Anatsa (TeaBot) is an evolving Android banking trojan that now targets over 831 financial and cryptocurrency applications worldwide and uses enhanced anti-analysis and evasion techniques. The malware streamlines payload delivery, uses runtime DES decryption and device checks, and leverages Google Play decoy apps to distribute updates from C2 servers. #Anatsa #TeaBot
Key Points
- Anatsa first appeared in 2020 and is capable of credential theft, keylogging, and enabling fraudulent transactions.
- The latest Anatsa variant expands its targeting to more than 831 financial institutions and over 150 new banking and cryptocurrency applications, adding new regions such as Germany and South Korea.
- The distribution uses decoy applications on the Google Play Store that download the malicious payload as an update from C2 servers to evade detection.
- Developers replaced dynamic remote DEX loading with direct payload installation and added runtime DES string decryption to hinder static analysis.
- Anatsa implements anti-analysis checks (emulation checks, device model verification) and alters package names and installation hashes periodically to avoid detection.
- The malware hides its DEX payload in malformed or corrupted APK/ZIP archives and within JSON files that are dropped and deleted at runtime.
- Anatsa requests accessibility and other high-risk permissions, uses fake banking login pages downloaded from C2 for credential theft, and encrypts C2 communication with a single-byte XOR key (0x42 / 66 decimal).
MITRE Techniques
- [T1059] Command and Scripting Interpreter - Anatsa downloads and executes a DEX payload and dynamically loads code at runtime to perform malicious actions. Quote: "the installer proceeds to download Anatsa as an update."
- [T1620] Reflective Code Loading - The DEX payload is concealed within a JSON file, dynamically dropped at runtime and promptly deleted after being loaded. Quote: "The DEX payload is concealed within a JSON file, which is dynamically dropped at runtime and promptly deleted after being loaded."
- [T1204] User Execution - Distribution via decoy apps on the Google Play Store that appear benign and rely on users to install them. Quote: "a decoy application in the official Google Play Store that appears benign upon installation."
- [T1531] Account Access Removal/Modification - Requests and abuses Accessibility permissions to automatically enable manifest permissions and perform actions on behalf of the user. Quote: "Once installed, Anatsa requests accessibility permissions… the malware automatically enables all the permissions specified in its manifest file."
- [T1497] Virtualization/Sandbox Evasion - Performs emulation checks and verifies device models to bypass dynamic analysis environments. Quote: "Anatsa has enhanced its evasion strategies by performing emulation checks and verifying device models to bypass dynamic analysis environments."
- [T1027] Obfuscated Files or Information - Uses malformed/corrupted ZIP/APK archives and an APK ZIP obfuscator to hide DEX files and evade static analysis. Quote: "The APK uses a corrupted archive to hide a DEX file… invalid compression and encryption flags, making it hard for static analysis tools to detect."
- [T1041] Exfiltration Over C2 Channel - Exfiltrates credentials and retrieves fake banking pages from C2 servers; C2 communications are XOR-encrypted. Quote: "Anatsa connects to the server to request specific commands and encrypts C2 communication using a single byte XOR key (66 in decimal)."
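The corrupted-archive trick under T1027 works because Android only honours the "stored" and "deflate" methods and never sets the ZIP encryption bit, so an entry carrying either anomaly is worth flagging during APK triage. The scanner below is an added example, not code from the report or from any vendor tool; it walks the ZIP local file headers directly (rather than trusting the central directory) and runs on a constructed sample archive whose classes.dex header has been tampered in the way the page describes.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Stored (0) and deflate (8) are the only methods Android's package installer accepts.
ALLOWED_METHODS = {0, 8}


def scan_local_headers(data: bytes) -> list:
    """Walk every ZIP local file header in an APK and report entries whose
    general-purpose flags or compression method match the obfuscation the
    page describes: encryption bit set, or a method no Android tool supports."""
    findings = []
    pos = data.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        # Local file header layout: sig(4) ver(2) flags(2) method(2) mtime(2)
        # mdate(2) crc(4) csize(4) usize(4) name_len(2) extra_len(2) = 30 bytes
        f = struct.unpack_from("<4sHHHHHIIIHH", data, pos)
        flags, method, name_len = f[2], f[3], f[9]
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        reasons = []
        if flags & 0x1:
            reasons.append("encryption flag set")
        if method not in ALLOWED_METHODS:
            reasons.append("unsupported compression method %d" % method)
        if reasons:
            findings.append((name, reasons))
        pos = data.find(LOCAL_SIG, pos + 4)
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample (not a real Anatsa artifact): a minimal ZIP whose
    classes.dex local header is tampered so the central directory still looks
    clean while the local header carries an invalid method and the encryption bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    data = bytearray(buf.getvalue())
    # The first "classes.dex" occurrence is the local header's name field,
    # which starts 30 bytes after the header; flags sit at +6, method at +8.
    hdr = data.find(b"classes.dex") - 30
    flags, = struct.unpack_from("<H", data, hdr + 6)
    struct.pack_into("<HH", data, hdr + 6, flags | 0x1, 99)
    return bytes(data)


if __name__ == "__main__":
    for name, reasons in scan_local_headers(build_sample_apk()):
        print("%s: %s" % (name, ", ".join(reasons)))
```

Because the sample's central directory is left intact, tools that read only the central directory will list classes.dex as a normal deflated entry; comparing both structures is what surfaces the mismatch.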
Indicators of Compromise
- [Package Name] Example malicious Play Store package names - com.synexa.fileops.fileedge_organizerviewer, com.applicationsresearchgroup.docxploremanagerviewer
- [MD5 Hash] Installer/app hashes - 5f85261cf55ed10e73c9b68128092e70, a4973b21e77726a88aca1b57af70cc0a (and other hashes)
- [C2 Domains/IPs] Command-and-control endpoints used to download payloads and injection pages - hxxps://saurkanot[.]com/policy.html, hxxp://185[.]215[.]113[.]108:85/api/ (also 193[.]24[.]123[.]18:85 and 162[.]252[.]173[.]37:85)
- [File/Resource] Embedded payload container and delivery methods - DEX payload concealed in JSON files and malformed APK/ZIP archives (invalid compression/encryption flags)
- [Installation Artifacts] High-risk permissions requested and automatically enabled - SYSTEM_ALERT_WINDOW, READ_SMS, RECEIVE_SMS, USE_FULL_SCREEN_INTENT requested by the malicious apps