More than 5.5 million downloads: TeaBot returns via Google Play

The banking Trojan invisibly infects devices using popular apps.

Zscaler discovered more than 90 malicious apps on Google Play designed to distribute malware and adware, including the Anatsa banking Trojan. The apps have been downloaded more than 5.5 million times.

Description of Anatsa (Teabot)

Anatsa is a banking Trojan that targets more than 650 applications of financial institutions in Europe, the United States, the United Kingdom, and Asia. It steals online-banking credentials in order to perform fraudulent transactions. Since the end of 2023, Anatsa has infected devices at least 150,000 times through Google Play, using various apps from the performance enhancement category as droppers.

Anatsa distribution via Google Play

According to Zscaler, Anatsa has returned to Google Play and is distributed through two decoy apps: "PDF Reader & File Manager" and "QR Reader & File Manager". At the time of analysis, the apps had been installed 70,000 times, which shows that they had already passed Google's review process and reached a large audience.


Anatsa Dropper Apps

Malware delivery mechanism

Anatsa uses a multi-stage payload delivery mechanism with four stages; the app installed from Google Play contains no banking-Trojan code itself and only acts as a loader:
  1. The application retrieves its configuration and key strings from the C2 server;
  2. A DEX file containing the malicious dropper code is downloaded and loaded at runtime;
  3. A configuration file containing the URL of the Anatsa payload is downloaded;
  4. The dropper DEX downloads the Anatsa APK and installs it, completing the infection.
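The staged loader above leaves static traces in the dropper: code that loads a DEX at runtime, code that installs a package, and (per the anti-analysis section) emulator checks. The following triage script is an added example by the editor, not Zscaler's tooling or anything from the campaign; the indicator byte patterns are the editor's heuristic choices, and the sample APK it scans is constructed in memory (a zip with fake `AndroidManifest.xml` and `classes.dex` entries, not a real app).

```python
"""Static triage for the multi-stage dropper pattern (added example).

Indicators are heuristics chosen for this illustration; the APK scanned is a
constructed fake built by build_sample_apk(), not a real dropper.
"""
import io
import re
import zipfile

# Class descriptors and literals that appear in the DEX string/type tables of
# an app that loads code at runtime, installs packages, or fingerprints emulators.
DEX_INDICATORS = {
    "dynamic_dex_loading": [
        b"Ldalvik/system/DexClassLoader;",
        b"Ldalvik/system/InMemoryDexClassLoader;",
    ],
    "apk_install": [
        b"Landroid/content/pm/PackageInstaller;",
        b"application/vnd.android.package-archive",
    ],
    "emulator_check": [
        b"ro.kernel.qemu",
        b"goldfish",
        b"generic_x86",
    ],
}

# Binary AXML stores manifest strings as UTF-16LE; plain UTF-8 is also tried
# so the check works on a decoded manifest too.
MANIFEST_INDICATORS = {
    "install_unknown_apps": "android.permission.REQUEST_INSTALL_PACKAGES",
    "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
}


def _contains_any(blob, patterns):
    return [p.decode() for p in patterns if p in blob]


def triage_apk(apk_bytes):
    """Return {indicator_tag: [matched strings]} for an APK given as bytes."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        # Multidex apps ship classes.dex, classes2.dex, ...; scan them all.
        dex_blobs = b"".join(
            zf.read(n) for n in names if re.fullmatch(r"classes\d*\.dex", n)
        )
        for tag, patterns in DEX_INDICATORS.items():
            hits = _contains_any(dex_blobs, patterns)
            if hits:
                findings[tag] = hits
        if "AndroidManifest.xml" in names:
            manifest = zf.read("AndroidManifest.xml")
            for tag, perm in MANIFEST_INDICATORS.items():
                if perm.encode("utf-16-le") in manifest or perm.encode() in manifest:
                    findings[tag] = [perm]
    return findings


def is_suspected_dropper(findings):
    """Heuristic: runtime code loading combined with the ability to install an APK."""
    return "dynamic_dex_loading" in findings and (
        "apk_install" in findings or "install_unknown_apps" in findings
    )


def build_sample_apk(with_dropper_traits):
    """Construct a minimal fake APK in memory (constructed test input, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "android.permission.INTERNET"
        dex = b"dex\n035\x00" + b"Ljava/lang/Object;"
        if with_dropper_traits:
            manifest += "\x00android.permission.REQUEST_INSTALL_PACKAGES"
            dex += (b"Ldalvik/system/DexClassLoader;"
                    + b"ro.kernel.qemu"
                    + b"application/vnd.android.package-archive")
        zf.writestr("AndroidManifest.xml", manifest.encode("utf-16-le"))
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign-like", False), ("dropper-like", True)):
        f = triage_apk(build_sample_apk(flag))
        print(label, "suspected dropper:", is_suspected_dropper(f), f)
```

Treat a hit as a reason to look closer, not as a verdict: legitimate plugin and hot-patch frameworks also use `DexClassLoader`, and the flagged permission alone is common in app stores and file managers. The point of the combination rule is that a benign PDF or QR reader has no reason to both load code from the network and install packages.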


Steps for downloading malware

Anti-analysis and protection

The DEX file performs anti-analysis checks to make sure the malware is not running in a sandbox or an emulator. Once launched, Anatsa loads the bot configuration and the results of its scan of installed apps, and then fetches the injections (overlays for the targeted banking apps) that match the victim's location and profile.

Other malicious apps

Over the past few months, Zscaler has detected more than 90 malicious apps on Google Play, which have been installed a total of 5.5 million times. Most of them disguised themselves as personalization apps, photo utilities, productivity apps, and health and fitness apps.

The researchers did not disclose the names of all the apps and did not specify whether they reported the campaign to Google. At the time of writing, the two Anatsa dropper apps have been removed from Google Play.

According to Zscaler, the malicious apps belong to several families: Joker, Facestealer, Anatsa, Coper, and various adware. Although Anatsa and Coper account for only 3% of the total malicious downloads, they are far more dangerous, since they can perform fraudulent actions on the device and steal confidential information.


Malware (left) and types of dropper apps (right)

Recommendations for users

When installing new apps from Google Play, check the requested permissions and reject those tied to high-risk activities, such as the accessibility service, SMS access, and the contact list. A PDF or QR reader has no legitimate need for any of these. It is also worth auditing apps that are already installed, since a dropper only requests the dangerous capabilities after it has been on the device for a while.
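For apps that are already installed, the check above can be automated over a debug bridge. The script below is an added example by the editor (not from the article or from Zscaler): it parses the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`, both real commands, and flags packages that request the permissions named above or have an accessibility service enabled. The list of "high-risk" permissions is the editor's choice, and the package names and command output embedded below are constructed sample data, not real devices or apps.

```python
"""Audit installed Android apps for high-risk permissions (added example).

Runs offline on constructed sample output; on a real device feed it
    adb shell dumpsys package
    adb shell settings get secure enabled_accessibility_services
"""
import re

# Editor's list of permissions that a file-manager or reader app should not need.
HIGH_RISK = {
    "android.permission.RECEIVE_SMS": "read incoming SMS (OTP interception)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "read contact list",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install APKs (dropper stage)",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service binding",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlays)",
}


def parse_requested_permissions(dumpsys_text):
    """Map package name -> set of requested permissions from `dumpsys package` output."""
    result = {}
    pkg = None
    in_block = False
    header_indent = 0
    for line in dumpsys_text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:
            pkg = m.group(1)
            result.setdefault(pkg, set())
            in_block = False
            continue
        if pkg is None:
            continue
        if line.strip() == "requested permissions:":
            in_block = True
            header_indent = len(line) - len(line.lstrip())
            continue
        if in_block:
            indent = len(line) - len(line.lstrip())
            # Permission entries are indented deeper than their header.
            if line.strip() and indent > header_indent:
                result[pkg].add(line.strip())
                continue
            in_block = False
    return result


def parse_enabled_accessibility(settings_value):
    """`settings get secure enabled_accessibility_services` -> set of package names."""
    value = settings_value.strip()
    if value in ("", "null"):
        return set()
    # Format: pkg/ServiceClass:pkg2/ServiceClass2
    return {entry.split("/")[0] for entry in value.split(":") if entry}


def audit(dumpsys_text, accessibility_value, allowlist=frozenset()):
    """Return {package: {finding: description}} for packages outside the allowlist."""
    findings = {}
    enabled_a11y = parse_enabled_accessibility(accessibility_value)
    for pkg, requested in parse_requested_permissions(dumpsys_text).items():
        if pkg in allowlist:
            continue
        risky = {p: HIGH_RISK[p] for p in sorted(requested) if p in HIGH_RISK}
        if pkg in enabled_a11y:
            risky["enabled_accessibility_service"] = "an accessibility service of this app is enabled"
        if risky:
            findings[pkg] = risky
    return findings


# Constructed sample output in the layout dumpsys uses; package names are fictitious.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.pdfreader] (3f2a9c1):
    userId=10123
    versionName=1.4
    requested permissions:
      android.permission.INTERNET
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (8b1d22e):
    userId=10124
    requested permissions:
      android.permission.INTERNET
      android.permission.VIBRATE
"""
SAMPLE_A11Y = "com.example.pdfreader/com.example.pdfreader.OverlayService"

if __name__ == "__main__":
    for pkg, risky in audit(SAMPLE_DUMPSYS, SAMPLE_A11Y).items():
        print(pkg)
        for finding, why in risky.items():
            print("   ", finding, "-", why)
```

The allowlist parameter exists because a few legitimate apps (the default SMS app, a screen reader) genuinely need these capabilities; everything else that requests them deserves a second look, and an accessibility service enabled for a reader or file-manager app is the single strongest signal in this list.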