A sophisticated Android banking trojan campaign leveraging a malicious file manager application accumulated over 220,000 downloads on the Google Play Store before its removal.\u00a0<\/p>\n
Dubbed Anatsa (also known as TeaBot), the malware targets global financial institutions through a multi-stage infection process. It deploys fake login overlays and abuses accessibility services to steal credentials and execute unauthorized transactions.<\/p>\n
Anatsa\u2019s Attack Chain<\/strong><\/h2>\nAccording to the Zscaler ThreatLabz post shared on X, the malicious app, disguised as a \u201cFile Manager and Document Reader,\u201d functioned as a dropper, a seemingly benign application that retrieves and installs additional payloads from remote servers.\u00a0<\/p>\n![\"\"](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXePGBEvs0V_1zB9-LtGUiHluxQB_Aifk_M2xSMEnht1KB9XwcaZWTJg2KggulYUY2GQAayT1re4E801AlVHKVBrJs-MWmLceROcILHk1YrftZiihbtyypGMKrwNbFwlkRAo_Zyx?key=cAE0r6MhFBwGe-yFEv1Hplrg\")
App disguised as a file manager and document reader<\/figcaption><\/figure>\nThe app prompted users to download a fraudulent \u201cupdate\u201d masquerading as a necessary add-on upon installation. This update, hosted on GitHub repositories, contained the Anatsa banking trojan.<\/p>\n
Anatsa employs reflection-based code execution to dynamically load malicious Dalvik Executable (DEX) files, which evade static analysis tools by decrypting payloads only at runtime.\u00a0<\/p>\n
The malware performs anti-emulation checks to detect sandboxed environments, delaying malicious activity until it confirms a genuine device. Once active, it requests critical permissions, including:<\/p>\n
\n- \nAccessibility Services:<\/strong> To log keystrokes<\/a>, intercept SMS messages, and manipulate screen content.<\/li>\n
- \nSMS Access:<\/strong> To bypass two-factor authentication (2FA) mechanisms<\/li>\n<\/ul>\n
The trojan then establishes communication with command-and-control (C2) servers<\/a>, transmitting device metadata and receiving targeted banking app profiles.\u00a0<\/p>\nFor each detected financial app (e.g., PayPal, HSBC, Santander), Anatsa injects a counterfeit login overlay, capturing credentials directly from unsuspecting users.<\/p>\n
Anatsa\u2019s latest campaign has primarily targeted users in Europe, including Slovakia, Slovenia, and Czechia, though its infrastructure supports expansion into the U.S., South Korea, and Singapore.\u00a0<\/p>\n
The malware\u2019s target list encompasses over 600 banking and cryptocurrency apps, enabling threat actors to conduct on-device fraud (ODF) by initiating unauthorized transfers via automated transaction systems (ATS).<\/p>\n
\nMitigations<\/strong>\u00a0<\/h2>\nTo mitigate risks, users should:<\/p>\n
\n- \nAvoid sideloading:<\/strong> Disable \u201cInstall from unknown sources\u201d in device settings.<\/li>\n
- \nAudit app permissions:<\/strong> Revoke accessibility and SMS access for non-essential apps.<\/li>\n
- \nMonitor for updates:<\/strong> Legitimate apps update via official stores, not third-party links.<\/li>\n<\/ul>\n
The Anatsa campaign underscores persistent gaps in app store security, particularly regarding delayed payload attacks.\u00a0<\/p>\n
While Google has removed the identified dropper, similar threats remain prevalent, often exploiting file managers and utility apps to evade suspicion.\u00a0<\/p>\n
For end-users, vigilance and adherence to basic security hygiene remain critical defenses against evolving mobile threats<\/a>.<\/p>\nIndicators of Compromise (IoCs):<\/strong><\/p>\nNetwork:<\/strong><\/p>\nhxxps:\/\/docsresearchgroup[.]com
