Banking Trojan Anatsa Lurks in 90+ Google Play Apps: 5.5 Million Downloads

Specialists at Zscaler have identified over 90 malicious applications on Google Play, designed to distribute malware and adware, including the banking trojan Anatsa. These applications have been downloaded more than 5.5 million times.

Description of Anatsa (Teabot)

Anatsa is a banking trojan targeting over 650 financial institution applications in Europe, the USA, the UK, and Asia. The trojan steals online banking credentials to carry out fraudulent transactions. Since late 2023, Anatsa has infected devices at least 150,000 times through Google Play, utilizing various productivity applications.

Spread of Anatsa via Google Play

According to Zscaler, Anatsa has returned to Google Play, spreading through two lure applications: “PDF Reader & File Manager” and “QR Reader & File Manager.” At the time of analysis, these applications had been installed 70,000 times, which shows how easily such lures can slip past Google’s review process.

Malware Delivery Mechanism

Anatsa employs a multi-stage payload delivery mechanism, involving four steps:

1. The application retrieves configuration and key strings from a C2 server.
2. A DEX file containing a malicious code dropper is downloaded and activated.
3. A configuration file with the URL of the Anatsa payload is downloaded.
4. The DEX file extracts and installs the malicious APK, completing the infection process.

Anti-Analysis and Protection

The DEX file performs anti-analysis checks so that the malware does not run in sandboxed or emulated environments. Once launched, Anatsa fetches its bot configuration and the results of its scan of installed applications, and then the injections (overlay code) tailored to the victim’s location and profile.

Other Malicious Applications

Over the past few months, Zscaler has discovered more than 90 malicious applications on Google Play, collectively installed 5.5 million times. Most of these masqueraded as personalization apps, photo utilities, productivity tools, and health and fitness applications.

The researchers did not disclose the names of all the applications, nor did they clarify whether they reported the campaign to Google. So far, two applications have been removed from Google Play.

According to Zscaler, a handful of malware families account for most of the activity: Joker, Facestealer, Anatsa, Coper, and various adware applications. Although Anatsa and Coper make up only 3% of the total malicious downloads, they are significantly more dangerous, as they can carry out fraudulent actions and steal sensitive information.

Recommendations for Users

When installing new applications from Google Play, always check the requested permissions and deny those associated with high-risk actions, such as access to accessibility services, SMS, and contact lists.
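As an added example (my own triage script, not Zscaler's tooling), the following turns the recommendation above into a check a defender can run against `adb shell dumpsys package <pkg>` output: it flags the high-risk permission groups the article names (SMS, contacts), adds REQUEST_INSTALL_PACKAGES because a dropper that installs a second APK needs it, and looks for a declared AccessibilityService, since accessibility access is enabled in Settings rather than requested as a permission. The dumpsys line formats and the sample dump are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Triage list is my own, built from the permission groups the article flags;
# REQUEST_INSTALL_PACKAGES is added because stage 4 of the delivery chain
# installs an APK, which a Play app cannot do without it.
HIGH_RISK = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install-apk",
}
# An accessibility service is exposed via this intent-filter action and shows
# up in dumpsys's Service Resolver Table, not in the permission lists.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

def parse_dumpsys(text: str) -> Dict[str, Optional[bool]]:
    """Map permission -> True/False (granted) or None (requested, undecided)."""
    perms: Dict[str, Optional[bool]] = {}
    for raw in text.splitlines():
        m = re.match(r"\s*(android\.permission\.\w+)(?::.*granted=(true|false))?", raw)
        if not m:
            continue
        name, granted = m.groups()
        if granted is not None:
            perms[name] = granted == "true"   # install/runtime section wins
        else:
            perms.setdefault(name, None)      # "requested permissions" entry
    return perms

def triage(text: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (identifier, risk group, granted) for every high-risk finding."""
    hits = [(n, HIGH_RISK[n], g) for n, g in parse_dumpsys(text).items() if n in HIGH_RISK]
    if ACCESSIBILITY_ACTION in text:
        hits.append((ACCESSIBILITY_ACTION, "accessibility", None))
    return sorted(hits)

# Constructed, shortened dump for a hypothetical lure app; not from a real device.
SAMPLE = """\
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.REQUEST_INSTALL_PACKAGES
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  runtime permissions:
    android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
  Service Resolver Table:
      Non-Data Actions:
          android.accessibilityservice.AccessibilityService:
"""

if __name__ == "__main__":
    for name, group, granted in triage(SAMPLE):
        print(f"{group:14} {name}  granted={granted}")
```

Any "install-apk" or "accessibility" hit on a PDF or QR reader is a strong reason to uninstall before granting anything further.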