
Android app with 220,000 downloads from Google Play installed a banking trojan

A sophisticated Android banking trojan campaign that abuses malicious file-manager apps collected over 220,000 downloads from the Google Play Store before it was removed.

The malware, known as Anatsa (also known as TeaBot), targets financial institutions worldwide through a multi-stage infection process. It presents fake login overlays and abuses accessibility services to steal credentials and carry out unauthorized transactions.

Anatsa's attack chain

According to a Zscaler ThreatLabz post shared on X, the app, disguised as a “file manager and document reader”, acted as a dropper: an apparently benign application that fetches and installs additional payloads from remote servers.

App disguised as a file manager and document reader

The app prompted users to download a fraudulent “update” posing as a required add-on during installation. This update, hosted in GitHub repositories, contained the Anatsa banking trojan.

Anatsa uses reflection-based code execution to dynamically load malicious Dalvik Executable (DEX) files, evading static analysis tools by decrypting payloads only at runtime.

The malware performs anti-emulation checks to detect sandbox environments and delays its malicious activity until it confirms it is running on a real device. Once active, it requests critical permissions, including:

  • Accessibility services: to log keystrokes, intercept SMS messages and manipulate on-screen content.
  • SMS access: to bypass two-factor authentication (2FA) mechanisms.

The trojan then establishes communication with command-and-control (C2) servers, transmits device metadata and receives profiles of the banking apps to target.

For each financial app it detects (e.g. PayPal, HSBC, Santander), Anatsa injects a fake login overlay and captures credentials directly from unsuspecting users.

Anatsa's latest campaign has mainly targeted Slovakia, Slovenia and the Czech Republic in Europe, although its infrastructure supports expansion to the USA, South Korea and Singapore.

The malware's target list comprises over 600 banking and cryptocurrency apps, enabling threat actors to carry out on-device fraud by initiating unauthorized transfers via automated transaction systems (ATS).

Mitigations

To mitigate the risk, users should:

  • Avoid sideloading: disable “Install unknown sources” in device settings.
  • Review app permissions: revoke accessibility and SMS access for non-essential apps.
  • Scrutinize updates: legitimate apps update through official stores, not via third-party links.
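The second recommendation (reviewing which apps hold accessibility access) can be turned into a repeatable check on a device connected via adb. The following Python script is an added example, not code from the article or from Zscaler's research. It assumes two adb output formats: `adb shell settings get secure enabled_accessibility_services` returns colon-separated `package/ServiceClass` entries (or `null` when none are enabled), and `adb shell pm list packages -3` prints one `package:<name>` line per user-installed app. The sample outputs, package names and allowlist below are constructed for illustration.

```python
"""Flag Android apps that hold accessibility access but are not on an allowlist.

Added example; assumes the adb output formats described in the lead-in.
Run the two adb commands and feed their output to find_suspicious_accessibility().
"""
from __future__ import annotations

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.docreader/.AccessibilityHelper"
)

# Constructed sample output of:
#   adb shell pm list packages -3   (third-party, i.e. user-installed, apps)
SAMPLE_THIRD_PARTY = """\
package:com.example.docreader
package:com.example.weather
"""

# Packages the organisation has reviewed and accepts as accessibility-service users
# (hypothetical allowlist; TalkBack is the stock screen reader).
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the secure setting into (package, fully qualified service class) pairs."""
    raw = raw.strip()
    if raw in ("", "null"):  # nothing enabled
        return []
    pairs: list[tuple[str, str]] = []
    for entry in raw.split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        # A leading "." means the class name is relative to the package.
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_third_party_packages(raw: str) -> set[str]:
    """Collect package names from 'package:<name>' lines."""
    return {
        line.split(":", 1)[1].strip()
        for line in raw.splitlines()
        if line.startswith("package:")
    }


def find_suspicious_accessibility(
    raw_services: str, raw_third_party: str, allowlist: set[str]
) -> list[dict[str, str]]:
    """Return every enabled accessibility service whose package is not allowlisted.

    A user-installed app holding accessibility access is the strongest signal,
    because that is the permission Anatsa abuses to read and manipulate the screen.
    """
    third_party = parse_third_party_packages(raw_third_party)
    findings = []
    for pkg, svc in parse_enabled_services(raw_services):
        if pkg in allowlist:
            continue
        reason = "third-party app" if pkg in third_party else "not on allowlist"
        findings.append({"package": pkg, "service": svc, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_accessibility(
        SAMPLE_ENABLED_SERVICES, SAMPLE_THIRD_PARTY, ACCESSIBILITY_ALLOWLIST
    ):
        print(f"{finding['package']} -> {finding['service']} ({finding['reason']})")
```

Any package reported here should be checked against what the app legitimately needs; a document reader or file manager has no reason to run an accessibility service. The same allowlist approach applies to SMS permissions, which Anatsa requests to intercept 2FA codes.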

The Anatsa campaign highlights persistent gaps in app store security, especially with regard to delayed-payload attacks.

While Google has removed the identified dropper, similar threats remain widespread and often pose as file managers and utility apps to avoid suspicion.

For end users, vigilance and adherence to basic security hygiene remain critical defenses against evolving mobile threats.

Indicators of compromise (IoCs):

Network:

hxxps://docsresearchgroup[.]com
http://37.235.54[.]59/
http://91.215.85[.]55:85

Sample MD5s:

a4973b21e77726a88aca1b57af70cc0a
ed8ea4dc43da437f81bef8d5dc688bdb
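The indicators above are published defanged (`hxxps`, `[.]`), so they have to be refanged before they can be compared against logs. The following Python script is an added example, not part of the article or of Zscaler's publication: it refangs the listed network IoCs, extracts their hosts, sweeps a proxy log for connections to them, and checks an APK hash inventory against the listed MD5s. The proxy log format (`timestamp client method url status`), the inventory format (`md5,package`), the client addresses and the package names are constructed for illustration; the IoC values themselves are the ones listed above.

```python
"""Sweep logs and an APK hash inventory for the published Anatsa IoCs.

Added example; log and inventory formats are assumptions (see lead-in).
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Network IoCs exactly as published (defanged).
DEFANGED_NETWORK_IOCS = [
    "hxxps://docsresearchgroup[.]com",
    "http://37.235.54[.]59/",
    "http://91.215.85[.]55:85",
]

# Sample MD5s exactly as published.
MD5_IOCS = {
    "a4973b21e77726a88aca1b57af70cc0a",
    "ed8ea4dc43da437f81bef8d5dc688bdb",
}

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2025-06-01T08:12:03Z 10.0.0.21 GET https://example.org/ 200
2025-06-01T08:12:09Z 10.0.0.21 GET http://37.235.54.59/ 200
2025-06-01T08:13:44Z 10.0.0.33 POST http://91.215.85.55:85/ 200
2025-06-01T08:15:01Z 10.0.0.40 GET https://docsresearchgroup.com/ 200
"""

# Constructed APK inventory (e.g. from an MDM export): "<md5>,<package>".
# The first entry deliberately reuses a published hash to show a hit.
SAMPLE_APK_INVENTORY = """\
ED8EA4DC43DA437F81BEF8D5DC688BDB,com.example.docreader
0123456789abcdef0123456789abcdef,com.example.weather
"""


def refang(ioc: str) -> str:
    """Undo the common defanging conventions used in threat reports."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def ioc_hosts(defanged_iocs: list[str]) -> set[str]:
    """Return the lower-cased hostnames/IPs of the refanged URL IoCs."""
    hosts = set()
    for ioc in defanged_iocs:
        host = urlsplit(refang(ioc)).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def match_network(log_text: str, defanged_iocs: list[str]) -> list[dict[str, str]]:
    """Return log entries whose URL host is one of the IoC hosts (any port, any path)."""
    hosts = ioc_hosts(defanged_iocs)
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        timestamp, client, _method, url = fields[:4]
        host = urlsplit(url).hostname
        if host and host.lower() in hosts:
            hits.append({"timestamp": timestamp, "client": client,
                         "host": host.lower(), "url": url})
    return hits


def match_hashes(inventory_text: str, md5_iocs: set[str]) -> list[dict[str, str]]:
    """Return inventory rows whose MD5 (compared case-insensitively) is a known IoC."""
    wanted = {h.lower() for h in md5_iocs}
    hits = []
    for line in inventory_text.splitlines():
        if "," not in line:
            continue
        md5, package = (part.strip() for part in line.split(",", 1))
        if md5.lower() in wanted:
            hits.append({"md5": md5.lower(), "package": package})
    return hits


if __name__ == "__main__":
    for hit in match_network(SAMPLE_PROXY_LOG, DEFANGED_NETWORK_IOCS):
        print(f"{hit['timestamp']} {hit['client']} contacted {hit['host']}")
    for hit in match_hashes(SAMPLE_APK_INVENTORY, MD5_IOCS):
        print(f"known-bad APK {hit['md5']} installed as {hit['package']}")
```

Matching on the host rather than the full URL is deliberate: the dropper fetches its payload from paths that change between campaigns, while the hosting infrastructure is what the report identifies. A hash hit identifies only the exact sample; repackaged variants will have different MD5s, so the network and permission checks remain the more durable signals.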
