Researchers have observed a significant increase in attempts to spread the Anatsa Banking Trojan under the veil of legitimate-looking PDF and QR code reader apps on the Google Play store. Also known as TeaBot, the malware employs dropper applications that appear harmless to users, deceiving them into unwittingly installing the malicious payload, said researchers at cybersecurity firm Zscaler. Once installed, Anatsa extracts sensitive banking credentials and financial information from various global financial applications. It achieves this through overlay and accessibility techniques, allowing it to discreetly intercept and collect data.

Distribution and Impact of Anatsa Banking Trojan

Two malicious payloads linked to Anatsa were found in the Google Play store, distributed by threat actors. The campaign impersonated PDF reader and QR code reader applications to attract numerous installations. The high number of installations, which had surpassed 70,000 at the time of analysis, further convinced victims of the applications' legitimacy. Anatsa employs remote payloads retrieved from Command and Control (C&C) servers to perform additional malicious activities. The dropper application contains encoded links to remote servers, from which the subsequent stage payload is downloaded. Along with the payload, the malware fetches a configuration file from the remote server to execute the next stage of the attack.

Anatsa Infection Steps

The Anatsa banking trojan works by employing a dropper application and executing a payload to launch its malicious activities. Dropper Application:

• The fake QR code application downloads and loads the DEX file.
• The application uses reflection to invoke code from the loaded DEX file.
• Configuration for loading the DEX file is downloaded from the C&C server.

Payload Execution:

• After downloading the next stage payload, Anatsa performs checks on the device environment to detect analysis environments and malware sandboxes.
• Upon successful verification, it downloads the third and final stage payload from the remote server.

Malicious Activities:

• The malware injects uncompressed raw manifest data into the APK, deliberately corrupting the compression parameters in the manifest file to hinder analysis.
• Upon execution, the malware decodes all encoded strings, including those for C&C communication.
• It connects with the C&C server to register the infected device and retrieve a list of targeted applications for code injections.

Data Theft:

• After receiving a list of package names for financial applications, Anatsa scans the device for these applications.
• If a targeted application is found, Anatsa communicates this to the C&C server.
• The C&C server then supplies a counterfeit login page for the banking operation.
• This fake login page, displayed within a JavaScript Interface (JSI) enabled web view, tricks users into entering their banking credentials, which are then transmitted back to the C&C server.

[caption id="attachment_71735" align="aligncenter" width="1038"] Anatsa Banking Trojan Attack Chain (Source: Zscaler)[/caption] The Anatsa banking trojan is increasing in prevalence and infiltrates the Google Play store disguised as benign applications. Using advanced techniques such as overlay and accessibility, it stealthily exfiltrates sensitive banking credentials and financial data. By injecting malicious payloads and employing deceptive login pages, Anatsa poses a significant threat to mobile banking security.

Best Practices to Stop the Anatsa Trojan

To protect against such threats, Cyble's Research and Intelligence Labs suggests following essential cybersecurity best practices:

• Install Software from Official Sources: Only download software from official app stores like the Google Play Store or the iOS App Store.
• Use Reputable Security Software: Ensure devices, including PCs, laptops, and mobile devices, use reputable antivirus and internet security software.
• Strong Passwords and Multi-Factor Authentication: Use strong passwords and enable multi-factor authentication whenever possible.
• Be Cautious with Links: Be careful when opening links received via SMS or emails.
• Enable Google Play Protect: Always have Google Play Protect enabled on Android devices.
• Monitor App Permissions: Be wary of permissions granted to applications.
• Regular Updates: Keep devices, operating systems, and applications up to date.

By adhering to these practices, users can establish a robust first line of defense against malware and other cyber threats, Cyble researchers said. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The Antidot Android banking trojan is a new threat on the surface web, disguising itself as a Google Play update, targeting Android users worldwide. The android banking trojan is a stealthy malware strategically designed to infiltrate devices, harvest sensitive information, and wreak havoc across diverse language-speaking regions. Revealed by cybersecurity experts at Cyble Research and Intelligence Labs (CRIL), the Antidot banking trojan represents a sophisticated evolution in mobile malware. Unlike its predecessors, Antidot employs a range of malicious tactics, including overlay attacks, keylogging, and VNC features, to compromise devices and extract valuable data.

Decoding the Antidot Android Banking Trojan Campaign

[caption id="attachment_68993" align="alignnone" width="1447"] Source: Cyble[/caption] At its core, Antidot masquerades as a legitimate Google Play update application, luring unsuspecting users into its trap. Upon installation, it presents counterfeit Google Play update pages meticulously crafted in various languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English. This strategic approach indicates a broad spectrum of targets, spanning multiple regions and demographics. [caption id="attachment_68994" align="alignnone" width="1536"] Source: Cyble[/caption] Behind its deceptive façade, Antidot operates with alarming sophistication. Leveraging overlay attacks as its primary modus operandi, the Trojan seamlessly overlays phishing pages onto legitimate applications, capturing sensitive credentials without the user's knowledge.  Additionally, Antidot integrates keylogging functionality, surreptitiously recording keystrokes to further enhance its data harvesting capabilities.

