The discovery of these malicious apps highlights the ongoing threat posed by Android malware and the need for users to remain vigilant when using mobile applications.
The latest variant of the Anatsa trojan no longer relies on dynamic code loading but directly installs its payload, making infections faster and harder to stop.
"Unlike in previous campaigns, the latest Anatsa campaigns implement various anti-analysis techniques," reads the report published by Zscaler. "The parent installer now decrypts each string at runtime using a dynamically generated Data Encryption Standard (DES) key, making it more resistant to static analysis tools."
"Anatsa continues to evolve and improve with anti-analysis techniques to better evade detection," concludes the report. "The malware has also added support for more than 150 new financial applications to target."
The malware is also capable of capturing banking credentials through fake login pages tailored to the apps it detects on the device, and requests accessibility permissions so it can auto-enable dangerous privileges. It then establishes XOR-encrypted communication with its command and control (C2) server.
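As an added illustration, not code from the Zscaler report or from the malware, the script below shows why XOR-encrypted C2 traffic of the kind described above is recoverable to an analyst: when part of the plaintext is predictable (JSON framing, for example), XORing it against the captured bytes exposes the repeating key. The message format, key bytes and field names are constructed assumptions, not observed Anatsa traffic.

```python
from itertools import cycle
from typing import Optional

# Constructed sample (not real Anatsa traffic): a fabricated JSON check-in
# message XOR-encrypted with a short repeating key, as an analyst might
# capture from a sandbox run of an infected device.
SAMPLE_KEY = b"\x5a\x13\xc7\x2e"
SAMPLE_PLAINTEXT = b'{"cmd":"checkin","dev":"android-13","apps":["bank1","bank2"]}'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def looks_like_text(data: bytes) -> bool:
    """Plausibility check for a candidate decryption: valid UTF-8 and printable."""
    try:
        return data.decode("utf-8").isprintable()
    except UnicodeDecodeError:
        return False


def recover_key(ciphertext: bytes, known_prefix: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Recover a repeating XOR key from a known-plaintext prefix.

    XORing the ciphertext with the bytes expected at the start (e.g. JSON
    framing) yields the key stream for that region. The shortest period that
    fits the stream and decrypts the whole message to plausible text is taken
    as the key. Keys longer than the known prefix cannot be recovered this way.
    """
    stream = xor_bytes(ciphertext[: len(known_prefix)], known_prefix)
    for key_len in range(1, min(max_key_len, len(stream)) + 1):
        if all(stream[i] == stream[i + key_len] for i in range(len(stream) - key_len)):
            candidate = stream[:key_len]
            if looks_like_text(xor_bytes(ciphertext, candidate)):
                return candidate
    return None


def decode_c2(ciphertext: bytes, known_prefix: bytes = b'{"cmd":"') -> Optional[str]:
    """Recover the key and return the decoded message, or None on failure."""
    key = recover_key(ciphertext, known_prefix)
    return xor_bytes(ciphertext, key).decode("utf-8") if key else None


if __name__ == "__main__":
    print(decode_c2(SAMPLE_CIPHERTEXT))
```

The same approach applies to traffic captured from a sandbox or proxy, provided some part of the protocol framing is known or guessable.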
"Our research demonstrates the techniques that Anatsa and other Android malware families leverage for distribution through the official Google Play Store," concludes the report. "Android users should always verify the permissions that applications request, and ensure that they align with the intended functionality of the application."