Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

A sophisticated Android banking trojan campaign that used a malicious file manager application accumulated over 220,000 downloads on the Google Play Store before its removal. According to a Zscaler ThreatLabz post shared on X, the malicious app, disguised as a “File Manager and Document Reader,” functioned as a dropper: a seemingly benign application that retrieves and installs additional payloads from remote servers. Dubbed Anatsa (also known as TeaBot), the malware targets global financial institutions through a multi-stage infection process; the dropper fetched it as an app update hosted on GitHub repositories, and that update contained the Anatsa banking trojan.

Once installed, the malware performs anti-emulation checks to detect sandboxed environments, delaying malicious activity until it confirms it is running on a genuine device. It then establishes communication with command-and-control (C2) servers, transmitting device metadata and receiving targeted banking app profiles. For each detected financial app (e.g., PayPal, HSBC, Santander), Anatsa injects a counterfeit login overlay, capturing credentials directly from unsuspecting users, and it abuses Android accessibility services to steal credentials and execute unauthorized transactions. Its target list encompasses over 600 banking and cryptocurrency apps, enabling the threat actors to conduct on-device fraud (ODF) by initiating unauthorized transfers through an automated transfer system (ATS).

While Google has removed the identified dropper, similar threats remain prevalent, often posing as file managers and utility apps to evade suspicion. For end users, vigilance and adherence to basic security hygiene remain critical defenses against evolving mobile threats.
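As an added illustration of the indicators a defender would look for in an app like the dropper described above (this is example triage code written for this article, not Zscaler's analysis tooling and not code from the malware), the following Python script parses a decoded AndroidManifest.xml and flags capabilities that match the reported behaviours: installing downloaded packages, drawing overlays over other apps, enumerating installed apps to match a target list, and binding an accessibility service. The manifest, package name and service name are constructed for the example, and the indicator-to-reason mapping is a general assumption rather than per-sample data from the report.

```python
"""Static triage of a decoded AndroidManifest.xml for dropper/banker indicators.

Example code added to this article; not Zscaler's tooling and not code from the
malware. The manifest, package name and service name below are constructed.
"""
import xml.etree.ElementTree as ET

# Attribute namespace that android:name, android:permission etc. resolve to.
ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capability -> why it matters for an Anatsa-style dropper/banker.
# General mapping assumed for the example, not per-sample data from the report.
PERMISSION_INDICATORS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install a downloaded payload (dropper behaviour)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps (fake login overlays)",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed apps to match a target list",
    "android.permission.READ_SMS": "can read SMS, e.g. one-time passcodes",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest resembling a "file manager" that carries banker capabilities.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filemanager.reader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="File Manager and Document Reader">
        <activity android:name=".MainActivity"/>
        <service android:name=".HelperService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
            android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return declared capabilities plus a list of (indicator, reason) findings."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(ANDROID + "name") for el in root.iter("uses-permission")}
    findings = [(p, why) for p, why in PERMISSION_INDICATORS.items() if p in permissions]

    # An AccessibilityService is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # once the user enables it, the app can read screen content and inject input.
    accessibility_services = [
        svc.get(ANDROID + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID + "permission") == ACCESSIBILITY_BIND
    ]
    if accessibility_services:
        findings.append(("accessibility_service",
                         "declares an AccessibilityService: can read screen content and inject taps/keystrokes"))

    score = len(findings)  # plain count; tune the threshold for your own triage queue
    return {
        "package": root.get("package", ""),
        "permissions": sorted(p for p in permissions if p),
        "accessibility_services": accessibility_services,
        "findings": findings,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "no strong indicators",
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["package"], result["verdict"], f"score={result['score']}")
    for indicator, why in result["findings"]:
        print(f"  {indicator}: {why}")
```

A decoded manifest can be produced with `apktool d app.apk` and the function pointed at the `AndroidManifest.xml` in the output directory. A hit is a reason to look closer, not proof of malice: legitimate file managers do declare REQUEST_INSTALL_PACKAGES, and assistive apps legitimately bind an AccessibilityService, so the score is a triage aid that should be combined with dynamic analysis of what the app downloads after install.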
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 06 Mar 2025 07:55:13 +0000