An Android banking trojan has been identified on the Google Play Store, masquerading as a common document reader application. The app, which has been downloaded more than 100,000 times, poses a substantial risk to Android users, threatening both financial security and personal data.
The Rise of Anatsa Trojan
The malware, recognized as Anatsa or TeaBot, first emerged in 2020. It has since developed into a sophisticated threat, notorious for its ability to steal banking credentials, log keystrokes, and perform unauthorized transactions, all without alerting the victim. The latest version broadens its scope to target over 831 financial institutions worldwide, including banks, investment firms, and cryptocurrency platforms.
Research Findings and App Disguise
Research conducted by Zscaler ThreatLabz, presented in a report to Cyber Security News, pinpointed the malicious app as a dropper camouflaged as a file manager and document reader. The application initially appears benign but secretly downloads the Anatsa payload from a remote server, bypassing Google’s security checks in the process.
The app cleverly conceals its true nature. When active, it operates as a legitimate file manager if it detects an analysis environment or cannot connect to its command-and-control server, making early detection challenging for users and security professionals alike.
Technical Concealment and User Exploitation
Once Anatsa is fully operational, it requests accessibility permissions from the user. With those permissions granted, it quietly extends its own access, allowing it to read SMS messages, display alerts over other apps, and run in full-screen mode. This access lets the malware monitor user activity silently.
The malicious app, listed under the package name com.westhorizont.appsforge.filehorizon_explorereaddocuments, connects to a remote server to download the trojan payload disguised as an app update. It employs advanced techniques like runtime string decryption to evade detection by static analysis tools.
Anatsa’s strategy involves overlaying fake login screens on top of legitimate financial apps, tricking users into disclosing their credentials. The trojan also includes a keylogger to capture user input, encrypting its communications to prevent detection by network monitors.
Protection and Precautionary Measures
To mitigate risks, Android users should scrutinize app permissions, especially if a document reader requests access to SMS or accessibility settings. It is advisable to download apps from verified developers, check recent user reviews, and keep Google Play Protect enabled to stay safe.
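The permission check described above can be automated for analysts triaging apps. The following Python script is an added example, not code from the report or the article: it parses an AndroidManifest.xml and flags the SMS, overlay, package-install and accessibility-service permissions that a document reader has no reason to request. The manifest and package name below are constructed samples.

```python
"""Triage an Android manifest for permissions a document reader should never need."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
READ_SMS = "android.permission.READ_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions that match the dropper / banking-trojan pattern described in the article.
RED_FLAGS = {
    READ_SMS: "reads SMS (one-time passcode theft)",
    RECEIVE_SMS: "intercepts incoming SMS",
    OVERLAY: "draws over other apps (fake login overlays)",
    INSTALL: "can install a downloaded payload (dropper behaviour)",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return package name, human-readable findings and a verdict: clean, medium or high."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    findings = [RED_FLAGS[p] for p in sorted(requested) if p in RED_FLAGS]
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    has_accessibility = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY for svc in root.iter("service")
    )
    if has_accessibility:
        findings.append("declares an accessibility service (keylogging, self-granting permissions)")
    sms_and_overlay = bool(requested & {READ_SMS, RECEIVE_SMS}) and OVERLAY in requested
    if has_accessibility or sms_and_overlay:
        verdict = "high"        # overlay phishing plus SMS/accessibility = banking trojan profile
    elif findings:
        verdict = "medium"
    else:
        verdict = "clean"
    return {"package": package, "findings": findings, "verdict": verdict}


# Constructed sample: a "document reader" manifest with the permission set the article warns about.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.docreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".ReaderService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```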
Indicators of compromise, including MD5 hashes and URLs associated with the Anatsa trojan, accompany the research. Users are encouraged to remain vigilant and to use trusted threat intelligence platforms for further analysis.
