Anatsa (TeaBot) Android banking malware campaigns on the Google Play Store use decoy apps to drop a multi-stage payload that exfiltrates banking credentials, employing overlays and accessibility tricks to capture data. The report covers the attack chain, anti-analysis techniques, and observed trends across targeted banking apps and regions.
#Anatsa #TeaBot
Keypoints
- Threat actors use decoy applications such as PDF readers and QR code readers as loaders to deploy the Anatsa Android malware through the Google Play Store.
- Many malicious Android apps masquerade as useful tools (e.g., file managers, editors, translators) to blend in and attract installs.
- Anatsa’s second-stage payload is disguised as a legitimate application update to trick victims.
- The actors employ anti-analysis techniques, including checks for virtual environments/emulators and corrupting APK ZIP headers to hinder static analysis.
- The dropper downloads the next-stage payload and a configuration file from a C2 server, then loads a DEX file via reflection.
- Final payload injections target financial apps and present fake login pages via a JS-enabled webview to steal credentials.
- Google Play trends show tools as the most abused category; Anatsa, Joker, Adware, Facestealer, and Coper are among the observed families.
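The ZIP-header corruption mentioned above works because Android installs an APK from its central directory, so an attacker can damage the per-entry local file headers and break tools that trust those headers while the app still installs and runs. The following script is an added example, not code from the report: it walks the central directory, compares each entry with its local header, and flags any disagreement. Which field Anatsa actually corrupts is not stated on this page, so the tampering helper (which overwrites the compression-method field) and the minimal sample archive are assumptions constructed for illustration, not a real dropper.

```python
"""Audit an APK's ZIP structure for local-header / central-directory disagreement.

Added example (not code from the report). The sample archive is constructed,
and the choice of which local-header field to corrupt is an assumption.
"""
import io
import struct
import zipfile

LOCAL_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
# End of central directory (22 bytes), central directory header (46), local header (30)
EOCD_FMT, CD_FMT, LOCAL_FMT = "<4sHHHHIIH", "<4sHHHHHHIIIHHHHHII", "<4sHHHHHIIIHH"
KNOWN_METHODS = {0, 8}  # stored and deflated: the only methods the Android installer accepts


def build_sample_apk() -> bytes:
    """Constructed minimal archive standing in for a dropper APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='x'/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(64))
    return buf.getvalue()


def central_entries(apk: bytes):
    """Yield (name, central-directory fields) for every entry, driven by the EOCD record."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from(EOCD_FMT, apk, eocd)
    pos = cd_off
    for _ in range(total):
        if apk[pos:pos + 4] != CD_SIG:
            raise ValueError(f"bad central directory signature at 0x{pos:x}")
        fields = struct.unpack_from(CD_FMT, apk, pos)
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = apk[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, fields
        pos += 46 + name_len + extra_len + comment_len


def audit_headers(apk: bytes) -> list[str]:
    """Return one finding per field where a local header disagrees with the directory."""
    findings = []
    for name, cd in central_entries(apk):
        cd_method, cd_crc, cd_csize, cd_usize, cd_name_len, local_off = (
            cd[4], cd[7], cd[8], cd[9], cd[10], cd[16])
        if apk[local_off:local_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: no local header signature at 0x{local_off:x}")
            continue
        lh = struct.unpack_from(LOCAL_FMT, apk, local_off)
        l_flags, l_method, l_crc, l_csize, l_usize, l_name_len = lh[2], lh[3], lh[6], lh[7], lh[8], lh[9]
        if l_method != cd_method or l_method not in KNOWN_METHODS:
            findings.append(f"{name}: local method {l_method} (0x{l_method:x}) vs directory {cd_method}")
        # With general-purpose bit 3 set, local CRC/sizes are legitimately zero (data descriptor follows).
        if not (l_flags & 0x08) and (l_crc, l_csize, l_usize) != (cd_crc, cd_csize, cd_usize):
            findings.append(f"{name}: local crc/sizes differ from directory")
        if l_name_len != cd_name_len:
            findings.append(f"{name}: local name length {l_name_len} vs directory {cd_name_len}")
    return findings


def tamper_local_header(apk: bytes, name: str, method: int) -> bytes:
    """Imitate header corruption (assumed field): overwrite one entry's local
    compression-method field (offset 8 in the local header), leaving the directory intact."""
    buf = bytearray(apk)
    for entry_name, cd in central_entries(apk):
        if entry_name == name:
            struct.pack_into("<H", buf, cd[16] + 8, method)
            return bytes(buf)
    raise KeyError(name)


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean:", audit_headers(clean) or "no findings")
    bad = tamper_local_header(clean, "classes.dex", 0x1337)
    print("tampered:", audit_headers(bad))
    # The central directory still parses, which is why such an APK keeps installing.
    print(zipfile.ZipFile(io.BytesIO(bad)).namelist())
```

A clean archive yields no findings; after the tampering helper runs, only the entry whose local header was rewritten is reported, and a central-directory-driven reader still lists both files. In triage, any non-empty finding list on a Play Store APK is worth a closer look, since legitimate build tools write matching headers.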
MITRE Techniques
- [T1624] Event Triggered Execution – The dropper follows encoded links to remote servers and dynamically loads the retrieved DEX file via reflection to execute its code. Quote: “The application utilizes reflection to invoke code from a loaded DEX file.”
- [T1444] Masquerade as Legitimate Application – Dropper applications appear benign so that users install the malicious payload unwittingly. Quote: “dropper applications that appear benign to users, deceiving them into unwittingly installing the malicious payload.”
- [T1661] Evasion using versions – The malware performs environment checks to detect analysis environments and malware sandboxes. Quote: “After the next stage payload is downloaded, Anatsa performs a series of checks for the device environment and device type. This is likely designed to detect analysis environments and malware sandboxes.”
- [T1406] Encrypted payload – The final-stage DEX is decrypted with a static key embedded in the code. Quote: “the payload decrypts the DEX file using a static key embedded within the code.”
- [T1533] Data from Local System – The malware scans the device to determine whether targeted banking apps are installed. Quote: “The malware scans the victim’s device to check if any of these targeted applications are installed.”
- [T1516] Input Injection – The fake login page is loaded in a JS-enabled webview to steal credentials. Quote: “The fake login page is loaded within a JavaScript Interface (JSI) enabled webview, which is designed to deceive the user into providing their banking credentials.”
Indicators of Compromise
- [Package Name] com.appandutilitytools.fileqrutility – MD5 718659f464c3231dc0eeeacfdcbdfa74 – Network / C2: https[:]//menusand.com/pdffile, https[:]//menusand.com/hanihani
- [Package Name] N/A(hanihani) – MD5 36089c60ce1bfc975c3b561abb67f0de – Network / C2: https[:]//menusand.com/86.apk
- [Package Name] com.nfctnofxy.tmzcwkcjd – MD5 cb02f9e5a5671e3f13bc26d3017b8632 – Network / C2: http[:]//185.215.113.31:85/api, http[:]//91.215.85.55:85/api
- [Package Name] com.ultimatefilesviewer.filemanagerwithpdfsupport – MD5 7c6f2ccd081b383c2a4924eb4c793d71 – Network / C2: https[:]//becorist.com/juranfile, https[:]//becorist.com/trani
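The indicators above are defanged (`https[:]//…`) and mix three indicator types in one line each, so they cannot be fed to a matcher as written. The script below is an added example, not code from the report: it parses and refangs the four IoC lines exactly as listed above, then sweeps a device package inventory and proxy log lines for package names, APK MD5s, and C2 hosts. The inventory rows and log lines, and their field layout, are constructed for illustration.

```python
"""Refang the report's IoCs and sweep an inventory and proxy log for hits.

Added example, not code from the report. IOC_TEXT is copied from the list
above; the inventory rows and log lines are constructed and their layout is
an assumption.
"""
import re

IOC_TEXT = """\
- [Package Name] com.appandutilitytools.fileqrutility – MD5 718659f464c3231dc0eeeacfdcbdfa74 – Network / C2: https[:]//menusand.com/pdffile, https[:]//menusand.com/hanihani
- [Package Name] N/A(hanihani) – MD5 36089c60ce1bfc975c3b561abb67f0de – Network / C2: https[:]//menusand.com/86.apk
- [Package Name] com.nfctnofxy.tmzcwkcjd – MD5 cb02f9e5a5671e3f13bc26d3017b8632 – Network / C2: http[:]//185.215.113.31:85/api, http[:]//91.215.85.55:85/api
- [Package Name] com.ultimatefilesviewer.filemanagerwithpdfsupport – MD5 7c6f2ccd081b383c2a4924eb4c793d71 – Network / C2: https[:]//becorist.com/juranfile, https[:]//becorist.com/trani
"""

IOC_LINE = re.compile(
    r"\[Package Name\]\s*(?P<pkg>\S+)\s*[–-]\s*MD5\s*(?P<md5>[0-9a-fA-F]{32})"
    r"\s*[–-]\s*Network / C2:\s*(?P<net>.+)")
# Hostnames or dotted IPv4 addresses appearing anywhere in a log line
HOST_TOKEN = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def refang(s: str) -> str:
    """Undo the defanging conventions used in published IoC lists."""
    return s.replace("[:]", ":").replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:\s]+)", url)
    return m.group(1).lower() if m else ""


def parse_iocs(text: str) -> list[dict]:
    """One record per IoC line: package (None when N/A), md5, refanged URLs, C2 hosts."""
    iocs = []
    for line in text.splitlines():
        m = IOC_LINE.search(line)
        if not m:
            continue
        urls = [refang(u.strip()) for u in m["net"].split(",") if u.strip()]
        pkg = None if m["pkg"].startswith("N/A") else m["pkg"]
        iocs.append({"package": pkg, "md5": m["md5"].lower(), "urls": urls,
                     "hosts": {host_of(u) for u in urls} - {""}})
    return iocs


def match_inventory(iocs: list[dict], installed: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """installed: (package, apk_md5) pairs. Returns (package, reason) for each hit;
    the hash check catches a known dropper republished under a new package name."""
    by_pkg = {i["package"] for i in iocs if i["package"]}
    by_md5 = {i["md5"] for i in iocs}
    hits = []
    for pkg, md5 in installed:
        reasons = [r for r, ok in (("package", pkg in by_pkg), ("md5", md5.lower() in by_md5)) if ok]
        if reasons:
            hits.append((pkg, "+".join(reasons)))
    return hits


def match_proxy_log(iocs: list[dict], lines: list[str]) -> list[tuple[str, list[str]]]:
    """Flag any line mentioning a C2 host or IP, whatever the log's field layout."""
    hosts = set().union(*(i["hosts"] for i in iocs))
    hits = []
    for line in lines:
        bad = {t.lower() for t in HOST_TOKEN.findall(line)} & hosts
        if bad:
            hits.append((line, sorted(bad)))
    return hits


# Constructed sample data (not from the report)
SAMPLE_INVENTORY = [
    ("com.android.chrome", "0" * 32),
    ("com.nfctnofxy.tmzcwkcjd", "deadbeef" * 4),
    ("com.example.reader", "36089C60CE1BFC975C3B561ABB67F0DE"),
]
SAMPLE_LOG = [
    "2024-05-01T10:22:13Z device=pixel-7 dst=becorist.com:443 path=/trani bytes=2048",
    "2024-05-01T10:22:15Z device=pixel-7 dst=updates.example.org:443 path=/ bytes=512",
]

if __name__ == "__main__":
    iocs = parse_iocs(IOC_TEXT)
    print(match_inventory(iocs, SAMPLE_INVENTORY))
    print(match_proxy_log(iocs, SAMPLE_LOG))
```

The hash match is what catches the second indicator, whose package name is not given on the page; the host match is deliberately layout-agnostic so it works on raw proxy, DNS, or firewall exports without a parser per source.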