The Anatsa malware threat continues to loom over Android users, demonstrating resilience similar to infamous threats like Joker. First released in 2021, Anatsa has proven its ability to evolve, avoiding detection and creating more complex variants. The main purpose of the malware remains unchanged: to secretly infiltrate Android devices and make off with users’ hard-earned money. In a recent analysis by ThreatFabric, Anatsa’s latest campaign showed increased sophistication, allowing it to bypass Android security measures and manipulate banking applications for financial theft.

Uncovering the Persistent Anatsa Android Malware Threat: A Closer Look at Evolving Tactics

Anatsa’s ingenious modus operandi

Android malware typically works through two main methods: using accessibility services and downloading malicious code after installation. Google has been vigilant in dealing with the former, restricting accessibility services to specific applications and limiting their use to those installed from trusted sources. However, these measures have proved insufficient to thwart the ingenuity of malware developers.

ThreatFabric highlights that malicious actors often disguise their malware within seemingly legitimate apps on Google Play that have a plausible reason to use accessibility services. For example, a purported system cleaner app may claim to use Accessibility Services to hibernate apps. The next step in the criminal plan involves promoting the app through fake reviews, getting it into the top 3 of the rankings and reaching a significant user base, sometimes exceeding 10,000 installs before being removed from Google Play.

Anatsa uses a dropper technique in which the initial application is clean at installation. A week later, however, it secretly downloads a configuration that tells it where to fetch the malicious code. This approach allows the malware to evade detection: the original application contains no explicit references to remote code downloads, so it raises no alarms in detection systems.

The Endgame: Access, manipulation and financial theft

Anatsa’s ultimate goal is to enable both the malicious code and the accessibility service, allowing it to perform actions without requiring user intervention. This includes accessing sensitive applications such as banking applications and performing financial transactions. ThreatFabric highlights the growing trend of seemingly innocuous applications on Google Play transforming into Trojans, bypassing the protections introduced in Android 13.

In Android 13, apps from third-party sources cannot enable an accessibility service until the restrictions are removed. However, Anatsa circumvents this restriction by reaching devices through Google Play, where such restrictions do not apply. As a result, users are advised to be cautious and to avoid trusting unknown apps based solely on their high ranking in the app store, especially when those apps request accessibility permissions.

Anatsa Malware Protection for Android

Defending against evolving threats like Anatsa requires adherence to conventional security practices. Users are strongly advised not to trust unknown apps, even if they boast top positions in the app store. The increased risk associated with apps requiring accessibility permissions calls for a cautious approach. Malware creators continue to adapt their strategies to exploit Android vulnerabilities, which underlines the need for users to remain vigilant and discerning in their choice of applications.
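
A device-side check for the advice above, as an added example that is not part of the original article: it lists every package holding an enabled accessibility service together with its installer, and does not treat a Google Play installer as proof of safety, since Anatsa's droppers arrive through Google Play. The sample command output, package names and allowlist are constructed for illustration.

```python
import re

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.cleaner/com.example.cleaner.HibernateService"
)
# Constructed sample output of: adb shell pm list packages -i
SAMPLE_PKGS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.cleaner  installer=com.android.vending
package:com.example.sideloaded  installer=null
"""
# Assumption: accessibility apps the device owner knowingly relies on.
ALLOWLIST = {"com.google.android.marvin.talkback"}
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_enabled_services(raw):
    """Return package names from the colon-separated 'pkg/class' list."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset: no service enabled
        return []
    pkgs = []
    for component in raw.split(":"):
        pkg = component.split("/", 1)[0].strip()
        if pkg and pkg not in pkgs:
            pkgs.append(pkg)
    return pkgs


def parse_installers(raw):
    """Map package name -> installer package, as reported by pm."""
    matches = (PKG_LINE.match(line.strip()) for line in raw.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}


def audit(a11y_raw, pkgs_raw, allowlist):
    """List (package, installer) for accessibility holders not allowlisted.

    A Play Store installer is reported but never exempts a package.
    """
    installers = parse_installers(pkgs_raw)
    return [(pkg, installers.get(pkg, "unknown"))
            for pkg in parse_enabled_services(a11y_raw)
            if pkg not in allowlist]


if __name__ == "__main__":
    for pkg, installer in audit(SAMPLE_A11Y, SAMPLE_PKGS, ALLOWLIST):
        print(f"review: {pkg} has accessibility enabled (installer: {installer})")
```

Each reported package is a candidate for manual review: check whether the accessibility grant is something the app needs for a function you actually use.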


The Anatsa malware saga continues, posing a constant challenge to Android users. As the threat landscape evolves, it is critical for users to be informed, adopt reasonable security measures, and exercise discretion when granting app permissions. By understanding the evolving tactics used by malware like Anatsa, users can strengthen their defenses and navigate the digital landscape with greater resilience against financial cyberthreats.
