Example of an Anatsa decoy application in the Google Play Store | Image: Zscaler ThreatLabz
The Android ecosystem continues to face persistent threats from sophisticated banking trojans. The Zscaler ThreatLabz team, which continually monitors malicious applications distributed via the Google Play Store, has revealed new details about the evolution of Anatsa, also known as TeaBot.
According to the researchers, “Anatsa malware first emerged in 2020 as an Android banking trojan capable of credential theft, keylogging, and enabling fraudulent transactions.”
While earlier Anatsa campaigns targeted over 650 financial institutions across Europe, the US, and the UK, the latest operations have broadened significantly. ThreatLabz found that “the latest variant of Anatsa targets over 831 financial institutions worldwide, adding new countries like Germany and South Korea, as well as cryptocurrency platforms.”
This expansion shows how cybercriminals are adapting their malware to exploit not only traditional banking but also emerging fintech and crypto markets.
The attack begins with decoy apps uploaded to the official Google Play Store, often disguised as document readers or file managers. These apps appear benign during installation but later fetch malicious payloads from a command-and-control (C2) server.
ThreatLabz explains: “Anatsa uses a dropper technique, where the threat actors use a decoy application in the official Google Play Store that appears benign upon installation. Once installed, Anatsa silently downloads a malicious payload disguised as an update from its command-and-control (C2) server.”
Many of these decoy apps are highly popular, “individually exceeding 50,000 downloads,” demonstrating the effectiveness of this distribution method.
The malware has adopted multiple new anti-analysis techniques. Researchers note: “The parent installer now decrypts each string at runtime using a dynamically generated Data Encryption Standard (DES) key, making it more resistant to static analysis tools.”
Key updates include:
- Runtime decryption of strings with DES.
- Device-specific payload restrictions to evade analysis environments.
- Obfuscation using malformed APK archives, which bypass static detection mechanisms.
- Dynamic payload delivery, replacing older methods with direct installation of the Anatsa payload.
Once installed, the malware requests extensive permissions, such as READ_SMS, SYSTEM_ALERT_WINDOW, and USE_FULL_SCREEN_INTENT, which it abuses for credential theft and persistence.
The core objective of Anatsa remains credential harvesting. By leveraging accessibility services, it displays fake login pages tailored to the banking or financial apps on a victim’s device.
ThreatLabz highlights: “Anatsa primarily exfiltrates credentials by displaying fake banking login pages, which are downloaded from its C2 server. These pages are tailored based on the financial institution applications detected on the user’s device.”
Even popular apps such as Robinhood have been spoofed, with fake “maintenance” screens used to trick victims into divulging sensitive information.
Anatsa isn’t the only malware leveraging Google Play. Alongside it, ThreatLabz identified “77 malicious apps from various malware families, collectively accounting for over 19 million installs.”
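The permission set described above is worth turning into a concrete triage check. The following Python script is an added example, not code from the article or from ThreatLabz: it parses a decoded AndroidManifest.xml and flags the combination that a “document reader” has no reason to carry, namely SMS access, overlay or full-screen capability, and an accessibility service binding. The two sample manifests, their package names, the RECEIVE_SMS and REQUEST_INSTALL_PACKAGES entries, and the set of permissions assumed to be normal for a reader app are constructed for the example and are not taken from the article.

```python
"""Triage a decoded AndroidManifest.xml for the Anatsa-style permission profile.

Added example, not the article's or ThreatLabz's code. Uses only the
standard library; run it on the manifest of the *dropped payload* APK
(decoded with apktool or androguard first), since the Play Store decoy
fetches its payload after install and may itself look clean.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for android:* attributes

# Permissions the article names as abused by Anatsa, plus two that
# overlay/dropper behaviour needs on current Android (RECEIVE_SMS and
# REQUEST_INSTALL_PACKAGES are this example's assumption, not from the article).
RISKY = {
    "android.permission.READ_SMS": "read stored SMS (OTP / 2FA codes)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.USE_FULL_SCREEN_INTENT": "show full-screen UI over whatever is open",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install a downloaded 'update' APK",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.USE_FULL_SCREEN_INTENT"}
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# What a plain document reader / file manager plausibly needs (assumption).
EXPECTED_FOR_READER = {
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def declared_permissions(root):
    """Return the set of <uses-permission android:name=...> values."""
    return {el.get(A + "name") for el in root.findall("uses-permission") if el.get(A + "name")}


def declares_accessibility_service(root):
    """True if any <service> is guarded by BIND_ACCESSIBILITY_SERVICE.

    The accessibility binding is declared on the service element, not as a
    uses-permission, so a uses-permission-only scan would miss it.
    """
    return any(svc.get(A + "permission") == ACCESSIBILITY for svc in root.iter("service"))


def triage_manifest(xml_text):
    """Score a manifest: 'high' when two of {overlay, SMS, accessibility} combine."""
    root = ET.fromstring(xml_text)
    perms = declared_permissions(root)
    a11y = declares_accessibility_service(root)
    findings = ["%s: %s" % (p, RISKY[p]) for p in sorted(perms & set(RISKY))]
    if a11y:
        findings.append("accessibility service: can read screen content and act in other apps")
    overlay, sms = bool(perms & OVERLAY), bool(perms & SMS)
    capabilities = sum([overlay, sms, a11y])
    if capabilities >= 2:
        verdict = "high"
    elif capabilities == 1 or "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "verdict": verdict,
        "findings": findings,
        "accessibility_service": a11y,
        "permissions": sorted(perms),
        "unexpected_for_reader": sorted(perms - EXPECTED_FOR_READER),
    }


# Constructed sample manifests (hypothetical package names, not real apps).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.docreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Doc Reader">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

DECOY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfviewer.pro">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="PDF Viewer Pro">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("decoy", DECOY_MANIFEST)):
        result = triage_manifest(manifest)
        print(label, result["verdict"], *result["findings"], sep="\n  ")
```

The verdict deliberately keys on the combination rather than on any single permission: a legitimate SMS app needs READ_SMS and a screen-recorder may need SYSTEM_ALERT_WINDOW, but a file manager that wants both, plus an accessibility service, matches the overlay-and-OTP-theft profile the article describes. The `unexpected_for_reader` list is the quick answer to the user-facing advice later in the piece: compare what an app asks for against what its stated purpose needs.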
The researchers observed a surge in adware, Joker, Harly, and banking trojans while noting a decline in families such as Facestealer and Coper.
For users, the advice remains simple but critical: verify app permissions carefully (a document reader or file manager has no reason to read SMS or draw over other apps) and install only from trusted developers. For enterprises, proactive detection and monitoring are essential, because a dropper that fetches its payload only after installation passes the app store’s review with a clean manifest.