
Unmasking the New Wave of Anatsa Malware on Google Play Store: A Threat to Financial Security

Researchers at Zscaler ThreatLabz have reported a new wave of Anatsa (also known as TeaBot) banking-trojan campaigns distributed through the Google Play Store. The latest variant is notably more sophisticated than its predecessors and targets over 831 financial institutions worldwide, including banks and cryptocurrency platforms.

The operators use seemingly harmless document reader apps published on the Play Store as droppers. Once installed, these apps quietly fetch the Anatsa payload from attacker-controlled servers. Some of the dropper apps reached over 50,000 downloads before they were flagged and removed.

Suspicious Android Document Reader Apps Disguised as Legitimate Software

Technical Advancements of Anatsa Malware

The most recent Anatsa campaign incorporates advanced anti-analysis techniques:

  • Strings are decrypted at runtime with a DES key that is derived dynamically rather than stored as a constant, so the strings cannot be recovered by simply scanning the APK, which complicates static analysis.
  • The malware performs device checks and emulator detection to evade sandbox analysis.
  • On devices it judges unsuitable (for example, an emulator), the app falls back to showing a plain file manager view so that it still appears legitimate.

Unlike earlier versions, which loaded the payload as a remotely fetched DEX file at runtime, this variant installs its payload directly, which makes the infection more reliable. The operators also rotate package names and file hashes frequently, so signature-based detection of any single sample is short-lived.

After installation, the payload asks the user to enable its accessibility service. Once that service is enabled, the malware can drive the system permission dialogs itself and grant further permissions without user interaction, including READ_SMS and RECEIVE_SMS (used to intercept one-time passcodes sent by SMS) and SYSTEM_ALERT_WINDOW (the overlay permission used to draw fake login screens on top of other apps).
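The combination described above (an enabled accessibility service plus SMS and overlay permissions on the same package) is something an analyst can check for on a device with adb. The following script is an added example, not Zscaler's tooling or Anatsa code: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`, and flags packages that hold the risky combination. The sample outputs and the package name `com.example.docreader` are constructed to mimic the real formats.

```python
"""Flag packages that combine an enabled accessibility service with SMS and
overlay permissions.  Added example; the adb output below is constructed and
the dropper package name is hypothetical."""
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# (colon-separated list of ComponentName strings "package/service_class")
ENABLED_A11Y = (
    "com.example.docreader/.ReaderAccessibilityService:"
    "com.android.talkback/.TalkBackService"
)

# Constructed excerpt of: adb shell dumpsys package com.example.docreader
DUMPSYS_DROPPER = """Package [com.example.docreader] (1a2b3c4):
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=false, flags=[ USER_SET ]
"""

# Constructed excerpt for a benign screen reader: a11y enabled, no SMS/overlay grants
DUMPSYS_TALKBACK = """Package [com.android.talkback] (5d6e7f8):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
"""

# The permission set Anatsa grants itself once its accessibility service is on
RISKY = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+): granted=(true|false)")


def enabled_a11y_packages(setting: str) -> set:
    """Package names that currently have an accessibility service enabled."""
    return {entry.split("/")[0] for entry in setting.split(":") if entry}


def granted_permissions(dumpsys_text: str) -> set:
    """All permissions (install or runtime) reported as granted=true."""
    return {name for name, state in PERM_RE.findall(dumpsys_text) if state == "true"}


def assess(package: str, a11y_setting: str, dumpsys_text: str) -> dict:
    """Report whether a package holds accessibility plus >= 2 of the risky grants.

    Two risky grants are required so that an SMS app with overlay permission,
    or an accessibility app with one stray grant, does not trip the check."""
    has_a11y = package in enabled_a11y_packages(a11y_setting)
    risky = sorted(RISKY & granted_permissions(dumpsys_text))
    return {
        "package": package,
        "accessibility_enabled": has_a11y,
        "risky_granted": risky,
        "suspicious": has_a11y and len(risky) >= 2,
    }


if __name__ == "__main__":
    for pkg, dump in (("com.example.docreader", DUMPSYS_DROPPER),
                      ("com.android.talkback", DUMPSYS_TALKBACK)):
        print(assess(pkg, ENABLED_A11Y, dump))
```

On a real device, pipe the two adb commands into these functions for every package listed by `adb shell pm list packages -3`; a legitimate document reader has no reason to hold any of the three grants, let alone an accessibility service.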

Traffic to the command-and-control servers is obscured with a simple XOR scheme rather than real encryption. Through this channel the malware receives overlay pages that closely mimic the login screens of the targeted banking apps; when a victim opens one of those apps, the fake screen is drawn over it and captures the entered credentials, which are then sent back to the attackers.
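Why "basic XOR" is obfuscation rather than encryption, and why it helps the analyst: with a fixed repeating key, a single known plaintext (for example the opening of a JSON beacon) recovers the key, and that key then decodes every other captured message. The following is an added example, not Anatsa's actual protocol; the key, the beacon fields and the captured bytes are all constructed.

```python
"""Repeating-key XOR C2 obfuscation and known-plaintext key recovery.
Added example; the key, beacon format and field names are constructed and
do not describe Anatsa's real protocol."""
import json
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 32):
    """Recover a repeating XOR key from a known plaintext prefix.

    ciphertext XOR plaintext gives the keystream at those offsets; the shortest
    period that the keystream repeats with is the key.  A full repetition is
    required (2 * n <= len(stream)) so a too-short crib returns None instead
    of a bogus key."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    for n in range(1, max_key_len + 1):
        if 2 * n > len(stream):
            break
        key = stream[:n]
        if all(stream[i] == key[i % n] for i in range(len(stream))):
            return key
    return None


def decode_capture(captured: bytes, known_prefix: bytes = b'{"device":"'):
    """Decode a captured C2 message given only the known JSON prefix."""
    key = recover_key(captured, known_prefix)
    if key is None:
        return None
    return json.loads(xor_bytes(captured, key))


# Constructed: a hypothetical 4-byte key and a device-registration beacon
KEY = bytes.fromhex("5a13a70c")
BEACON = {
    "device": "Pixel 7",
    "pkg": "com.example.docreader",
    "targets": ["com.bank.example"],
}
# What a proxy or pcap would show on the wire
CAPTURED = xor_bytes(json.dumps(BEACON, separators=(",", ":")).encode(), KEY)


if __name__ == "__main__":
    print("captured:", CAPTURED.hex())
    print("key     :", recover_key(CAPTURED, b'{"device":"').hex())
    print("beacon  :", decode_capture(CAPTURED))
```

The same recovered key decodes the overlay pages the server returns, because a fixed-key XOR stream has no per-message secret; this is also why a network signature can key on the XOR-encoded form of a constant header once the key is known for a sample.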

Beyond Anatsa, Zscaler's researchers identified 77 other malicious apps across several malware families, collectively amassing over 19 million installs. Banking trojans such as Anatsa and adware are on the rise, while older families such as Facestealer and Coper have declined.

The report underscores that malware continues to get past Google Play's review and Play Protect. Users should scrutinise the permissions an app requests, be especially wary of any app that asks to enable an accessibility service without an accessibility purpose, avoid apps from unknown developers, and keep their devices updated with the latest security patches.
