Security researchers have identified a sophisticated Android banking trojan campaign that accumulated over 220,000 downloads on the Google Play Store through a malicious file manager application. The malware, known as Anatsa or TeaBot, was discovered by ThreatLabz during routine analysis of Google Play offerings. The discovery comes amid Google’s ongoing efforts to combat malicious applications, which resulted in blocking 2.36 million harmful apps in 2024 alone.
The malicious application presented itself as a legitimate file management tool with document preview capabilities and cloud storage integration. The functionality enabled it to circumvent automated security checks during Google Play’s initial vetting process, demonstrating the evolving sophistication of mobile threats that Google’s SafetyCore initiative aims to address.
The Anatsa banking trojan operates by deploying overlay attacks and credential harvesting techniques. When users access banking applications, the malware displays counterfeit login screens that mirror legitimate interfaces. The captured credentials are subsequently transmitted to servers controlled by the attackers. The technique has become increasingly common, as noted in previous warnings about malicious apps targeting financial services.
The malware implements sophisticated evasion methods, including delayed payload activation and encrypted communication channels. After infection, it maintains persistence by repeatedly checking for accessibility service permissions and conceals itself using generic system application icons, similar to the techniques observed in the recent “ghost tapping” malware campaigns.
The attack chain begins when users install what appears to be a “File Manager and Document Reader.” The dropper application then prompts users to download a purported “update” hosted on GitHub repositories, which contains the actual Anatsa banking trojan. The malware uses reflection-based code execution to dynamically load malicious Dalvik Executable files, performing anti-emulation checks before activating its payload.
Once active, Anatsa requests critical permissions including Accessibility Services for keystroke logging and SMS access for intercepting two-factor authentication messages. The exploitation of SMS-based authentication comes as federal agencies warn against the vulnerabilities of SMS-based 2FA. The trojan establishes communication with command-and-control servers to receive targeted banking app profiles and deploy fake login overlays for various financial applications including PayPal, HSBC, and Santander.
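As an added illustration of how a defender might triage an app for the combination of behaviours described above (accessibility and SMS permissions, runtime loading of a downloaded DEX, reflection, emulator checks), here is a small scoring heuristic. It is example code written for this article, not a ThreatLabz or Google tool; the permission weights, threshold and the constructed sample inputs are assumptions.

```python
"""Triage heuristic for Anatsa-style droppers (added example, not from the
article or any vendor tool). Inputs are constructed: the permissions an app
declares and the class/API references found in its bytecode."""
from dataclasses import dataclass, field

# Permissions enabling overlays, credential theft and SMS 2FA interception.
HIGH_RISK_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_SMS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
}
# Bytecode references: runtime DEX loading, reflection, emulator probing.
CODE_INDICATORS = {
    "dalvik/system/DexClassLoader": 3,
    "java/lang/reflect/Method;->invoke": 2,
    "android/os/Build;->FINGERPRINT": 1,
}

@dataclass
class AppSample:
    package: str          # placeholder package name, constructed
    permissions: set
    code_refs: set
    hits: list = field(default_factory=list)

def score_app(app: AppSample) -> int:
    """Return a risk score and record the matched indicators in app.hits."""
    app.hits = []
    score = 0
    for perm, weight in HIGH_RISK_PERMISSIONS.items():
        if perm in app.permissions:
            score += weight
            app.hits.append(perm)
    for ref, weight in CODE_INDICATORS.items():
        if any(ref in r for r in app.code_refs):
            score += weight
            app.hits.append(ref)
    # Dynamic code loading plus SMS access is a pairing no document viewer
    # needs; weight the combination more than either indicator alone.
    if "dalvik/system/DexClassLoader" in app.hits and any(
            h.endswith("_SMS") for h in app.hits):
        score += 3
    return score

def verdict(app: AppSample, threshold: int = 8) -> str:
    return "suspicious" if score_app(app) >= threshold else "benign"
```

The threshold of 8 is an assumed tuning value; in practice it would be calibrated against a corpus of known-good file managers so that legitimate storage apps do not trip the SMS and overlay weights.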
Google removed the application within 48 hours of notification and initiated a mass uninstallation campaign for affected devices. Users who disabled automatic updates will need to manually remove the application. The swift response is consistent with Google's enhanced security measures and automated threat detection systems implemented in 2024.
The malware’s multilingual interface, supporting English, Spanish, German, and French, indicates a broad targeting strategy across multiple geographic regions with high mobile banking adoption rates. The development comes as financial institutions worldwide are strengthening their security measures, with some like the Bank of Thailand mandating biometric authentication for mobile banking transactions.
Sources: GBHackers, Cybersecurity News