Researchers at Zscaler have identified over 90 malicious Android apps on the Google Play store [4] [5], with the TeaBot Android malware [2], also known as Anatsa [1] [3] [6], being a sophisticated banking Trojan targeting global financial applications [3].


These apps act as decoys and spread the Anatsa malware, which uses overlay and accessibility techniques to steal sensitive banking credentials and financial information [4]. The malware employs dropper applications like PDF and QR code readers to deceive users into installing the malicious payload [3]. Anatsa evades Google Play’s malware detection by downloading malicious code disguised as innocuous updates from a command-and-control server. Once installed, the malware scans for banking apps on the device [5], communicates with the C2 server [2] [4], and retrieves a list of targeted financial apps for code injections [4]. It then provides fake login pages for these apps to steal user credentials [4]. Anatsa primarily targets over 650 financial institutions primarily in Europe [2] [3], with recent expansions to the US [2], UK [2] [4] [5] [6], Germany [2] [5], Spain [2] [5], Finland [2] [5], South Korea [2] [3] [4] [5], and Singapore [2] [3] [4] [5]. The threat actors behind Anatsa use various evasion techniques to avoid detection [3], including checking for virtual environments and purposely corrupting APK ZIP headers [3]. The malware conceals its final payload within asset files [2], decrypts DEX files using static keys [2], and communicates with C2 servers to steal data from financial applications [2]. Advanced evasion techniques [3] [7], such as dynamic code loading and encrypted command-and-control communications [7], are utilized by the malware [7]. The TeaBot malware [6], also known as Anatsa banking Trojan [6], has been found in over 90 malicious Android apps on the Google Play store [5], with over 5.5 million downloads [4] [6]. These apps initially appear harmless but deliver a second-stage payload containing malicious code once installed [6]. Anatsa targets banking apps [6], communicating with a command-and-control server to steal login details and money [6]. While primarily affecting UK financial institutions [6], victims have been reported in other countries as well [6].


Zscaler researchers have likely alerted Google to take action [6], emphasizing the importance of downloading apps from trusted sources [6]. The impact of the TeaBot Android malware, also known as Anatsa [1] [3] [6], on global financial applications is significant [4], with over 90 malicious apps identified on the Google Play store. Mitigating the threat posed by this sophisticated banking Trojan requires increased awareness and vigilance among users and app store platforms. Future implications include the need for enhanced security measures and collaboration among cybersecurity experts to combat evolving threats in the mobile app ecosystem.