Sunday, April 13, 2025

Malicious Android App on Google Play Compromises 220,000+ Devices
Security researchers at ThreatLabz recently uncovered a sophisticated malware campaign operating through the Google Play Store, leveraging a seemingly benign application to distribute the Anatsa banking trojan (also known as TeaBot).

The malicious app, disguised as a file manager and document reader, accumulated over 220,000 downloads before its removal, marking one of the most significant Android-based threats identified in 2025.

Discovery and Deployment of the Malicious Application

ThreatLabz detected the fraudulent application during routine analysis of Google Play offerings.

The app presented itself as a functional file management tool, complete with document preview capabilities and cloud storage integration.

This legitimate facade allowed it to bypass automated security checks during the initial vetting process.

Upon installation, the app executed a multi-stage payload retrieval process. Users were prompted to grant accessibility permissions under the guise of enhancing functionality.

Once authorized, the application connected to a command-and-control server to download the Anatsa payload, effectively transforming infected devices into vectors for financial fraud.

Technical Analysis of the Anatsa Banking Trojan

Anatsa operates through a combination of overlay attacks and credential harvesting. When users launch banking applications, the trojan superimposes fake login screens identical to legitimate interfaces.

Captured credentials are then transmitted to attacker-controlled servers.

ThreatLabz analysis confirms Anatsa targets financial institutions across North America, Europe, and Asia, with particular focus on mobile banking platforms.

The malware incorporates advanced evasion techniques, including delayed payload activation and encrypted communication channels.

Post-infection, it establishes persistence through repeated checks for accessibility service permissions and disguises its presence using generic system application icons.

Geographic Distribution and Target Demographics

While the complete geographic distribution remains under investigation, initial telemetry data suggests concentrated infection rates in regions with high mobile banking adoption.

The application’s multilingual interface—supporting English, Spanish, German, and French—indicates a broad targeting strategy aimed at global users.

Google removed the application from the Play Store within 48 hours of ThreatLabz’s disclosure.

However, the prolonged presence of the malicious app (estimated at 8 weeks before detection) raises concerns about gaps in automated screening processes.

Google has initiated a mass uninstallation campaign for affected devices, though manual removal remains necessary for users who disabled automatic updates.

Security professionals advise affected users to:

  1. Perform factory resets to eliminate residual malware components
  2. Monitor financial accounts for unauthorized transactions
  3. Enable Google Play Protect with real-time scanning
  4. Avoid granting accessibility permissions to unfamiliar applications

Organizations should consider implementing mobile threat defense solutions capable of detecting overlay attacks and anomalous network traffic patterns.
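Item 4 of the advice above and the organizational recommendation both come down to knowing which apps hold the accessibility service, the permission the dropper requested before fetching Anatsa. The script below is an added example, not code from the article or from ThreatLabz: it audits the Android `enabled_accessibility_services` setting against an allowlist (the TalkBack component name is assumed to be the only legitimate entry) and reads the live value with the standard `adb shell settings get secure` command when a device is attached; the sample value is constructed.

```sh
#!/bin/sh
# Added example (not from the article): flag apps that hold the Android
# accessibility service, the permission abused for overlays and persistence.

# Allowlist of expected services. Assumption: only TalkBack is legitimate here.
ALLOWED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Print each service in a colon-separated enabled_accessibility_services value
# that is not on the allowlist. Returns 0 when nothing unexpected is enabled.
#   $1: value of Settings.Secure enabled_accessibility_services
#   $2: allowlist, colon-separated (defaults to $ALLOWED)
flag_unexpected_services() {
    enabled="$1"
    allowed="${2:-$ALLOWED}"
    # A device with no accessibility services enabled reports "" or "null".
    if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
        return 0
    fi
    found=0
    old_ifs="$IFS"
    IFS=':'
    for svc in $enabled; do
        case ":$allowed:" in
            *":$svc:"*) ;;                 # expected service, ignore it
            *) echo "$svc"; found=1 ;;     # not on the allowlist, report it
        esac
    done
    IFS="$old_ifs"
    return $found
}

# Read the live value from an attached device. `settings get secure
# enabled_accessibility_services` is a standard Android shell command.
audit_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found in PATH" >&2; return 2; }
    flag_unexpected_services "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}

# Constructed sample (not from a real device): TalkBack plus a "file reader"
# app that was granted the accessibility service, as the dropper in the article was.
SAMPLE="$ALLOWED:com.example.filereader/.DocumentAccessibilityService"

# Stand-alone run over the constructed sample; replace with audit_device for a real check.
if ! flag_unexpected_services "$SAMPLE"; then
    echo "unexpected accessibility service(s) enabled; review the apps listed above" >&2
fi
```

A hit is not proof of infection (screen readers and automation tools also use this service), but an unknown file manager or document reader holding it is exactly the pattern described in this article and warrants removal and a credential review.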

Ongoing investigations aim to identify the threat actors behind this campaign, with preliminary evidence suggesting ties to Eastern European cybercrime syndicates.

As mobile banking continues to expand, such attacks highlight the critical importance of user education and multi-layered security approaches in mitigating financial cyberthreats.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.