A sophisticated Android banking trojan campaign leveraging a malicious file manager application accumulated over 220,000 downloads on the Google Play Store before its removal.
Dubbed Anatsa (also known as TeaBot), the malware targets global financial institutions through a multi-stage infection process. It deploys fake login overlays and abuses accessibility services to steal credentials and execute unauthorized transactions.
Anatsa’s Attack Chain
According to the Zscaler ThreatLabz post shared on X, the malicious app, disguised as a “File Manager and Document Reader,” functioned as a dropper, a seemingly benign application that retrieves and installs additional payloads from remote servers.
The app prompted users to download a fraudulent “update” masquerading as a necessary add-on upon installation. This update, hosted on GitHub repositories, contained the Anatsa banking trojan.
Anatsa employs reflection-based code execution to dynamically load malicious Dalvik Executable (DEX) files, which evade static analysis tools by decrypting payloads only at runtime.
The malware performs anti-emulation checks to detect sandboxed environments, delaying malicious activity until it confirms a genuine device. Once active, it requests critical permissions, including:
- Accessibility Services: To log keystrokes, intercept SMS messages, and manipulate screen content.
- SMS Access: To bypass two-factor authentication (2FA) mechanisms
The trojan then establishes communication with command-and-control (C2) servers, transmitting device metadata and receiving targeted banking app profiles.
For each detected financial app (e.g., PayPal, HSBC, Santander), Anatsa injects a counterfeit login overlay, capturing credentials directly from unsuspecting users.
Anatsa’s latest campaign has primarily targeted users in Europe, including Slovakia, Slovenia, and Czechia, though its infrastructure supports expansion into the U.S., South Korea, and Singapore.
The malware’s target list encompasses over 600 banking and cryptocurrency apps, enabling threat actors to conduct on-device fraud (ODF) by initiating unauthorized transfers via automated transaction systems (ATS).
Mitigations
To mitigate risks, users should:
- Avoid sideloading: Disable “Install from unknown sources” in device settings.
- Audit app permissions: Revoke accessibility and SMS access for non-essential apps.
- Monitor for updates: Legitimate apps update via official stores, not third-party links.
The Anatsa campaign underscores persistent gaps in app store security, particularly regarding delayed payload attacks.
While Google has removed the identified dropper, similar threats remain prevalent, often exploiting file managers and utility apps to evade suspicion.
For end-users, vigilance and adherence to basic security hygiene remain critical defenses against evolving mobile threats.
Indicators of Compromise (IoCs):
Network:
hxxps://docsresearchgroup[.]com
http://37.235.54[.]59/
http://91.215.85[.]55:85
Sample MD5s:
a4973b21e77726a88aca1b57af70cc0a
ed8ea4dc43da437f81bef8d5dc688bdb
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free