A new report from Zscaler’s ThreatLabz has revealed a widespread malware campaign on the Google Play Store, uncovering 77 malicious Android applications with a staggering combined total of over 19 million installations. While investigating infections from the Anatsa (TeaBot) banking trojan, researchers found these apps were acting as droppers, a type of malware that appears benign but is designed to download and install a more dangerous payload. These apps, many of which had been downloaded tens of thousands of times, were not only spreading Anatsa but also delivering other malware families, such as Joker and Harly, indicating a broad and coordinated effort to infect Android devices.
The most concerning of these threats is the Anatsa banking trojan, a sophisticated piece of malware that has been active since 2020. This latest variant has significantly expanded its reach, now targeting over 831 financial institutions globally, including traditional banks, fintech services, and cryptocurrency platforms. Its geographical scope has also grown to include new regions like Germany and South Korea. Anatsa’s evolution makes it a more formidable threat than previous versions, as it no longer relies on dynamic code loading, instead directly installing its malicious payload to bypass security measures.
Anatsa’s developers have also implemented a range of advanced anti-analysis techniques to make detection more difficult. The trojan uses dynamic string decryption with a unique Data Encryption Standard (DES) key, which helps it resist static analysis tools. Furthermore, it incorporates emulation checks and device model verification to detect and evade dynamic analysis environments used by security researchers. These methods allow the malicious apps to maintain the appearance of a legitimate application, such as a file manager, until the conditions are right to deploy the Anatsa payload. If the conditions aren’t met, the app simply displays its fake interface and does nothing malicious, remaining undetected.
Once a device is successfully infected, Anatsa requests dangerous permissions, particularly Accessibility permissions, which it then uses to auto-enable other privileges. It establishes a hidden communication channel with its command-and-control (C2) server using XOR encryption. The core malicious function is its ability to capture banking credentials by overlaying fake login pages on top of legitimate banking applications when they are opened. The malware has specific templates for hundreds of financial apps, though some of these injection templates remain incomplete, showing that the malware is still under active development and improvement.
The Zscaler report highlights a disturbing trend of increasing malware on the Google Play Store. Alongside the Anatsa banking trojan, there has been a notable rise in other malware and adware families. This underscores the need for Android users to remain vigilant. Experts advise users to always verify the permissions an application requests and ensure they are necessary for the app’s functionality. For example, a simple file manager app has no legitimate reason to request access to your banking information. By exercising caution and checking app details and reviews, users can significantly reduce their risk of falling victim to such malicious campaigns.
Reference:
