    Anatsa Banking Trojan Found in PDF and QR Code Reader Apps on Google Play Store

    May 28, 2024

    Researchers have observed a significant increase in attempts to spread the Anatsa Banking Trojan under the veil of legitimate-looking PDF and QR code reader apps on the Google Play store.

    Also known as TeaBot, the malware employs dropper applications that appear harmless to users, deceiving them into unwittingly installing the malicious payload, said researchers at cybersecurity firm Zscaler.

    Once installed, Anatsa extracts sensitive banking credentials and financial information from various global financial applications. It achieves this through overlay and accessibility techniques, allowing it to discreetly intercept and collect data.

    Distribution and Impact of Anatsa Banking Trojan

    Two malicious payloads linked to Anatsa were found in the Google Play store, distributed by threat actors. The campaign impersonated PDF reader and QR code reader applications to attract numerous installations. The high number of installations, which had surpassed 70,000 at the time of analysis, further convinced victims of the applications’ legitimacy.

    Anatsa employs remote payloads retrieved from Command and Control (C&C) servers to perform additional malicious activities. The dropper application contains encoded links to remote servers, from which the subsequent stage payload is downloaded. Along with the payload, the malware fetches a configuration file from the remote server to execute the next stage of the attack.

    Anatsa Infection Steps

    The Anatsa banking trojan works by employing a dropper application and executing a payload to launch its malicious activities.

    Dropper Application:

    The fake QR code application downloads and loads the DEX file.
    The application uses reflection to invoke code from the loaded DEX file.
    Configuration for loading the DEX file is downloaded from the C&C server.

    Payload Execution:

    After downloading the next stage payload, Anatsa performs checks on the device environment to detect analysis environments and malware sandboxes.
    Upon successful verification, it downloads the third and final stage payload from the remote server.

    Malicious Activities:

    The malware injects uncompressed raw manifest data into the APK, deliberately corrupting the compression parameters in the manifest file to hinder analysis.
    Upon execution, the malware decodes all encoded strings, including those for C&C communication.
    It connects with the C&C server to register the infected device and retrieve a list of targeted applications for code injections.

    Data Theft:

    After receiving a list of package names for financial applications, Anatsa scans the device for these applications.
    If a targeted application is found, Anatsa communicates this to the C&C server.
    The C&C server then supplies a counterfeit login page for the banking operation.
This fake login page, displayed inside a WebView with a JavaScript Interface (JSI) enabled, tricks users into entering their banking credentials, which are then transmitted back to the C&C server.
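As an added triage example (not code from Zscaler, Cyble or this article), the check below targets the manifest trick described in the Malicious Activities step: it walks an APK's zip central directory by hand, rather than through a zip library that may refuse or silently repair the file, and flags an AndroidManifest.xml entry whose compression parameters are inconsistent. The sample APK and its tampered variant are constructed in memory; the field names and finding strings are this example's own.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CEN_SIG = b"PK\x01\x02"
VALID_METHODS = {0, 8}  # genuine APK entries are either stored (0) or deflated (8)

def central_entries(data):
    """Walk the zip central directory by hand and return one dict per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    entries, pos = [], cd_offset
    while pos < cd_offset + cd_size and data[pos:pos + 4] == CEN_SIG:
        # skip flags, read method, skip time/date/crc, then sizes and length fields
        method, csize, usize, nlen, elen, clen = struct.unpack_from("<2xH8xIIHHH", data, pos + 8)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        # the local file header repeats the compression method at its offset 8
        local_method = struct.unpack_from("<H", data, local_off + 8)[0]
        entries.append({"name": name, "cd_pos": pos, "method": method,
                        "local_method": local_method, "csize": csize, "usize": usize})
        pos += 46 + nlen + elen + clen
    return entries

def manifest_findings(data):
    """Describe every inconsistency in the AndroidManifest.xml entry's compression fields."""
    findings = []
    for e in central_entries(data):
        if e["name"] != "AndroidManifest.xml":
            continue
        if e["method"] not in VALID_METHODS:
            findings.append(f"unknown compression method {e['method']}")
        if e["method"] == 0 and e["csize"] != e["usize"]:
            findings.append("stored entry but compressed size != uncompressed size")
        if e["method"] != e["local_method"]:
            findings.append("central directory method differs from local header")
    return findings

def build_sample_apk(corrupt=False):
    """Constructed test input: a tiny APK-shaped zip; corrupt=True tampers with the manifest entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest>" + b"<uses-permission/>" * 40 + b"</manifest>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)  # placeholder, not a real DEX
    data = bytearray(buf.getvalue())
    if corrupt:
        entry = next(e for e in central_entries(bytes(data)) if e["name"] == "AndroidManifest.xml")
        struct.pack_into("<H", data, entry["cd_pos"] + 10, 0)  # claim "stored" for deflated bytes
    return bytes(data)
```

A clean build yields no findings, while the tampered build reports both the size mismatch and the disagreement between the central directory and the local header.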

    Anatsa Banking Trojan Attack Chain (Source: Zscaler)

    The Anatsa banking trojan is increasing in prevalence and infiltrates the Google Play store disguised as benign applications. Using advanced techniques such as overlay and accessibility, it stealthily exfiltrates sensitive banking credentials and financial data. By injecting malicious payloads and employing deceptive login pages, Anatsa poses a significant threat to mobile banking security.

    Best Practices to Stop the Anatsa Trojan

    To protect against such threats, Cyble’s Research and Intelligence Labs suggests following essential cybersecurity best practices:

    Install Software from Official Sources: Only download software from official app stores like the Google Play Store or the iOS App Store.
    Use Reputable Security Software: Ensure devices, including PCs, laptops, and mobile devices, use reputable antivirus and internet security software.
    Strong Passwords and Multi-Factor Authentication: Use strong passwords and enable multi-factor authentication whenever possible.
    Be Cautious with Links: Be careful when opening links received via SMS or emails.
    Enable Google Play Protect: Always have Google Play Protect enabled on Android devices.
    Monitor App Permissions: Be wary of permissions granted to applications.
    Regular Updates: Keep devices, operating systems, and applications up to date.

    By adhering to these practices, users can establish a robust first line of defense against malware and other cyber threats, Cyble researchers said.

    Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.