- Anatsa malware first emerged in 2020 as an Android banking trojan capable of credential theft, keylogging, and enabling fraudulent transactions.
- The latest variant of Anatsa targets over 831 financial institutions worldwide, adding new countries like Germany and South Korea, as well as cryptocurrency platforms.
- Anatsa streamlined payload delivery by replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the Anatsa payload.
- Anatsa implemented Data Encryption Standard (DES) runtime decryption and device-specific payload restrictions.
- Many of the decoy Anatsa applications have individually exceeded 50,000 downloads.
- Alongside Anatsa, ThreatLabz identified and reported 77 malicious apps from various malware families to Google, collectively accounting for over 19 million installs.
I’m sure disallowing side loading will fix that… Oh wait
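The summary above names two loader traits worth checking for during APK triage: whether a sample still pulls a remote DEX through a class loader or instead installs the payload directly, and whether it carries DES decryption and device-gating logic. The script below is an added example (not code from the post, ThreatLabz or the Anatsa authors) that runs those heuristics over a string dump such as `strings classes.dex` output. The indicator regexes, the assumption that device restrictions show up as `Build`/`TelephonyManager` lookups, and both sample dumps are constructed for illustration, not taken from real Anatsa samples.

```python
"""Static-triage heuristics for the loader traits described above.

Added example; indicator lists and the two sample dumps are constructed
assumptions, not extracted from Anatsa or any other real sample.
"""
import re
from collections import defaultdict

# Each family is a list of regexes matched against one line of a string
# dump (e.g. `strings classes.dex`). Hypothetical heuristics, not signatures.
INDICATORS = {
    "dynamic_dex_loading": [
        r"dalvik/system/DexClassLoader",
        r"dalvik/system/InMemoryDexClassLoader",
        r"dalvik/system/PathClassLoader",
        r"\.dex$",                      # a remote/bundled secondary DEX name
    ],
    "direct_install": [
        r"android/content/pm/PackageInstaller",
        r"android\.intent\.action\.INSTALL_PACKAGE",
        r"application/vnd\.android\.package-archive",
    ],
    "des_runtime_decryption": [
        r"^DES(/|$)",                   # Cipher transformation string "DES/..."
        r"javax/crypto/spec/DESKeySpec",
    ],
    "device_restriction": [             # assumed: gating on device identifiers
        r"android/os/Build",
        r"TelephonyManager",
        r"getSimCountryIso",
        r"getNetworkCountryIso",
    ],
}

_COMPILED = {fam: [re.compile(p) for p in pats] for fam, pats in INDICATORS.items()}


def scan_strings(dump):
    """Return {family: sorted matching strings} for every family with a hit."""
    hits = defaultdict(set)
    for raw in dump:
        s = raw.strip()
        for fam, pats in _COMPILED.items():
            if any(p.search(s) for p in pats):
                hits[fam].add(s)
    return {fam: sorted(v) for fam, v in hits.items()}


def loader_profile(dump):
    """Classify the delivery style and flag DES/device-gating indicators."""
    hits = scan_strings(dump)
    dynamic = "dynamic_dex_loading" in hits
    install = "direct_install" in hits
    if dynamic and not install:
        style = "dynamic_dex_loader"
    elif install and not dynamic:
        style = "direct_install_dropper"
    elif dynamic and install:
        style = "mixed"
    else:
        style = "none"
    return {
        "delivery_style": style,
        "des_runtime_decryption": "des_runtime_decryption" in hits,
        "device_restriction": "device_restriction" in hits,
        "hits": hits,
    }


# Constructed dumps standing in for `strings classes.dex` output.
DYNAMIC_STYLE_DUMP = [
    "Ldalvik/system/DexClassLoader;",
    "https://example.invalid/update.dex",     # hypothetical URL
    "DES/ECB/PKCS5Padding",
    "Ljavax/crypto/spec/DESKeySpec;",
    "Landroid/telephony/TelephonyManager;",
    "getSimCountryIso",
]

DIRECT_INSTALL_DUMP = [
    "Landroid/content/pm/PackageInstaller;",
    "application/vnd.android.package-archive",
    "DES/CBC/PKCS5Padding",
    "Ljavax/crypto/spec/DESKeySpec;",
    "Landroid/os/Build;",
    "getNetworkCountryIso",
]

if __name__ == "__main__":
    for name, dump in (("old-style", DYNAMIC_STYLE_DUMP), ("new-style", DIRECT_INSTALL_DUMP)):
        p = loader_profile(dump)
        print(name, p["delivery_style"], "DES:", p["des_runtime_decryption"],
              "device-gated:", p["device_restriction"])
```

String-level hits only tell you what to look at next; a `PackageInstaller` reference is common in legitimate updaters, so treat the profile as a prioritisation aid and confirm the behaviour in the decompiled code or at runtime.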