Cybersecurity firm ThreatFabric has identified malware campaigns delivering Anatsa (aka TeaBot), Alien, ERMAC and Hydra through dropper apps that are not only more refined than earlier ones but also engineered to keep a small malicious footprint on the Play Store. The droppers fetch their payload only after installation on devices in specific regions, and never while the app is going through the Play Store publishing process, so no malicious code is downloaded while Google is reviewing the app.

Since June 2021, ThreatFabric has found six Anatsa droppers on the Play Store. Each is programmed to download an "update" after installation and then asks the user to allow installs from unknown third-party sources and to grant it access to the Accessibility Service, which together let it sideload the banking trojan and then interact with the screen on the user's behalf.

Brunhilda, a threat actor first documented in July 2021 delivering the Vultur remote access trojan, used trojanized apps posing as QR code maker apps to distribute Hydra and ERMAC to users in the United States, a market the two malware families had not previously targeted.

Between August and November 2021, four different Android banking trojans were propagated through the official Google Play Store via multiple dropper apps posing as harmless utilities, resulting in more than 300,000 infections on devices that the malware could then fully control.

Once installed, these banking trojans can steal passwords and SMS-based two-factor authentication codes, log keystrokes, take screenshots and even drain victims' bank accounts without their knowledge, using a technique known as an Automatic Transfer System (ATS). The apps have since been removed from the Play Store.

The list of malicious dropper apps (matching the IOC tables further down) is below –

  • Two Factor Authenticator (com.flowdivison)
  • Protection Guard (com.protectionguard.app)
  • QR CreatorScanner (com.ready.qrscanner.mix)
  • Master Scanner Live (com.multifuction.combine.qr)
  • QR Scanner 2021 (com.qr.code.generate)
  • QR Scanner (com.qr.barqr.scangen)
  • PDF Document Scanner – Scan to PDF (com.xaviermuches.docscannerpro2)
  • PDF Document Scanner (com.docscanverifier.mobile)
  • PDF Document Scanner Free (com.doscanner.mobile)
  • CryptoTracker (cryptolistapp.app.com.cryptotracker)
  • Gym and Fitness Trainer (com.gym.trainer.jeux)

A fitness-training dropper app, dubbed GymDrop, was found delivering the Alien banking trojan by disguising the payload as a "new package of workout exercises"; its otherwise legitimate-looking developer website doubles as the C2 server from which the dropper fetches the configuration needed to download the malware.

Finally, the researchers concluded: "To make themselves even more difficult to identify, the actors behind these dropper programmes only manually start the installation of the banking trojan on an infected device if they want more victims in a specific region of the world. This makes automated detection a considerably more difficult method for any firm to adopt."

Indicators Of Compromise

Brunhilda Dropper Samples

App name                  Package name                 SHA-256
Two Factor Authenticator  com.flowdivison              a3bd136f14cc38d6647020b2632bc35f21fc643c0d3741caaf92f48df0fc6997
Protection Guard          com.protectionguard.app      d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a
QR CreatorScanner         com.ready.qrscanner.mix      ed537f8686824595cb3ae45f0e659437b3ae96c0a04203482d80a3e51dd915ab
Master Scanner Live       com.multifuction.combine.qr  7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4

Brunhilda Dropper C2 URL

URL
hxxps://protectionguardapp[.]club
hxxps://readyqrscanner[.]club
hxxps://flowdivison[.]club
hxxps://multifuctionscanner[.]club

Anatsa Dropper Samples

App name                            Package name                         SHA-256
QR Scanner 2021                     com.qr.code.generate                 2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb
QR Scanner                          com.qr.barqr.scangen                 d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4
PDF Document Scanner – Scan to PDF  com.xaviermuches.docscannerpro2      2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5
PDF Document Scanner                com.docscanverifier.mobile           974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544
PDF Document Scanner Free           com.doscanner.mobile                 16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d
CryptoTracker                       cryptolistapp.app.com.cryptotracker  1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c

Anatsa Dropper C2 URL

URL
hxxp://195.201.70.88/api/update
hxxp://178.63.27.179/api/update
hxxp://91.242.229.85/api/update
hxxp://195.201.70.89/api/update

Gymdrop Dropper Samples

App name                 Package name          SHA-256
Gym and Fitness Trainer  com.gym.trainer.jeux  30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b
Gym and Fitness Trainer  com.gym.trainer.jeux  b3c408eafe73cad0bb989135169a8314aae656357501683678eff9be9bcc618f

Gymdrop Dropper C2 URL

URL
hxxps://onlinefitnessanalysis[.]com/

Malware Samples dropped

Malware family  App name                  Package name        SHA-256
Alien.A         Master Scanner Live       leaf.leave.exchang  74407e40e1c01e73087442bcdf3a0802121c4263ab67122674d9d09b3edf856e
Alien.A         Gym and Fitness Trainer   gesture.enlist.say  e8cbcc34af3bd352767b7a9270dd684a50da2e68976a3712675526a7398550a0
Anatsa.A        PDF AI : TEXT RECOGNIZER  com.uykxx.noazg     d42e0d3db3662e809af3198da67fdbd46d5c2a1052b5945401e4cdd06c197714
Hydra.C         QR CreatorScanner         com.cinnamon.equal  9ab66c1b7db44abaa53850a3d6a9af36c8ad603dab6900caba592497f632349f
Ermac.A         QR CreatorScanner         com.tag.right       fd7e7e23db5f645db9ed47a5d36e7cf57ca2dbdf46a37484eafa1e04f657bf0

Note: the Ermac.A hash is 63 hex characters as printed here, so it is not a complete SHA-256; verify it against the original ThreatFabric report before loading it into a detection rule.
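The IOC tables above, together with the dropper behaviour described earlier (an installed dropper that then obtains Accessibility Service access), can be turned into an offline triage check. The following Python script is an added example, not code from ThreatFabric or from this site: it embeds the package names and a subset of the SHA-256 values from the tables, and the device inventory it runs against (the output of `adb shell pm list packages`, the `enabled_accessibility_services` secure setting, and per-APK hashes) is constructed sample data. The parsers assume the documented line formats of those two `adb shell` commands; the `triage`, `refang` and `malformed_hashes` function names are the example's own.

```python
"""Offline triage of an Android device inventory against the IOCs on this page.

Added example, not ThreatFabric's or this site's code. The IOC values are copied
from the tables above; the device inventory at the bottom is constructed sample
data, not output captured from a real device.
"""
import re
from typing import Dict, List, Set

# Dropper package names from the three dropper tables above.
DROPPER_PACKAGES: Dict[str, str] = {
    "com.flowdivison": "Brunhilda dropper (Two Factor Authenticator)",
    "com.protectionguard.app": "Brunhilda dropper (Protection Guard)",
    "com.ready.qrscanner.mix": "Brunhilda dropper (QR CreatorScanner)",
    "com.multifuction.combine.qr": "Brunhilda dropper (Master Scanner Live)",
    "com.qr.code.generate": "Anatsa dropper (QR Scanner 2021)",
    "com.qr.barqr.scangen": "Anatsa dropper (QR Scanner)",
    "com.xaviermuches.docscannerpro2": "Anatsa dropper (PDF Document Scanner - Scan to PDF)",
    "com.docscanverifier.mobile": "Anatsa dropper (PDF Document Scanner)",
    "com.doscanner.mobile": "Anatsa dropper (PDF Document Scanner Free)",
    "cryptolistapp.app.com.cryptotracker": "Anatsa dropper (CryptoTracker)",
    "com.gym.trainer.jeux": "Gymdrop dropper (Gym and Fitness Trainer)",
}
# Payload package names from the "Malware Samples dropped" table.
PAYLOAD_PACKAGES: Dict[str, str] = {
    "leaf.leave.exchang": "Alien.A", "gesture.enlist.say": "Alien.A",
    "com.uykxx.noazg": "Anatsa.A", "com.cinnamon.equal": "Hydra.C",
    "com.tag.right": "Ermac.A",
}
# A subset of the SHA-256 IOCs above; the Ermac.A value is copied as printed there.
APK_HASHES: Dict[str, str] = {
    "a3bd136f14cc38d6647020b2632bc35f21fc643c0d3741caaf92f48df0fc6997": "Brunhilda dropper (com.flowdivison)",
    "2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb": "Anatsa dropper (com.qr.code.generate)",
    "fd7e7e23db5f645db9ed47a5d36e7cf57ca2dbdf46a37484eafa1e04f657bf0": "Ermac.A (com.tag.right)",
}
C2_URLS_DEFANGED = ["hxxps://protectionguardapp[.]club", "hxxp://195.201.70.88/api/update"]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def refang(url: str) -> str:
    """Turn a defanged IOC URL (hxxp, [.]) back into a real URL for a blocklist."""
    return re.sub(r"^hxxp", "http", url).replace("[.]", ".")

def malformed_hashes(hashes: Dict[str, str]) -> List[str]:
    """IOC hashes that are not 64 hex characters and so cannot be a full SHA-256."""
    return [h for h in hashes if not SHA256_RE.match(h.lower())]

def parse_pm_list(output: str) -> Set[str]:
    """Parse `adb shell pm list packages` output, one 'package:<name>' per line."""
    return {ln.split(":", 1)[1].strip() for ln in output.splitlines() if ln.startswith("package:")}

def parse_accessibility_services(value: str) -> Set[str]:
    """Parse `adb shell settings get secure enabled_accessibility_services`:
    colon-separated '<package>/<service>' entries, or 'null' when none are enabled."""
    if not value or value.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.strip().split(":") if entry}

def triage(pm_output: str, accessibility_value: str, apk_sha256: Dict[str, str]) -> List[str]:
    """Match installed packages, Accessibility grants and APK hashes against the IOCs."""
    findings: List[str] = []
    for pkg in sorted(parse_pm_list(pm_output)):
        if pkg in DROPPER_PACKAGES:
            findings.append(f"installed dropper {pkg}: {DROPPER_PACKAGES[pkg]}")
        if pkg in PAYLOAD_PACKAGES:
            findings.append(f"installed payload {pkg}: {PAYLOAD_PACKAGES[pkg]}")
    # An IOC package holding the Accessibility Service is the post-install stage described above.
    for pkg in sorted(parse_accessibility_services(accessibility_value)):
        if pkg in DROPPER_PACKAGES or pkg in PAYLOAD_PACKAGES:
            findings.append(f"accessibility service enabled for {pkg}")
    # Only well-formed IOC hashes are matched; comparison is case-insensitive.
    usable = {h.lower(): label for h, label in APK_HASHES.items() if SHA256_RE.match(h.lower())}
    for pkg, digest in sorted(apk_sha256.items()):
        if digest.lower() in usable:
            findings.append(f"APK hash match for {pkg}: {usable[digest.lower()]}")
    return findings

# Constructed sample inventory (not from a real device): one Anatsa dropper and the
# Hydra payload installed, the payload holding an Accessibility Service.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.qr.code.generate
package:com.cinnamon.equal
package:com.example.notes
"""
SAMPLE_ACCESSIBILITY = "com.cinnamon.equal/.AccService:com.android.talkback/.TalkBackService"
SAMPLE_APK_HASHES = {
    "com.qr.code.generate": "2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb".upper(),
    "com.example.notes": "0" * 64,
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT, SAMPLE_ACCESSIBILITY, SAMPLE_APK_HASHES):
        print(finding)
    print("malformed IOC hashes:", malformed_hashes(APK_HASHES))
    print("blocklist:", [refang(u) for u in C2_URLS_DEFANGED])
```

The hash check matters because a truncated value never matches anything and silently gives a false negative; `malformed_hashes` surfaces such entries so they are fixed rather than loaded into a rule. In practice the three inputs come from `adb shell pm list packages`, `adb shell settings get secure enabled_accessibility_services` and a SHA-256 over each APK pulled with `adb pull`.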

For more cyber security news in crisp content, follow us on Twitter (@cyberworkx1) and LinkedIn.
