Researchers have observed a significant increase in attempts to spread the Anatsa Banking Trojan under the veil of legitimate-looking PDF and QR code reader apps on the Google Play store.
Also known as TeaBot, the malware employs dropper applications that appear harmless to users, deceiving them into unwittingly installing the malicious payload, said researchers at cybersecurity firm Zscaler.
Once installed, Anatsa extracts sensitive banking credentials and financial information from various global financial applications. It achieves this through overlay and accessibility techniques, allowing it to discreetly intercept and collect data.
Distribution and Impact of Anatsa Banking Trojan
Two malicious payloads linked to Anatsa were found in the Google Play store, distributed by threat actors. The campaign impersonated PDF reader and QR code reader applications to attract numerous installations. The high number of installations, which had surpassed 70,000 at the time of analysis, further convinced victims of the applications’ legitimacy.
Anatsa employs remote payloads retrieved from Command and Control (C&C) servers to perform additional malicious activities. The dropper application contains encoded links to remote servers, from which the subsequent stage payload is downloaded. Along with the payload, the malware fetches a configuration file from the remote server to execute the next stage of the attack.
Anatsa Infection Steps
The Anatsa banking trojan works by employing a dropper application and executing a payload to launch its malicious activities.
Dropper Application:
- The fake QR code application downloads and loads the DEX file.
- The application uses reflection to invoke code from the loaded DEX file.
- Configuration for loading the DEX file is downloaded from the C&C server.
Payload Execution:
- After downloading the next stage payload, Anatsa performs checks on the device environment to detect analysis environments and malware sandboxes.
- Upon successful verification, it downloads the third and final stage payload from the remote server.
Malicious Activities:
- The malware injects uncompressed raw manifest data into the APK, deliberately corrupting the compression parameters in the manifest file to hinder analysis.
- Upon execution, the malware decodes all encoded strings, including those for C&C communication.
- It connects with the C&C server to register the infected device and retrieve a list of targeted applications for code injections.
Data Theft:
- After receiving a list of package names for financial applications, Anatsa scans the device for these applications.
- If a targeted application is found, Anatsa communicates this to the C&C server.
- The C&C server then supplies a counterfeit login page for the banking operation.
- This fake login page, displayed within a JavaScript Interface (JSI) enabled web view, tricks users into entering their banking credentials, which are then transmitted back to the C&C server.
The Anatsa banking trojan is increasing in prevalence and infiltrates the Google Play store disguised as benign applications. Using advanced techniques such as overlay and accessibility, it stealthily exfiltrates sensitive banking credentials and financial data. By injecting malicious payloads and employing deceptive login pages, Anatsa poses a significant threat to mobile banking security.
Best Practices to Stop the Anatsa Trojan
To protect against such threats, Cyble’s Research and Intelligence Labs suggests following essential cybersecurity best practices:
- Install Software from Official Sources: Only download software from official app stores like the Google Play Store or the iOS App Store.
- Use Reputable Security Software: Ensure devices, including PCs, laptops, and mobile devices, use reputable antivirus and internet security software.
- Strong Passwords and Multi-Factor Authentication: Use strong passwords and enable multi-factor authentication whenever possible.
- Be Cautious with Links: Be careful when opening links received via SMS or emails.
- Enable Google Play Protect: Always have Google Play Protect enabled on Android devices.
- Monitor App Permissions: Be wary of permissions granted to applications.
- Regular Updates: Keep devices, operating systems, and applications up to date.
By adhering to these practices, users can establish a robust first line of defense against malware and other cyber threats, Cyble researchers said.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
