PDF, QR Reader Among Apps With Anatsa Banking Trojan; 5.5M Installs in 90 Malicious Apps on Google Play
AI Generated/Gio Farley

Over 90 malicious Android apps with a cumulative 5.5 million installs have been discovered on Google Play. Among these, the Anatsa banking trojan has seen a notable resurgence.

Anatsa, also known as "Teabot," is a sophisticated banking trojan targeting more than 650 financial applications across Europe, the United States, the United Kingdom, and Asia. Its primary objective is to steal e-banking credentials to facilitate fraudulent transactions.

In February 2024, cybersecurity firm ThreatFabric reported that Anatsa had infected at least 150,000 devices through various decoy apps categorized as productivity software since late the previous year. This trend has continued, with Zscaler identifying two new decoy apps on Google Play, 'PDF Reader & File Manager' and 'QR Reader & File Manager', which had collectively amassed 70,000 installations before being removed.

These findings underscore the ongoing challenges in securing app distribution platforms against sophisticated malware.

Multi-Stage Payload and Evasion Tactics

Anatsa's ability to evade detection is attributed to its multi-stage payload loading mechanism, which involves four distinct steps. Initially, the dropper app retrieves configuration data and essential strings from a command-and-control (C2) server. Next, a DEX file containing the malicious dropper code is downloaded and activated on the device. Following this, a configuration file with the Anatsa payload URL is fetched. Finally, the DEX file downloads and installs the malware payload (APK), completing the infection process.

In addition to its complex payload delivery, Anatsa performs rigorous anti-analysis checks to ensure it is not executed within sandbox or emulated environments. Once operational, the trojan uploads the bot configuration and app scan results to its C2 server. It then downloads injections tailored to the victim's location and profile, facilitating the theft of sensitive information and enabling on-device fraud.

Broader Threat Landscape on Google Play

Zscaler's report highlights a broader issue within the Google Play ecosystem, revealing the presence of over 90 malicious applications installed 5.5 million times over the past few months. These apps impersonate legitimate tools across various categories, including personalization, photography, productivity, and health & fitness.

The five prominent malware families identified in these malicious apps are Joker, Facestealer, Anatsa, Coper, and various adware strains. While Anatsa and Coper represent a smaller fraction (accounting for 3% of the total malicious downloads), they are notably more dangerous due to their capability to conduct on-device fraud and steal sensitive data.

Cybersecurity experts advise users to exercise caution when installing new apps from Google Play. Reviewing requested permissions and avoiding those associated with high-risk activities, such as Accessibility Service, SMS, and contact list access, can mitigate the risk of malware infections.
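The permission review recommended above can be automated for an app under analysis. The following is an added example, not code from the article or from Zscaler: it assumes a decoded text AndroidManifest.xml (as produced by a tool such as apktool) and flags the three high-risk capabilities named above (Accessibility Service binding, SMS, contacts). It goes one step beyond the advice by also flagging REQUEST_INSTALL_PACKAGES, the permission an app needs for the APK-install step of the dropper chain described earlier. The sample manifest is constructed for illustration and does not come from any real app.

```python
"""Triage a decoded AndroidManifest.xml for high-risk capabilities."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permission names mapped to the risk categories discussed in the article.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    # Needed to install a downloaded APK, i.e. the dropper's final stage.
    "android.permission.REQUEST_INSTALL_PACKAGES": "install",
}
# A service that binds to this permission is an Accessibility Service.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the high-risk permissions and accessibility services declared."""
    root = ET.fromstring(manifest_xml)
    findings = {"package": root.get("package", ""), "sms": [], "contacts": [],
                "install": [], "accessibility_services": []}
    for perm in root.iter("uses-permission"):
        category = HIGH_RISK_PERMISSIONS.get(perm.get(NAME_ATTR, ""))
        if category:
            findings[category].append(perm.get(NAME_ATTR))
    for service in root.iter("service"):
        if service.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND:
            findings["accessibility_services"].append(service.get(NAME_ATTR, ""))
    findings["high_risk"] = any(
        findings[k] for k in ("sms", "contacts", "install", "accessibility_services"))
    return findings


# Constructed sample: a supposed "PDF reader" with no legitimate need for any of this.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="PDF Reader">
        <service android:name=".helper.AccessService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit on any category is a reason to question whether the app's stated purpose justifies it, not proof of malice on its own.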

The researchers did not disclose the names of the 90+ malicious apps nor confirm if they had been reported to Google for takedown. However, the two Anatsa dropper apps identified by Zscaler have been removed from the Play Store.

The resurgence of the Anatsa banking trojan and the widespread presence of other malware families on Google Play underscore the persistent security challenges in app distribution platforms. As threat actors continue to devise sophisticated evasion tactics, both users and platform operators must remain vigilant. Users are encouraged to scrutinize app permissions and stay informed about potential threats to protect their devices and personal information from malicious actors.

© Copyright 2024 Mobile & Apps, All rights reserved. Do not reproduce without permission.