Anatsa Android Trojan Expands Its Global Reach and Targets 831 Financial Apps
Researchers at Zscaler ThreatLabz have released a new report on the evolution of the banking trojan Anatsa (also known as TeaBot), first discovered in 2020. This malware targets Android devices and is designed to steal credentials, intercept keystrokes, and execute fraudulent transactions. In recent months, its capabilities have expanded significantly, while the geographical scope of its attacks has widened to include new countries and services, among them cryptocurrency platforms.
Whereas in previous campaigns Anatsa had targeted over 650 financial institutions, the number of targeted institutions has now surpassed 831, including banks in Germany and South Korea. The malware continues to spread primarily through malicious applications distributed via Google Play, disguised as seemingly harmless tools such as “document readers.” Once installed, these apps connect to a command-and-control (C2) server and fetch the malicious payload under the guise of an update, bypassing the store’s security mechanisms.
The latest version no longer relies on dynamically loading remote DEX modules, instead installing its malicious component directly. The code incorporates anti-analysis measures: strings are encrypted with the DES algorithm and decrypted in memory on the fly, complicating static inspection. The trojan also checks device models and environmental conditions to detect execution within emulators or sandboxes. If no suspicious signs are found and the server is reachable, the main module is downloaded; otherwise, the user is shown an interface resembling a simple file manager.
The developers have gone further, employing obfuscation through corrupted ZIP archives. Within the APK, the DEX file is stored with invalid compression and encryption flags, preventing standard analysis tools from processing its contents correctly. On real devices, however, the app executes without issue. In addition, Anatsa uses popular APK packers and deletes temporary files immediately after launch.
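The ZIP trick described above is something an analyst can check for before handing an APK to tooling that may choke on it. The following is an added example, not code from the Zscaler report or from any Anatsa sample: it walks an archive's central directory and each entry's local file header using only the standard library and flags the anomalies the report names (the encryption bit set on an entry, a compression method Android's runtime does not use, and a local header that disagrees with the central directory). The two-entry sample archive is constructed inline and tampered the same way, so the script runs offline; the file names and the bogus method value 99 are assumptions for the demonstration.

```python
"""Static check for malformed ZIP entries inside an APK (added example)."""
import io
import struct
import zipfile

LOCAL_SIG = 0x04034B50
CENTRAL_SIG = 0x02014B50
END_SIG = 0x06054B50

# Android's zip reader only accepts STORED (0) and DEFLATE (8) entries.
ANDROID_METHODS = {0, 8}
FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0


def parse_central_directory(data: bytes) -> list:
    """Return one dict per central-directory entry (name, flags, method, offsets)."""
    eocd = data.rfind(struct.pack("<I", END_SIG))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd_disk, entries_here, entries_total, cd_size, cd_offset, comment_len
    _, _, _, _, total, _cd_size, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    entries = []
    pos = cd_offset
    for _ in range(total):
        (sig, _vmade, _vneed, flags, method, _t, _d, crc, csize, usize,
         name_len, extra_len, comment_len, _disk, _iattr, _eattr,
         local_off) = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, pos)
        if sig != CENTRAL_SIG:
            raise ValueError(f"bad central-directory signature at {pos:#x}")
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "flags": flags, "method": method, "crc": crc,
                        "csize": csize, "usize": usize, "local_off": local_off})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def parse_local_header(data: bytes, off: int) -> dict:
    """Parse the 30-byte local file header that precedes an entry's data."""
    (sig, _vneed, flags, method, _t, _d, crc, csize, usize,
     name_len, _extra_len) = struct.unpack_from("<IHHHHHIIIHH", data, off)
    if sig != LOCAL_SIG:
        raise ValueError(f"bad local header signature at {off:#x}")
    name = data[off + 30:off + 30 + name_len].decode("utf-8", "replace")
    return {"name": name, "flags": flags, "method": method, "crc": crc,
            "csize": csize, "usize": usize}


def scan_apk(data: bytes) -> dict:
    """Map entry name -> list of anomalies; an empty dict means nothing suspicious."""
    findings = {}
    for cd in parse_central_directory(data):
        local = parse_local_header(data, cd["local_off"])
        issues = []
        for where, hdr in (("central directory", cd), ("local header", local)):
            if hdr["flags"] & FLAG_ENCRYPTED:
                issues.append(f"encryption flag set in {where}")
            if hdr["method"] not in ANDROID_METHODS:
                issues.append(f"compression method {hdr['method']} in {where} is not STORED/DEFLATE")
        if (cd["flags"], cd["method"]) != (local["flags"], local["method"]):
            issues.append("local header disagrees with central directory")
        if issues:
            findings[cd["name"]] = issues
    return findings


def build_sample_apk(tamper: bool = True) -> bytes:
    """Constructed sample archive; with tamper=True the classes.dex local header
    gets the encryption bit set and an invalid compression method (99)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32, compress_type=zipfile.ZIP_STORED)
    data = bytearray(buf.getvalue())
    if tamper:
        for entry in parse_central_directory(bytes(data)):
            if entry["name"] == "classes.dex":
                off = entry["local_off"]
                struct.pack_into("<H", data, off + 6, entry["flags"] | FLAG_ENCRYPTED)
                struct.pack_into("<H", data, off + 8, 99)
    return bytes(data)


if __name__ == "__main__":
    for name, issues in scan_apk(build_sample_apk()).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Because the check reads both headers independently, it does not depend on which one a given tool trusts; a mismatch between the two is itself worth a look, since a well-formed build tool never produces one.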
Once installed, the trojan requests accessibility permissions. If granted, it silently activates additional rights, including reading and receiving SMS messages, overlaying windows, and enabling full-screen notifications. This allows it to intercept one-time passcodes, display fake login forms, and gain deeper control over device activity. Communication with its C2 server is obfuscated with a simple XOR key, while commands are delivered in JSON format. Configuration files include target lists, keylogger versions, inject modules, and associated domains.
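When C2 traffic is only XOR-obfuscated and the plaintext is JSON, an analyst looking at a captured blob does not need the key in advance: the structure of the plaintext validates the guess. The following added example (not from the report, and not Anatsa's own protocol) assumes a single-byte key, brute-forces all 256 candidates and keeps the first one that decodes to a JSON object. The captured blob is constructed inline from a made-up command object and key; a longer repeating key would need a per-position search, which this example does not do.

```python
"""Recover a single-byte XOR key from a captured JSON C2 message (added example)."""
import json
from typing import Optional, Tuple


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def try_decode(blob: bytes, key: bytes) -> Optional[dict]:
    """Return the parsed JSON object if blob XOR key is valid UTF-8 JSON, else None."""
    try:
        obj = json.loads(xor_bytes(blob, key).decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def recover_single_byte_key(blob: bytes) -> Tuple[Optional[int], Optional[dict]]:
    """Try every single-byte key; the JSON parser acts as the plaintext oracle."""
    for k in range(256):
        obj = try_decode(blob, bytes([k]))
        if obj is not None:
            return k, obj
    return None, None


# Constructed sample: a made-up command object obfuscated with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_COMMAND = {"command": "ping", "id": 1}
CAPTURED_BLOB = xor_bytes(json.dumps(SAMPLE_COMMAND).encode("utf-8"), bytes([SAMPLE_KEY]))


if __name__ == "__main__":
    key, obj = recover_single_byte_key(CAPTURED_BLOB)
    print(f"key=0x{key:02x} message={obj}")
```

In a detection pipeline the same oracle works in reverse: a flow whose body becomes valid JSON under some single-byte key, to a host that is not a known API, is a cheap and specific signal to alert on.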
The primary method of credential theft remains the injection of fake login screens into mobile banking applications. The trojan fetches HTML templates from its server and presents them to the victim, perfectly imitating the authentication page of a targeted bank or crypto service. Some of these templates are still under development — as seen in the Robinhood example, where instead of a login form, users encountered a placeholder message about “technical maintenance.”
The scale of the campaign is striking. Some counterfeit apps have amassed over 50,000 downloads. Parallel research uncovered another 77 malicious applications from different malware families on Google Play, collectively installed more than 19 million times. The most prevalent families remain Anatsa, Joker, and Harly, while activity linked to Facestealer and Coper appears to be waning. Attackers most often disguise their droppers as office tools, system utilities, or media apps, categories that continue to attract unsuspecting users.
The findings underscore how Anatsa continues to evolve, adopting new anti-analysis techniques while broadening its reach across financial and crypto platforms. This case once again highlights a sobering reality: even apps downloaded from the official Google Play Store may pose severe risks if users fail to scrutinize requested permissions and verify their origins.