Mobile Malware Alert: Anatsa Targets Travel Firms for Financial Fraud - Cyber and Fraud Centre

Overview

A sophisticated strain of mobile banking malware known as Anatsa has resurfaced, now targeting travel firms and their customers for financial fraud. Anatsa differs from other malware in that it operates covertly, often leaving victims unaware until unauthorised transactions have already occurred.

What Is Anatsa?

Anatsa is a banking Trojan that primarily targets Android devices. First identified in 2021, the malware has evolved significantly, using techniques such as app impersonation, accessibility service abuse and overlay attacks.

The latest campaign sees Anatsa targeting users through seemingly legitimate apps (often travel-related services) which are either malicious from the outset or become compromised. Once installed, the malware uses Android’s accessibility services to silently grant itself extended privileges, operating with near-complete control over the device.

Tactics, Techniques and Procedures (TTPs):

Initial Access: Anatsa is delivered via trojanised applications hosted on unofficial platforms or legitimate-looking websites. Users are often lured with offers related to travel bookings, rewards, or loyalty schemes.
Credential Harvesting: Using keylogging and screen overlay techniques, Anatsa mimics banking app login screens to capture credentials.
Bypassing Two-Factor Authentication (2FA): Because Anatsa operates at the system level, it can intercept or read two-factor authentication messages, sometimes even approving authentication prompts.
Cash-Out: Once access is gained, threat actors initiate unauthorised payments or transfers using the stolen card or account information.

Why Are Travel Firms Being Targeted?

Travel firms are an attractive target due to the volume of transactions involving high-value bookings and frequent card usage. Fraudulent transactions in this context may not immediately raise red flags, especially during peak travel seasons. Additionally, customers may be more likely to install third-party travel-related apps while making bookings on the go.

What to Look Out For

Anatsa is designed to remain hidden, but potential indicators of compromise include:

Battery draining unusually fast.
Device becoming slower or behaving erratically.
Unfamiliar apps appearing on the device.
Unauthorised banking activity.

How to Protect Yourself

Keep your device updated with the latest security patches.
Install apps only from trusted sources such as the Google Play Store or official company websites.
Review app permissions, particularly those requesting access to Accessibility Services.
Use reputable mobile security software that can detect and prevent mobile malware.
Regularly monitor bank statements regularly and enable alerts for transactions.

If You Think Your Device Is Compromised

Disconnect your device from all networks.
Change all passwords using a secure, uninfected device.
Contact your bank immediately to report any suspicious activity.
Reset your device to factory settings, and restore data only from verified, clean backups.
Report the incident to the Cyber and Fraud Centre Scotland and Police Scotland.

Mobile malware is a risk that is often overlooked but represents a real threat, as highlighted by our financial partners. It can affect individuals as much as industry sectors like travel. Be alert to the signs of infection and take proactive steps to protect your devices and financial information.

07.05.25

Threat Intelligence Alerts