Sophisticated Communication and Control (C&C) Server

[caption id="attachment_68996" align="alignnone" width="1232"] Source: Cyble[/caption] Antidot maintains a stealthy line of communication with its Command and Control (C&C) server, facilitating real-time interaction for executing commands and transmitting stolen data. Through WebSocket communication, the malware establishes bidirectional connections, enabling seamless coordination between the infected devices and the malicious actors behind the scenes. [caption id="attachment_68998" align="alignnone" width="1071"] Source: Cyble[/caption] One of Antidot's most insidious features is its implementation of VNC (Virtual Network Computing), enabling remote control of infected devices. By leveraging the MediaProjection feature, the Trojan captures and transmits display content to the C&C server, allowing attackers to remotely execute commands and manipulate device functions. [caption id="attachment_69000" align="alignnone" width="1483"] Source: Cyble[/caption] To combat the growing threat posed by Antidot and similar Android banking trojans, cybersecurity experts from Cyble recommend adhering to essential best practices. These include downloading software from official app stores like Google Play or the iOS App Store.  Users can also utilize reputable antivirus and internet security software on all connected devices. Other precautionary methods include enforcing strong passwords and enabling multi-factor authentication whenever possible. Exercise caution when clicking on links received via SMS or email. Keep devices, operating systems, and applications up to date to mitigate potential vulnerabilities. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

For the most popular operating system in the world—which is Android and it isn’t even a contest—there’s a sneaky cyberthreat that can empty out a person’s bank accounts to fill the illicit coffers of cybercriminals.

These are “Android banking trojans,” and, according to our 2024 ThreatDown State of Malware report, Malwarebytes detected an astonishing 88,500 of them last year alone.

While the 2024 ThreatDown State of Malware report focuses heavily on the corporate security landscape today, make no mistake: Android banking trojans pose a serious threat to everyday users. They are well-disguised, hard to detect in regular use, and are a favorite hacking tool for cybercriminals who want to automate the theft of online funds for themselves.

What are Android banking trojans?

The idea behind Android banking trojans—and all cyber trojans—is simple: Much like the fabled “Trojan Horse” which, the story goes, carried a violent surprise for the city of Troy, Android banking trojans can be found on the internet disguised as benign, legitimate mobile apps that, once installed on a device, reveal more sinister intentions.  

By masquerading as everyday mobile apps for things like QR code readers, fitness trackers, and productivity or photography tools, Android banking trojans intercept a person’s online interest in one app, and instead deliver a malicious tool that cybercriminals can abuse later on.

But modern devices aren’t so faulty that an errant mobile app download can lead to full device control or the complete revelation of all your private details, like your email, social media, and banking logins. Instead, what makes Android banking trojans so tricky is that, once installed, they present legitimate-looking permissions screens that ask users to grant the new app all sorts of access to their device, under the guise of improving functionality.

Take the SharkBot banking trojan, which Malwarebytes detects and stops. Last year, Malwarebytes found this Android banking trojan hiding itself as a file recovery tool called “RecoverFiles.” Once installed on a device, “RecoverFiles” asked for access to “photos, videos, music, and audio on this device,” along with extra permissions to access files, map and talk to other apps, and even send payments via Google Play.

These are just the sorts of permissions that any piece of malware needs to dig into your personally identifiable information and your separate apps to steal your usernames, passwords, and other important information that should be kept private and secure.

Still, the tricks behind “RecoverFiles” aren’t yet over.

Not only is the app a clever wrapper for an Android banking trojan, it could also be considered a hidden wrapper. Once installed on a device, the “RecoverFiles” app icon itself does not show up on a device’s home screen. This stealth maneuver is similar to the features of stalkerware-type apps, which can be used to non-consensually spy on another person’s physical and digital activity.

But in the world of Android banking trojan development, cybercrminals have devised far more devious schemes than simple camouflage.

Slipping under the radar

The problem with the Ancient Greeks’ Trojan Horse strategy is that it could only work once—if you don’t sack Troy the first time, you better believe Troy is going to implement some strict security controls on all future big horse gifts.

The makers of Android banking trojans have to overcome similar (and far more advanced) security measures from Google. As the Google Play store has become the go-to marketplace for Android apps, cybercriminals try to place their malicious apps on Google Play to catch the highest number of victims. But Google Play’s security measures frequently detect malware and prevent it from being listed.

So, what’s a cybercriminal to do?

In these instances, cybercriminals make an application that is seemingly benign, but, once installed on a device, executes a line of code that actually downloads malware from somewhere else on the internet. This is how cybercriminals recently snuck their malware onto Google Play and potentially infected more than 100,000 users with the Anatsa banking trojan.

What was most concerning in this attack was that the malicious apps that made it onto the Google Play store reportedly worked for their intended purposes—the PDF reader read PDFs, the file manager managed files. But hidden within the apps’ coding, users were actually downloading a set of instructions that directed their devices to install malware.

These malicious packages are sometimes called “malware droppers” as the apps “drop” malware onto a device at a later time.  

What does it all mean for me?

There’s a lot of technical machinery at work inside any Android banking trojan that is put in place to accomplish a rather simple end goal, which is stealing your money.

All the camouflage, subterfuge, and hidden code execution is part of a longer attack chain in which Android banking trojans steal your passwords and personally identifiable information, and then use that information to take your money.

As we wrote in the 2024 ThreatDown State of Malware report:

“Once it has accessibility permissions, the malware initializes its Automated TransferSystem (ATS) framework, a complex set of scripts and commands designed to perform automated banking transactions without user intervention. The ATS framework uses the harvested credentials to initiate unauthorized money transfers to accounts held by the attacker. This mimics real user behavior to bypass fraud detection systems.”

Staying safe from Android banking trojans

Protecting yourself from Android banking trojans is not as simple as, say, spotting grammatical mistakes in a phishing email or refusing to click any links sent in text messages from unknown numbers. But just because Android banking trojans are harder to detect by eye does not mean that they’re impossible to stop.

Malwarebytes Premium provides real-time protection to detect and stop Android banking trojans that are accidentally installed on your devices. It doesn’t matter if the banking trojan is simply a malicious app in a convenient package, or if the banking trojan is downloaded through a “malware dropper”—Malwarebytes Premium provides 24/7 cybersecurity coverage and stops dangerous attacks before they can be carried out.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.