http:\/\/37.235.54[.]59\/
http:\/\/91.215.85[.]55:85<\/pre>\nSample MD5s:<\/strong><\/p>\na4973b21e77726a88aca1b57af70cc0a
ed8ea4dc43da437f81bef8d5dc688bdb<\/pre>\nCollect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup ->\u00a0Try for free<\/a><\/code><\/strong><\/strong><\/p>\nThe post Android App With 220,000+ Downloads From Google Play Installs Banking Trojan<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
The app prompted users to download a fraudulent \u201cupdate\u201d masquerading as a necessary add-on upon installation. This update, hosted on GitHub repositories, contained the Anatsa banking trojan.<\/p>\n
Anatsa employs reflection-based code execution to dynamically load malicious Dalvik Executable (DEX) files, which evade static analysis tools by decrypting payloads only at runtime.\u00a0<\/p>\n
The malware performs anti-emulation checks to detect sandboxed environments, delaying malicious activity until it confirms a genuine device. Once active, it requests critical permissions, including:<\/p>\n
- \n
- \nAccessibility Services:<\/strong> To log keystrokes<\/a>, intercept SMS messages, and manipulate screen content.<\/li>\n
- \nSMS Access:<\/strong> To bypass two-factor authentication (2FA) mechanisms<\/li>\n<\/ul>\n
The trojan then establishes communication with command-and-control (C2) servers<\/a>, transmitting device metadata and receiving targeted banking app profiles.\u00a0<\/p>\n
For each detected financial app (e.g., PayPal, HSBC, Santander), Anatsa injects a counterfeit login overlay, capturing credentials directly from unsuspecting users.<\/p>\n
Anatsa\u2019s latest campaign has primarily targeted users in Europe, including Slovakia, Slovenia, and Czechia, though its infrastructure supports expansion into the U.S., South Korea, and Singapore.\u00a0<\/p>\n
The malware\u2019s target list encompasses over 600 banking and cryptocurrency apps, enabling threat actors to conduct on-device fraud (ODF) by initiating unauthorized transfers via automated transaction systems (ATS).<\/p>\n
\nMitigations<\/strong>\u00a0<\/h2>\n
To mitigate risks, users should:<\/p>\n
- \n
- \nAvoid sideloading:<\/strong> Disable \u201cInstall from unknown sources\u201d in device settings.<\/li>\n
- \nAudit app permissions:<\/strong> Revoke accessibility and SMS access for non-essential apps.<\/li>\n
- \nMonitor for updates:<\/strong> Legitimate apps update via official stores, not third-party links.<\/li>\n<\/ul>\n
The Anatsa campaign underscores persistent gaps in app store security, particularly regarding delayed payload attacks.\u00a0<\/p>\n
While Google has removed the identified dropper, similar threats remain prevalent, often exploiting file managers and utility apps to evade suspicion.\u00a0<\/p>\n
For end-users, vigilance and adherence to basic security hygiene remain critical defenses against evolving mobile threats<\/a>.<\/p>\n
Indicators of Compromise (IoCs):<\/strong><\/p>\n
Network:<\/strong><\/p>\n
hxxps:\/\/docsresearchgroup[.]com
http:\/\/37.235.54[.]59\/
http:\/\/91.215.85[.]55:85<\/pre>\nSample MD5s:<\/strong><\/p>\n
a4973b21e77726a88aca1b57af70cc0a
ed8ea4dc43da437f81bef8d5dc688bdb<\/pre>\nCollect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup ->\u00a0Try for free<\/a><\/code><\/strong><\/strong><\/p>\nThe post Android App With 220,000+ Downloads From Google Play Installs Banking Trojan<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
- \nAudit app permissions:<\/strong> Revoke accessibility and SMS access for non-essential apps.<\/li>\n
- \nSMS Access:<\/strong> To bypass two-factor authentication (2FA) mechanisms<\/li>\n<\/ul>\n