More than 800 financial organizations worldwide have been targeted by new campaigns using the latest iteration of the Anatsa Android banking trojan, also known as TeaBot, which is more covert and persistent than earlier versions, according to Cyber Security News.
The attackers used numerous apps, each with more than 50,000 installations, to deliver the new Anatsa variant directly, a report from Zscaler ThreatLabz researchers showed. Once installed, the updated Anatsa prompts the victim for accessibility permission and uses it to grant itself further system privileges automatically; the payload obfuscates its command-and-control traffic with a single-byte XOR key. To hinder static analysis, the malware decrypts its code and data at runtime with the Data Encryption Standard (DES); since the key ships with the app, this is obfuscation rather than real protection. It also sets invalid compression and encryption flags on the DEX file's entry inside the APK (a ZIP archive), which trips up analysis tools that expect well-formed archive headers. The development comes half a decade after Anatsa was first discovered.
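Two triage checks an analyst would want for the tricks named above, written as an added example that is not code from Zscaler, Cyber Security News or the malware: a strict parser of the APK's ZIP central directory and local headers that flags any entry with a compression method other than stored or deflate, or with the encryption bit set, and a brute-force recovery of a single-byte XOR key from a captured C2 message. The three-entry sample APK, the tampered header values (0x7FFF and the encryption bit), the C2 plaintext and the key 0x5A are all constructed here; the report does not state which flag values or key Anatsa uses, and the text-likeness heuristic used to pick the XOR key is an assumption about the traffic looking like JSON.

```python
"""Triage helpers for the two Anatsa tricks above (added example, constructed data)."""
import io
import string
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
LOCAL_SIG = b"PK\x03\x04"
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"   # central directory file header, 46 bytes
LOCAL_FMT = "<4sHHHHHIIIHH"        # local file header, 30 bytes
VALID_METHODS = {0, 8}             # stored / deflate: the only methods Android build tools emit
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0: traditional PKZIP encryption


def _cdir_entries(apk: bytes):
    """Yield (name, central_record_offset, unpacked_record) for every entry."""
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, pos = struct.unpack_from("<HII", apk, eocd + 10)
    for _ in range(count):
        rec = struct.unpack_from(CDIR_FMT, apk, pos)
        name_len, extra_len, comment_len = rec[10], rec[11], rec[12]
        name = apk[pos + 46 : pos + 46 + name_len].decode("utf-8", "replace")
        yield name, pos, rec
        pos += 46 + name_len + extra_len + comment_len


def find_suspicious_entries(apk: bytes):
    """Return [(entry, reason)] for entries whose central-directory or local header
    carries a compression method or flag no legitimate build emits. Both headers
    are checked because a packer may tamper with only one of them."""
    hits = []
    for name, _, rec in _cdir_entries(apk):
        local = struct.unpack_from(LOCAL_FMT, apk, rec[16])
        if local[0] != LOCAL_SIG:
            hits.append((name, "local header signature missing"))
            continue
        for where, flags, method in (("cdir", rec[3], rec[4]), ("local", local[2], local[3])):
            if method not in VALID_METHODS:
                hits.append((name, f"{where}: invalid compression method {method:#06x}"))
            if flags & FLAG_ENCRYPTED:
                hits.append((name, f"{where}: encryption flag set"))
    return hits


def build_sample_apk(tamper: bool) -> bytes:
    """Constructed APK-shaped ZIP. With tamper=True the classes.dex headers get the
    encryption flag and a bogus method 0x7FFF (assumed values, not Anatsa's)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>", zipfile.ZIP_DEFLATED)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64, zipfile.ZIP_STORED)
        zf.writestr("resources.arsc", b"\x02\x00\x0c\x00", zipfile.ZIP_STORED)
    apk = bytearray(buf.getvalue())
    if tamper:
        for name, cd_pos, rec in list(_cdir_entries(bytes(apk))):
            if name == "classes.dex":
                # flags+method sit at +8 in the central record and at +6 in the local header
                for off in (cd_pos + 8, rec[16] + 6):
                    struct.pack_into("<HH", apk, off, FLAG_ENCRYPTED, 0x7FFF)
    return bytes(apk)


# Bytes a JSON-ish C2 message is expected to consist of (assumed heuristic).
TEXT_ALPHABET = frozenset((string.ascii_letters + string.digits + ' {}[]":,._-/').encode())


def recover_xor_key(blob: bytes) -> tuple[int, bytes]:
    """Try all 256 single-byte keys; the one yielding the most text-like bytes wins."""
    best = max(range(256), key=lambda k: sum((b ^ k) in TEXT_ALPHABET for b in blob))
    return best, bytes(b ^ best for b in blob)


# Constructed C2 message encoded with an assumed key; not from a real capture.
C2_KEY = 0x5A
C2_PLAINTEXT = b'{"cmd":"inject","target":"com.example.bank"}'
C2_SAMPLE = bytes(b ^ C2_KEY for b in C2_PLAINTEXT)

if __name__ == "__main__":
    print(find_suspicious_entries(build_sample_apk(tamper=False)))
    print(find_suspicious_entries(build_sample_apk(tamper=True)))
    print(recover_xor_key(C2_SAMPLE))
```

The header check deliberately avoids `zipfile.ZipFile` for the inspection itself: that library, like many analysis tools, only fails when an entry is read, so a listing of the archive looks clean. Parsing the raw records and comparing the central directory against each local header catches the inconsistency up front and gives a concrete reason to escalate the sample.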
