Anatsa, a notorious Android banking trojan also known as TeaBot and Toddler, has expanded its reach to include Slovakia, Slovenia, and Czechia in a recent campaign observed in November 2023. This campaign involved five droppers with over 100,000 total installations.
Despite Google Play’s enhanced detection and protection mechanisms, some droppers in the campaign successfully exploited the accessibility service, allowing them to bypass restricted settings in Android 13. Anatsa is typically distributed through seemingly innocent apps on the Google Play Store, known as droppers, which facilitate the installation of the malware by circumventing Google’s security measures.
In a previous campaign disclosed in June 2023, Anatsa targeted banking customers in the U.S., the U.K., Germany, Austria, and Switzerland, using dropper apps collectively downloaded over 30,000 times from the Play Store. The trojan is capable of gaining full control over infected devices, executing actions on behalf of victims, and stealing credentials for fraudulent transactions.
The latest campaign observed in November 2023 featured a dropper disguised as a phone cleaner app named “Phone Cleaner – File Explorer.” Although this app is no longer available for download on the Google Play Store, it can still be obtained from third-party sources. The dropper initially appeared harmless but was later updated to execute malicious actions, such as automatically clicking buttons, once it received a configuration from the command-and-control server.
Notably, the dropper’s abuse of the accessibility service is tailored to Samsung devices, suggesting it was designed to target these devices specifically. However, other droppers used in the campaign have been found to target devices from other manufacturers as well.
The droppers employ a multi-staged approach to avoid detection, dynamically downloading configuration and APK payloads from the command-and-control server. This targeted approach enables threat actors to concentrate on a limited number of financial organizations, leading to a high number of fraud cases in a short period.
To defend against the Anatsa trojan, avoid downloading apps from unofficial sources and regularly update your device’s operating system and applications. Enable Google Play Protect to scan for potentially harmful apps on your device. Be vigilant when granting permissions to apps and stay informed about the latest security threats and best practices.