Zscaler Blog
Android Document Readers and Deception: Tracking the Latest Updates to Anatsa
Introduction
The Zscaler ThreatLabz team continually monitors and analyzes malicious applications distributed by threat actors via the Google Play Store. Last year, ThreatLabz reported on Anatsa malware (a.k.a. TeaBot) that attacks Android devices and targets financial applications. Anatsa, first discovered in 2020, is capable of stealing credentials, monitoring keystrokes, and facilitating fraudulent transactions.
In this blog post, ThreatLabz dives into Anatsa’s latest malware developments and provides insights into overall malware distribution trends in the Google Play Store.
Key Takeaways
- Anatsa malware first emerged in 2020 as an Android banking trojan capable of credential theft, keylogging, and enabling fraudulent transactions.
- The latest variant of Anatsa targets over 831 financial institutions worldwide, adding new countries like Germany and South Korea, as well as cryptocurrency platforms.
- Anatsa streamlined payload delivery by replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the Anatsa payload.
- Anatsa implemented Data Encryption Standard (DES) runtime decryption and device-specific payload restrictions.
- Many of the decoy Anatsa applications have individually exceeded 50,000 downloads.
- Alongside Anatsa, ThreatLabz identified and reported 77 malicious apps from various malware families to Google, collectively accounting for over 19 million installs.
Overview
Anatsa is a well-documented Android banking malware known for targeting users of financial applications. While previous Anatsa campaigns targeted over 650 financial institutions in regions including Europe, the US, and the UK, the latest campaigns have significantly expanded this scope to more than 831 financial institutions globally. This includes more than 150 new banking and cryptocurrency applications.
Anatsa uses a dropper technique, where the threat actors use a decoy application in the official Google Play Store that appears benign upon installation. Once installed, Anatsa silently downloads a malicious payload disguised as an update from its command-and-control (C2) server. This approach allows Anatsa to bypass Google Play Store detection mechanisms and successfully infect devices.
The figure below shows an example Anatsa decoy application masquerading as a document reader:

Figure 1: Example of an Anatsa decoy application in the Google Play Store.
Technical Analysis
Unlike in previous campaigns, the latest Anatsa campaigns implement various anti-analysis techniques. The parent installer now decrypts each string at runtime using a dynamically generated Data Encryption Standard (DES) key, making it more resistant to static analysis tools. Furthermore, Anatsa has enhanced its evasion strategies by performing emulation checks and verifying device models to bypass dynamic analysis environments.
After confirming that the C2 server is active and the device meets the necessary criteria, the installer proceeds to download Anatsa as an update. If these conditions are not met, the application displays a file manager view to the user, maintaining the appearance of a legitimate application, as shown in the figure below.

Figure 2: Example behavior of the Anatsa installer depending on the result of anti-analysis checks.
To evade detection across infected systems, the application package name and installation hash are periodically altered.
The core payload has been updated to incorporate a new keylogger variant of Anatsa. Additionally, the malware utilizes a well-known Android APK ZIP obfuscator for enhanced evasion. The DEX payload is concealed within a JSON file, which is dynamically dropped at runtime and promptly deleted after being loaded.
The APK uses a corrupted archive to hide a DEX file, which is deployed during runtime. This archive has invalid compression and encryption flags, making it hard for static analysis tools to detect. Since these tools depend on standard ZIP header checks in Java libraries, they fail to process the application. Despite this, the application will run on standard Android devices.
The figure below shows a malformed archive used by Anatsa to evade analysis.

Figure 3: Example headers of a malformed archive used by Anatsa to evade analysis.
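To illustrate the header tampering described above, here is an added Python example (not Zscaler's code and not taken from an Anatsa sample): it builds a constructed APK-like archive, patches one entry's local and central-directory headers with an invalid compression method and the encryption flag bit, and then walks the central directory by hand to report exactly the fields that make a standard ZIP library refuse the file. The entry name, method value and flag value are assumptions for the demo.

```python
import io
import struct
import zipfile

def build_sample_apk() -> bytes:  # constructed sample: APK-like archive with a fake DEX entry
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
    return buf.getvalue()

def corrupt_headers(apk: bytes, target: str, method: int = 0x63, flags: int = 0x0001) -> bytes:
    """Give `target` a bogus method and the encryption bit in both of its headers (assumed values)."""
    data = bytearray(apk)
    count, _, pos = struct.unpack_from("<HII", data, data.rfind(b"PK\x05\x06") + 10)
    for _ in range(count):
        nlen, xlen, clen, _, _, _, lh_off = struct.unpack_from("<HHHHHII", data, pos + 28)
        if data[pos + 46:pos + 46 + nlen] == target.encode():
            struct.pack_into("<HH", data, pos + 8, flags, method)     # central directory entry
            struct.pack_into("<HH", data, lh_off + 6, flags, method)  # local file header
        pos += 46 + nlen + xlen + clen
    return bytes(data)

def audit_zip_headers(apk: bytes) -> list:
    """Walk the central directory without zipfile and report header values standard readers reject."""
    findings, eocd = [], apk.rfind(b"PK\x05\x06")
    if eocd < 0:
        return ["no end-of-central-directory record"]
    count, _, pos = struct.unpack_from("<HII", apk, eocd + 10)
    for _ in range(count):
        cflags, cmethod = struct.unpack_from("<HH", apk, pos + 8)
        nlen, xlen, clen, _, _, _, lh_off = struct.unpack_from("<HHHHHII", apk, pos + 28)
        name = apk[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        lflags, lmethod = struct.unpack_from("<HH", apk, lh_off + 6)  # local file header fields
        for where, fl, me in (("central", cflags, cmethod), ("local", lflags, lmethod)):
            if fl & 0x0001:
                findings.append(f"{name}: encryption flag set in {where} header")
            if me not in (0, 8):  # APKs only legitimately use stored (0) or deflate (8)
                findings.append(f"{name}: unsupported compression method {me:#x} in {where} header")
        if (cflags, cmethod) != (lflags, lmethod):
            findings.append(f"{name}: local/central header mismatch")
        pos += 46 + nlen + xlen + clen
    return findings

def standard_parser_fails(apk: bytes) -> bool:  # True when Python's zipfile refuses to read the DEX
    try:
        with zipfile.ZipFile(io.BytesIO(apk)) as zf:
            zf.read("classes.dex")
        return False
    except (zipfile.BadZipFile, NotImplementedError, RuntimeError, ValueError):
        return True
```

Running the audit on the tampered archive lists the encryption bit and the unknown method for both headers of classes.dex, while the untouched manifest entry produces no findings.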
Once installed, Anatsa requests accessibility permissions from the user. If granted, the malware automatically enables all the permissions specified in its manifest file, which include the following:
- SYSTEM_ALERT_WINDOW
- READ_SMS
- RECEIVE_SMS
- USE_FULL_SCREEN_INTENT
Anatsa connects to the server to request specific commands and encrypts C2 communication using a single-byte XOR key (66 in decimal). The following JSON structure is an example of Anatsa’s configuration data.
{
"hide_sms": null,
"gauth_confirm": null,
"lock_device": null,
"extensive_logging": null,
"injects_version": 254,
"keyloggers_version": 403,
"commands": null,
"installed_apps_count": 37,
"domains": [
"http://185.215.113.108:85/api/",
"http://193.24.123.18:85/api/",
"http://162.252.173.37:85/api/"
],
"active_injects": null
}
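As an added example (not Zscaler's or Anatsa's own code), the following Python decodes a constructed Anatsa-style configuration reply with the single-byte XOR key reported above, recovers the key by exhaustive search when it is not known, and pulls out the C2 domain list for blocklisting. The sample reply and the `encode_config` helper are constructed here for the demo.

```python
import json
from typing import Optional

XOR_KEY = 66  # single-byte key the post reports for Anatsa C2 traffic

# Constructed sample of an Anatsa-style configuration reply (not a real capture).
SAMPLE_CONFIG = {
    "injects_version": 254,
    "keyloggers_version": 403,
    "installed_apps_count": 37,
    "domains": ["http://185.215.113.108:85/api/", "http://193.24.123.18:85/api/"],
    "active_injects": None,
}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def encode_config(cfg: dict, key: int = XOR_KEY) -> bytes:
    """Wire form: the JSON text XORed with one byte (XOR is symmetric, so this also decodes)."""
    return xor_bytes(json.dumps(cfg).encode("utf-8"), key)

def recover_key(blob: bytes) -> Optional[int]:
    """Try every single-byte key and keep the one that yields a JSON object.
    Useful in triage if a later sample rotates the key away from 66."""
    for key in range(256):
        try:
            obj = json.loads(xor_bytes(blob, key).decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if isinstance(obj, dict):
            return key
    return None

def decode_config(blob: bytes, key: Optional[int] = None) -> dict:
    """Decode a captured reply; falls back to key recovery when no key is given."""
    if key is None:
        key = recover_key(blob)
        if key is None:
            raise ValueError("no single-byte XOR key yields a JSON object")
    return json.loads(xor_bytes(blob, key).decode("utf-8"))

def c2_domains(blob: bytes) -> list:
    """Pull the C2 domain list out of a decoded configuration for blocklisting."""
    return decode_config(blob).get("domains") or []
```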
Anatsa primarily exfiltrates credentials by displaying fake banking login pages, which are downloaded from its C2 server. These pages are tailored based on the financial institution applications detected on the user's device.
The list of financial institutions and corresponding injection pages targeted by Anatsa appears to be a work in progress and continues to evolve. Of the 831 applications targeted for keylogging, many injection pages were incomplete or unavailable at the time of analysis. For example, the injection content served for the Robinhood application at the time of analysis is shown below:
{
"application": "com.robinhood.android",
"html": "Scheduled maintenance We're working on enhancements and will have things back up and running soon. Thanks for your patience.",
"inj_type": "bank"
}
Google Play Store Trends
Alongside Anatsa, ThreatLabz identified and reported 77 malicious apps from various malware families to Google, collectively accounting for over 19 million installs. The following graph highlights the application categories most exploited by threat actors to distribute malware through the Google Play Store.

Figure 4: A breakdown of the most common malicious Android application types in the Google Play Store discovered by ThreatLabz.
The graph below illustrates the malware families detected by ThreatLabz in the Google Play Store.

Figure 5: A breakdown of the most frequently observed malware families in the Google Play Store.
ThreatLabz identified a sharp rise in adware applications on the Google Play Store alongside malware, such as Joker, Harly, and banking trojans like Anatsa. Conversely, there has been a noticeable decline in malware families such as Facestealer and Coper.
Conclusion
Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection. The malware has also added support for more than 150 new financial applications to target. Our research demonstrates the techniques that Anatsa and other Android malware families leverage for distribution through the official Google Play Store. Android users should always verify the permissions that applications request, and ensure that they align with the intended functionality of the application.
Zscaler Coverage
Zscaler’s multilayered cloud security platform detects indicators related to Anatsa at various levels with the following threat names:
- Android.Banker.Anatsa
- AND/Agent5.AE
- AndroidOS/Agent.BOI
Indicators Of Compromise (IOCs)
| Package Name | MD5 | Command-and-control (C2) |
|---|---|---|
| com.synexa.fileops.fileedge_organizerviewer | 5f85261cf55ed10e73c9b68128092e70 | hxxps[://]saurkanot[.]com/policy[.]html, hxxps[://]saurkanot[.]com/privacy[.]html |
| com.trend.bid | 9b6e5703bb0dc0ce8aa98281d0821642 | hxxp[://]185[.]215[.]113[.]108:85/api/, hxxp[://]193[.]24[.]123[.]18:85/api/, hxxp[://]162[.]252[.]173[.]37:85/api/ |
| com.applicationsresearchgroup.docxploremanagerviewer | a4973b21e77726a88aca1b57af70cc0a | hxxps[://]docsresearchgroup[.]com/ |
| com.mvivhzsmq.gqrzqsubj | ed8ea4dc43da437f81bef8d5dc688bdb | hxxp[://]37[.]235[.]54[.]59/, hxxp[://]91[.]215[.]85[.]55:85, hxxp[://]185[.]215[.]113[.]108:85 |