within the victim's active banking session, making it invisible to server-side fraud detection that looks for new device registrations or unusual device fingerprints.

Anti-Analysis

Zscaler ThreatLabz documented several evasion techniques in recent samples:

| Technique | Details |
| --- | --- |
| String encryption | DES encryption with dynamically generated keys |
| DEX payload hiding | Concealed within JSON files, dropped at runtime, deleted after loading |
| Archive corruption | Invalid compression/encryption flags to defeat static analysis |
| Emulator detection | Checks device model and environment properties |
| Multi-stage loading | Dropper fetches payload from C2, payload decrypts and loads secondary DEX |

Technical Details

C2 Communication

C2 traffic is encrypted using single-byte XOR (key: 0x42 / 66 decimal) and transmitted as JSON payloads. Configuration data includes domain lists, inject version numbers, keylogger settings, and command queues.

The C2 infrastructure provides:

  • Target app lists and corresponding inject URLs
  • ATS scripts specifying transfer parameters
  • Updated configurations for regional targeting
  • Commands for on-demand screen streaming sessions
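The XOR layer described above is trivial to strip once the key is known, which is what makes the traffic tractable for an analyst. The following added example (not code from the page or from any vendor report) decodes a captured blob with the reported 0x42 key and parses the result as JSON, and falls back to brute-forcing all 256 single-byte keys in case a variant rotates it; the sample message is constructed here and is not a real capture.

```python
import json

# Single-byte XOR key reported for Anatsa C2 traffic (0x42 == 66 decimal)
ANATSA_XOR_KEY = 0x42


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. Symmetric: encoding and decoding are the same step."""
    return bytes(b ^ key for b in data)


def decode_c2_payload(blob: bytes, key: int = ANATSA_XOR_KEY):
    """Strip the XOR layer and parse the result as JSON.

    Returns the parsed JSON value, or None when the result is not UTF-8 JSON
    (wrong key, or the blob is not an Anatsa-style message at all).
    """
    try:
        return json.loads(xor_bytes(blob, key).decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


def recover_single_byte_key(blob: bytes):
    """Brute-force all 256 single-byte keys and return the first one that yields a
    JSON object or array; useful if a variant rotates the key. None if no key works.
    Requiring dict/list avoids false hits such as a two-byte blob decoding to "10".
    """
    for key in range(256):
        decoded = decode_c2_payload(blob, key)
        if isinstance(decoded, (dict, list)):
            return key
    return None


# Constructed sample message (not a real capture) mirroring the configuration
# fields described above: domain list, inject version, keylogger flag, command queue.
SAMPLE_CONFIG = {
    "domains": ["c2-placeholder.invalid"],
    "inject_version": 3,
    "keylogger": True,
    "commands": ["screen_stream"],
}
SAMPLE_BLOB = xor_bytes(json.dumps(SAMPLE_CONFIG).encode("utf-8"), ANATSA_XOR_KEY)

if __name__ == "__main__":
    print("recovered key:", hex(recover_single_byte_key(SAMPLE_BLOB)))
    print("decoded config:", decode_c2_payload(SAMPLE_BLOB))
```

Because XOR is symmetric, the same `xor_bytes` call that decodes a capture also lets you build test vectors for a network signature without touching real infrastructure.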

Accessibility Service Permissions

Once installed, Anatsa requests the accessibility service permission. Once that is granted, the malware uses accessibility to grant itself the additional permissions listed below, without further user interaction.

Permissions

| Permission | Purpose |
| --- | --- |
| BIND_ACCESSIBILITY_SERVICE | Core dependency for overlay triggering, ATS fraud, keylogging, and remote interaction |
| SYSTEM_ALERT_WINDOW | Display overlay injections over banking apps |
| READ_SMS | Read SMS messages for OTP interception |
| RECEIVE_SMS | Intercept incoming SMS in real time |
| USE_FULL_SCREEN_INTENT | Display full-screen phishing prompts |
| INTERNET | C2 communication |
| REQUEST_INSTALL_PACKAGES | Dropper installs main payload |

Target Regions and Financial Institutions

Anatsa's targeting has expanded significantly since 2021.

| Period | Primary Targets |
| --- | --- |
| Early 2021 | Spain, Germany, Italy |
| Late 2021 | Netherlands, Belgium, UK |
| 2022 | Expanded EU (Austria, Switzerland) |
| 2023 | US, UK, DACH region (Germany, Austria, Switzerland) |
| Late 2023 | Slovakia, Slovenia, Czech Republic |
| 2024 | North America (US, Canada) |

ThreatFabric reported the North American expansion in 2024, noting the operators used the same proven Play Store dropper playbook refined across years of European campaigns.

As of late 2024, Zscaler ThreatLabz estimates Anatsa targets over 800 financial institutions and cryptocurrency platforms worldwide.

Notable Campaigns

January-May 2021: Cleafy's initial discovery documented TeaBot targeting 60 European banks across Spain, Germany, and Italy. The trojan combined overlay attacks with accessibility-based device interaction.

June-November 2021: ThreatFabric identified six droppers on Google Play delivering Anatsa. This campaign established the Play Store dropper-as-delivery pattern that would define Anatsa's operations going forward.

March 2023: ThreatFabric documented a campaign targeting UK and DACH region banks through PDF reader dropper apps, accumulating 30,000+ installs before detection.

June 2023: The Hacker News reported Anatsa expanding to target US, UK, German, Austrian, and Swiss banking customers.

November 2023-January 2024: ThreatFabric tracked five distinct campaign waves targeting different European regions sequentially, with combined dropper installs exceeding 100,000.

February 2024: Anatsa bypassed updated Google Play security to land new dropper apps, demonstrating the operators' ability to adapt to evolving store protections.

May-July 2025: ThreatFabric documented a third North American campaign targeting US and Canadian banking customers via Google Play. A dropper disguised as a PDF reader was published on May 7, 2025, and reached #4 in the "Top Free - Tools" category by June 29, 2025, accumulating approximately 90,000 downloads. After installation, the app pushed a fake "PDF Update" notification containing the Anatsa payload. The operators reused the same proven Play Store dropper playbook refined across years of European campaigns.