Pierluigi Paganini February 19, 2024

The Android banking trojan Anatsa resurged expanding its operation to new countries, including Slovakia, Slovenia, and Czechia.

In November 2023, researchers from ThreatFabric observed a resurgence of the Anatsa banking Trojan, aka TeaBot and Toddler. Between November and February, the experts observed five distinct waves of attacks, each focusing on different regions.

The malware previously focused its activities on the UK, Germany, and Spain, but the latest campaigns targeted Slovakia, Slovenia, and Czechia, which suggests a shift in its operational strategy.

The researchers classified Anatsa’s activity as “targeted,” threat actors were observed focusing on 3-5 regions at a time. According to ThreatFabric, the dropper applications were uploaded on Google Play in the targeted regions. The attackers noticed that the applications often reached the Top-3 in the “Top New Free” category, in an attempt to trick users into believing that the application was legitimate and downloaded by a large number of users.

“Throughout this campaign, Anatsa’s Modus Operandi has evolved, displaying more sophisticated tactics such as AccessibilityService abuse, a multi-staged infection process, and the ability to bypass Android 13’s restricted settings.” reads the report published by ThreatFabric.

The researchers pointed out that some of the droppers successfully exploited the accessibility service and bypassed Google Play’s enhanced detection and protection mechanisms.

The avoid detection, the droppers adopted a multi-staged methodology, dynamically retrieving configuration and malicious executable files from their C2 server.

“All droppers in this campaign have demonstrated the capability to bypass the restricted settings for accessibility service in Android 13.” continues the report.

The experts observed five droppers in the latest campaign with over 100,000 total installations.  

Anatsa was first detected by the Italian cybersecurity firm Cleafy in March 2021 while it was targeting banks in Spain, Germany, Italy, Belgium, and the Netherlands.

TeaBot supports common features of Android banking Trojan and like other similar malware families it abuses Accessibility Services. Below is a list of features implemented by the malware:

• Ability to perform Overlay Attacks against multiple bank applications to steal login
  credentials and credit card information
• Ability to send / intercept / hide SMS messages
• Enabling keylogging functionalities
• Ability to steal Google Authentication codes
• Ability to obtain full remote control of an Android device (via Accessibility Services and realtime screen-sharing)

The Anatsa banking Trojan allows operators to take over the infected devices and execute actions on a victim’s behalf.

“Effective detection and monitoring of malicious applications, along with observing unusual customer account behaviour, are crucial for identifying and investigating potential fraud cases linked to device-takeover mobile malware like Anatsa.” concludes the report.

Below a statement sent by Google spokesperson to Security Affairs:

“All of the apps identified in the report have been removed from Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.”

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Android banking malware)