Skip to main content


Home Anatsa

Anatsa

Also known as: TeaBot, Toddler, ReBot

Category: Malware

Type: Banking trojan

Platform: Android

Variants:

Damage potential: Stolen credentials, unauthorized transactions, financial loss, identity theft

Overview

Anatsa is a banking trojan that infects Android devices via trojanized apps or SMS phishing campaigns and allows cybercriminals to launch account takeover (ATO) attacks.

Attackers initially distributed Anatsa via SMS phishing campaigns, but recently they started using apps with malicious payloads to infiltrate devices. These apps serve as a dropper and they might come in different forms, from QR code apps to PDF readers and file cleaner apps.

When a user downloads such an app, Anatsa will start its own installation process in the background and request accessibility services permissions. If the user grants these permission, attackers will be able to view the user’s sensitive information (such as login credentials, 2FA codes, SMS messages) directly from the device’s screen and use this information to hijack the user’s financial accounts.

Possible symptoms

The most noticeable symptoms will be unauthorized logins and transactions. Additionally, there might be slowdowns and unfamiliar changes in system settings. You might see more ads, pop-ups, and browser redirects than usual and your battery might drain quickly without any apparent reason.

Sources of infection

SMS phishing campaigns, dropper apps, and malicious ads are the main sources of infection for this trojan.

Protection

To protect yourself against threats like Anatsa, you should be aware of common phishing techniques and be cautious while downloading apps.

  • Do not click on suspicious links in SMS messages and emails.
  • Only download reputable apps from official sources.
  • Use NordVPN’s Threat Protection Pro to scan downloads for viruses and block malicious ads.
  • Enable Threat Protection Pro’s vulnerability scanner to check your software for potential weaknesses.
  • Enable multi-factor authentication (MFA) where possible.
  • Install reliable antivirus software and keep it updated.
  • Update your operating system and all software regularly to benefit from the most recent security patches.

Removal

Manually removing Anatsa from your device might be challenging, so it’s best to use a reliable antivirus software for this.

  • Disconnect the infected device from the internet.
  • Restart your device in safe mode.
  • Run a full system scan with your antivirus software.
  • Detect the malicious app and delete it.
  • Run another system scan to ensure no traces of malware are left.
  • Change all passwords and monitor your accounts for suspicious activity.