The Anatsa banking trojan, also known as TeaBot, continues to evolve as one of the most sophisticated Android malware threats targeting financial institutions worldwide.
First discovered in 2020, this malicious software has demonstrated remarkable persistence in infiltrating Android devices through the official Google Play Store, where it masquerades as legitimate document reading applications to steal user credentials and monitor keystrokes.
The malware employs a sophisticated dropper technique, distributing seemingly benign applications through Google’s official marketplace that appear as standard file managers or document readers.
Once installed, these decoy applications silently download malicious payloads disguised as routine software updates from command-and-control servers, effectively bypassing Google Play Store security mechanisms.
The latest campaigns have significantly expanded Anatsa’s reach to target over 831 financial institutions across multiple continents, including newly added regions such as Germany and South Korea, alongside numerous cryptocurrency platforms.
Zscaler analysts identified that many of these malicious decoy applications have individually exceeded 50,000 downloads, contributing to a broader ecosystem where 77 malicious applications from various malware families have collectively achieved over 19 million installations.
The researchers noted that Anatsa has streamlined its payload delivery mechanism by replacing dynamic code loading of remote Dalvik Executable (DEX) files with direct installation of the core malicious payload.
Advanced Evasion and Persistence Mechanisms
The current Anatsa variant implements sophisticated anti-analysis techniques that significantly enhance its detection evasion capabilities.
The malware now employs DES (Data Encryption Standard) runtime decryption, dynamically generating DES keys to decrypt each string during execution, making static analysis considerably more challenging for security researchers.
The malware also utilizes corrupted ZIP archives with invalid compression and encryption flags to conceal DEX files, which are loaded at runtime. This technique exploits weaknesses in the standard ZIP header validation used by analysis tools while remaining compatible with Android devices, which tolerate the malformed headers.
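Because Android tolerates headers that standard ZIP tooling rejects, an analyst-side check is to walk the local-file headers directly rather than trusting a library's view of the archive. The following is an added example, not Zscaler's or the malware's code: it flags entries whose header has the encryption bit set or a compression method outside stored/deflate; the sample archive, the patched values and the accepted-method set are constructed assumptions.

```python
"""Flag APK/ZIP entries whose local-file headers carry compression or
encryption flags that standard tools reject (added example; the sample
archive below is constructed, not a real Anatsa dropper)."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_HDR = "<4sHHHHHIIIHH"   # sig, ver, flags, method, time, date, crc, csize, usize, nlen, elen
VALID_METHODS = {0, 8}        # stored and deflate; assumption: the methods an APK loader expects


def scan_local_headers(data: bytes) -> list:
    """Walk every local-file header and report entries with suspicious flags.
    Scanning by signature (not via the central directory) is deliberate: the
    trick described above lives in the local headers that tools skip."""
    findings = []
    pos = 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        _, _, flags, method, _, _, _, _, _, nlen, elen = struct.unpack_from(LOCAL_HDR, data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        reasons = []
        if flags & 0x0001:                      # general-purpose bit 0: entry claims to be encrypted
            reasons.append("encryption flag set")
        if method not in VALID_METHODS:
            reasons.append(f"unsupported compression method {method}")
        if reasons:
            findings.append((name, reasons))
        pos += 30 + nlen + elen                 # continue after the header; data is skipped by find()
    return findings


def build_sample() -> bytes:
    """Constructed APK-like archive: one clean entry plus a classes.dex whose
    local header is patched with the encryption bit and a bogus method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    data = bytearray(buf.getvalue())
    hdr = data.find(b"classes.dex") - 30        # first occurrence is the local header's name field
    struct.pack_into("<HH", data, hdr + 6, 0x0001, 0x0007)  # flags, method (assumed bogus values)
    return bytes(data)


if __name__ == "__main__":
    for name, reasons in scan_local_headers(build_sample()):
        print(f"{name}: {', '.join(reasons)}")
```

Run the same scan over an extracted APK to see which entries an analysis tool would choke on; a clean archive yields an empty list.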
Once successfully installed, Anatsa requests accessibility permissions and automatically enables critical system privileges including SYSTEM_ALERT_WINDOW, READ_SMS, and USE_FULL_SCREEN_INTENT.
Communication with command-and-control servers occurs through encrypted channels using a single-byte XOR encryption key (decimal value 66, 0x42), with the malware maintaining connections to multiple C2 domains including 185.215.113.108:85 and 193.24.123.18:85 for redundancy and persistence.