Anatsa banking trojan Archives

AppWizard

March 6, 2025

Android App With 220,000+ Downloads From Google Play Installs Banking Trojan

A sophisticated Android banking trojan campaign, known as Anatsa or TeaBot, has been downloaded over 220,000 times from the Google Play Store before its removal. The malware targets global financial institutions using a multi-stage infection process, deploying fake login overlays and exploiting accessibility services to steal user credentials and perform unauthorized transactions. The malicious app disguised itself as a "File Manager and Document Reader" and acted as a dropper, retrieving additional payloads from remote servers. It uses reflection-based code execution to evade detection and conducts anti-emulation checks to confirm it is on a genuine device. Anatsa requests critical permissions, including accessibility services and SMS access, to log keystrokes and bypass two-factor authentication. The campaign primarily targets users in Europe, especially Slovakia, Slovenia, and Czechia, but has the potential to expand to markets like the U.S., South Korea, and Singapore. It targets over 600 banking and cryptocurrency applications, enabling on-device fraud through automated transaction systems. Users are advised to avoid sideloading apps, audit app permissions, and monitor for updates from official stores. Google has removed the identified dropper, but similar threats persist. Indicators of compromise include specific network URLs and an MD5 hash for a sample.

AppWizard

March 6, 2025

Malicious Android App on Google Play Compromises 220,000+ Devices

Security researchers at ThreatLabz have identified a malware campaign operating through the Google Play Store that disseminated the Anatsa banking trojan, also known as TeaBot. The malicious app, disguised as a file manager and document reader, was downloaded over 220,000 times before its removal. The app initiated a multi-stage payload retrieval process after users granted accessibility permissions, allowing it to download the Anatsa payload and turn infected devices into tools for financial fraud. Anatsa uses overlay attacks and credential harvesting techniques, displaying fake login screens for banking applications to capture user credentials. It targets financial institutions across North America, Europe, and Asia, particularly mobile banking platforms. The malware employs evasion techniques, including delayed activation and encrypted communication, and maintains persistence by checking for accessibility service permissions. Initial data indicates concentrated infections in regions with high mobile banking usage, and the app's multilingual interface suggests a global targeting strategy. Google removed the app within 48 hours of the disclosure but it had been present for approximately eight weeks before detection. Google has initiated a mass uninstallation campaign for affected devices, while users are advised to perform factory resets, monitor financial accounts, enable Google Play Protect, and avoid granting permissions to unfamiliar apps. Investigations are ongoing to identify the threat actors, with links to Eastern European cybercrime syndicates suggested.

AppWizard

July 5, 2024

New Google Play Store Warning As Dangerous Threat Returns

Google's Play Store is facing a reappearance of dangerous malware known as Anatsa, a banking trojan that steals financial information. Despite previous assurances from Google about removing malicious apps, Anatsa has resurfaced disguised as a QR reader and file manager. Users are advised to stick to official app stores, check developers and reviews, avoid unnecessary permissions, avoid clicking on links for app downloads, and be cautious with installing apps linked to popular ones.

AppWizard

June 4, 2024

THESE Android apps are stealing money from your bank account

Ansta virus is attacking Android users' bank accounts through dangerous apps available on Google's Play Store.

AppWizard

June 3, 2024

Anatsa banking Trojan plagues Android apps

Anatsa is a sophisticated threat to Android apps, particularly e-banking security. It has breached Google Play, resulting in at least 150,000 infiltrations via deceptive apps. Anatsa uses persistent evasion strategies, including a four-stage payload uploading process, to remain undetected while harvesting information. Users can protect themselves by downloading apps from trusted sources, maintaining regular device software updates, and utilizing dependable security software.

AppWizard

May 30, 2024

Nearly 100 malicious apps with 5.5 million installs spreading malware on Play Store — protect yourself now

- Cybersecurity experts have identified over 90 malicious apps on the Google Play Store, downloaded 5.5 million times. - Two particularly dangerous apps, PDF Reader & File Manager by TSARKA Watchfaces and QR Reader & File Manager by risovanul, have been highlighted and should be immediately uninstalled. - These apps were used to distribute the Anatsa banking trojan, targeting over 650 banking applications worldwide. - To stay safe from malicious apps, users should be selective about the apps they install, consider reputable developers, opt for paid apps, scrutinize ratings and reviews, enable Google Play Protect, and consider using Android antivirus apps.

AppWizard

May 29, 2024

Android Security Experts Raise The Alarm Against Surge In Anatsa Banking Trojan As 90 Malicious Apps Installed 5.5 Million Times

Anatsa is a banking trojan that has been found in malicious Android apps downloaded from Google Play 5.5 million times.

AppWizard

May 29, 2024

Millions of android users at risks due to malicious apps discovered on Playstore

The Google Play store was found to have over 90 malicious applications, including the Anatsa banking Trojan, which has targeted financial apps on users' devices.

AppWizard

May 28, 2024

Over 90 malicious Android apps with 5.5M installs found on Google Play

Over 90 malicious Android apps, including the Anatsa banking trojan, were discovered on Google Play, with a collective download count exceeding 5.5 million. Anatsa preys on financial applications across Europe, the Americas, and Asia, stealing e-banking credentials for unauthorized transactions. The trojan was found in two seemingly benign apps, 'PDF Reader & File Manager' and 'QR Reader & File Manager,' downloaded 70,000 times. Anatsa uses a sophisticated multi-stage payload delivery system to avoid detection and initiates data exchange with a C2 server once active on a device. Other malicious apps on Google Play impersonate utility and lifestyle apps, with Anatsa and Coper being considered especially dangerous for on-device fraud and data theft. Users are advised to be cautious when installing new apps from Google Play and scrutinize permissions requested.