The Zscaler ThreatLabz team has uncovered significant advancements in the Anatsa malware, also known as TeaBot, an Android banking trojan that has been active since 2020.
Originally designed for credential theft, keylogging, and facilitating fraudulent transactions, Anatsa has evolved into a more sophisticated threat, now targeting over 831 financial institutions worldwide.
This expansion includes new regions such as Germany and South Korea, along with cryptocurrency platforms, marking a substantial increase from its previous scope of around 650 targets primarily in Europe, the US, and the UK.
Evolution of a Persistent Banking Trojan
Threat actors behind Anatsa employ decoy applications disguised as benign tools like document readers or file managers, distributed through the Google Play Store.
These droppers appear legitimate upon installation but covertly fetch malicious payloads from command-and-control (C2) servers, masquerading as updates to evade Google’s detection mechanisms.
In a notable shift from earlier variants, the latest Anatsa streamlines payload delivery by abandoning dynamic code loading of remote Dalvik Executable (DEX) files in favor of direct installation, enhancing efficiency and stealth.
Furthermore, it incorporates runtime decryption using the Data Encryption Standard (DES) with dynamically generated keys, rendering strings resistant to static analysis.
Device-specific restrictions and emulation checks are also implemented to thwart dynamic analysis environments, ensuring the malware only activates on genuine, targeted devices.
If checks fail, the app reverts to a harmless file manager interface, maintaining its facade.
Enhanced Evasion Tactics
Delving deeper into its technical makeup, Anatsa now features anti-analysis enhancements, including a corrupted APK ZIP archive with invalid compression and encryption flags that confound standard static analysis tools reliant on Java ZIP header validations.

Despite this malformation, the APK executes seamlessly on standard Android devices. The core payload, hidden within a JSON file that’s dynamically dropped and deleted post-loading, includes an updated keylogger variant.
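The header malformation described above can be checked for directly in triage. The following is an added example (not ThreatLabz's code and not taken from an Anatsa sample): it walks an APK's ZIP central directory and flags any entry whose compression method is neither stored nor deflate or whose encryption bit is set, and it builds a constructed archive with exactly that tampering so the check can be exercised offline.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"          # end-of-central-directory record
CDH_SIG = b"PK\x01\x02"           # central-directory file header
CDH_FMT = "<4sHHHHHHIIIHHHHHII"   # 46-byte fixed part of that header
VALID_METHODS = {0, 8}            # stored / deflate: all a well-formed APK needs

def scan_apk_headers(data: bytes) -> list:
    """Report every central-directory entry whose compression method is not
    stored/deflate or whose general-purpose encryption bit (bit 0) is set."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_off, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    findings, pos = [], cd_off
    for _ in range(count):
        hdr = struct.unpack(CDH_FMT, data[pos:pos + 46])
        if hdr[0] != CDH_SIG:
            raise ValueError(f"bad central-directory signature at offset {pos:#x}")
        flags, method, name_len, extra_len, comment_len = hdr[3], hdr[4], hdr[10], hdr[11], hdr[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        problems = []
        if method not in VALID_METHODS:
            problems.append(f"unsupported compression method {method:#06x}")
        if flags & 0x0001:
            problems.append("encryption flag set")
        if problems:
            findings.append({"name": name, "flags": flags, "method": method, "problems": problems})
        pos += 46 + name_len + extra_len + comment_len
    return findings

def build_sample(tamper: bool = True) -> bytes:
    """Constructed sample archive (not a real Anatsa APK). With tamper=True the
    central-directory header of classes.dex gets a bogus compression method and
    the encryption bit, mimicking the malformation the report describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 50)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
        zf.writestr("res/raw/config.json", b"{}")
    data = bytearray(buf.getvalue())
    if tamper:
        cd_off = struct.unpack_from("<I", data, data.rfind(EOCD_SIG) + 16)[0]
        hdr = data.find(b"classes.dex", cd_off) - 46            # that entry's header start
        struct.pack_into("<HH", data, hdr + 8, 0x0001, 0x7777)  # flags, then method
    return bytes(data)

if __name__ == "__main__":
    for f in scan_apk_headers(build_sample()):
        print(f"{f['name']}: " + "; ".join(f["problems"]))
```

Run the scanner over a suspect APK's bytes; a hit on classes.dex or a resource file is worth a closer look, since a legitimate build tool has no reason to emit either anomaly.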
Upon installation, Anatsa prompts for accessibility permissions, which, if granted, auto-enable critical manifest permissions like SYSTEM_ALERT_WINDOW, READ_SMS, RECEIVE_SMS, and USE_FULL_SCREEN_INTENT.
Communications with C2 servers are encrypted via a simple single-byte XOR key (decimal 66), transmitting configuration data in JSON format that includes domain lists, version details for injects and keyloggers, and command sets.
The malware exfiltrates credentials by overlaying fake login pages tailored to detected banking apps, downloaded from C2 servers.
Analysis reveals that while Anatsa targets 831 apps for keylogging, many injection pages remain incomplete or under development, such as a placeholder maintenance message for the Robinhood app.
Package names and installation hashes are frequently rotated to avoid pattern-based detection across infected systems. Many decoy apps have surpassed 50,000 downloads individually, amplifying the threat’s reach.
Beyond Anatsa, ThreatLabz reported 77 malicious apps from diverse families to Google, amassing over 19 million installs collectively.
Trends indicate a surge in adware alongside trojans like Joker, Harly, and Anatsa, while families such as Facestealer and Coper decline.
Common decoy categories include productivity tools, file managers, and entertainment apps, exploited for malware distribution.
Anatsa’s anti-analysis refinements and expanded targeting underscore the escalating risks to Android users, emphasizing the need for vigilant permission reviews and alignment with app functionality.
Indicators of Compromise (IoCs)
| Package Name | MD5 | Command-and-Control (C2) |
|---|---|---|
| com.synexa.fileops.fileedge_organizerviewer | 5f85261cf55ed10e73c9b68128092e70 | hxxps[://]saurkanot[.]com/policy[.]html; hxxps[://]saurkanot[.]com/privacy[.]html |
| com.trend.bid | 9b6e5703bb0dc0ce8aa98281d0821642 | hxxp[://]185[.]215[.]113[.]108:85/api/; hxxp[://]193[.]24[.]123[.]18:85/api/; hxxp[://]162[.]252[.]173[.]37:85/api/ |
| com.applicationsresearchgroup.docxploremanagerviewer | a4973b21e77726a88aca1b57af70cc0a | hxxps[://]docsresearchgroup[.]com/ |
| com.mvivhzsmq.gqrzqsubj | ed8ea4dc43da437f81bef8d5dc688bdb | hxxp[://]37[.]235[.]54[.]59/; hxxp[://]91[.]215[.]85[.]55:85; hxxp[://]185[.]215[.]113[.]108:85 |