Anatsa / Teabot

Name of Malware: Anatsa (Teabot, Troddler)

Type of Malware: Banking trojan

Affected Operating Systems: Android

Affected Device Types: Mobile phones, smartphones, tablets

Impact: high

What is Anatsa?

Anatsa is a banking Trojan for Android devices that gains full control over the infected device and can therefore perform transactions on behalf of the victim. Its main task is to steal bank information from the victim and carry out fraudulent transactions. Additionally, the malware is capable of stealing cryptocurrencies and exfiltrating various information about the victim.

How did I get infected with Anatsa?

Currently, Anatsa is being distributed through disguised Android applications in the official Google Play Store. These applications pose as useful tools such as PDF viewers ("PDF Viewer - File Explorer"), QR code scanners ("QR Code & BarCode Scanner"), or smartphone cleaners ("Phone Cleaner - File Explorer"). However, they actually install the Anatsa malware on the device. In other cases, victims received an SMS with a request to click on a link that leads to the download of such an app. The apps always need to be actively installed.

What do I have to do now?

The compromised device can be disinfected by removing the app, although Anatsa will try to prevent its removal. It may be necessary to perform a factory reset.

Further information can be found under Removing infections on smartphones and tablets.

Technical specifications

Further information on this malware can be found on the website of our project partner Fraunhofer FKIE.