Security researchers at ThreatLabz have identified a malware campaign operating through the Google Play Store that distributed the Anatsa banking trojan, also known as TeaBot. The malicious app, disguised as a file manager and document reader, was downloaded over 220,000 times before its removal. Once a user granted it accessibility permissions, the app began a multi-stage retrieval process that fetched the Anatsa payload and turned the infected device into a tool for financial fraud.
Anatsa uses overlay attacks and credential harvesting techniques, displaying fake login screens for banking applications to capture user credentials. It targets financial institutions across North America, Europe, and Asia, particularly mobile banking platforms. The malware employs evasion techniques, including delayed activation and encrypted communication, and maintains persistence by checking for accessibility service permissions.
Initial data indicates concentrated infections in regions with high mobile banking usage, and the app's multilingual interface suggests a global targeting strategy. Google removed the app within 48 hours of the disclosure, but it had been present for approximately eight weeks before detection. Google has initiated a mass uninstallation campaign for affected devices, while users are advised to perform factory resets, monitor financial accounts, enable Google Play Protect, and avoid granting permissions to unfamiliar apps. Investigations to identify the threat actors are ongoing; links to Eastern European cybercrime syndicates have been suggested.
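Because Anatsa depends on the accessibility service permission for both its overlay attacks and its persistence, one practical triage step is to audit which accessibility services are enabled on a device and flag any outside a known-good set. The script below is an added example, not code from ThreatLabz or the article; the allowlist and the sample `settings` output are constructed for illustration.

```shell
#!/bin/sh
# Audit enabled Android accessibility services against an allowlist.
# Added example; allowlist and sample output are constructed, not real IoCs.

# Known-good accessibility services, one component name per line (constructed).
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService
com.android.switchaccess/com.android.switchaccess.SwitchAccessService"

# Constructed sample of what
#   adb shell settings get secure enabled_accessibility_services
# returns: a colon-separated list of package/service component names.
SAMPLE_ENABLED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.filemanager/com.example.filemanager.DocService"

# flag_unexpected_services LIST
# Prints every enabled component that is not in ALLOWED_SERVICES, one per line.
# Returns 1 if any such component was found, 0 if every entry is allowlisted.
flag_unexpected_services() {
    found=0
    while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        # -x: whole-line match, -F: fixed string, so partial package names never match
        if ! printf '%s\n' "$ALLOWED_SERVICES" | grep -qxF -- "$svc"; then
            printf '%s\n' "$svc"
            found=1
        fi
    done <<EOF
$(printf '%s\n' "$1" | tr ':' '\n')
EOF
    return $found
}

# Demo on the constructed sample: flags the hypothetical file-manager service.
flag_unexpected_services "$SAMPLE_ENABLED" \
    || echo "unexpected accessibility service(s) enabled, review the entries above"

# Live use against a connected device (adb output carries a trailing CR, hence tr -d):
#   flag_unexpected_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
```

An unexpected entry is not proof of infection, but an accessibility service owned by a recently installed "file manager" is exactly the condition Anatsa needs and warrants removing the app before monitoring accounts.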