Anatsa Android Banking Trojan Infiltrates Google Play, Affecting 90,000 Users
- John Jordan
- Jul 9
- 2 min read
Updated: Jul 10
A sophisticated Android banking trojan, Anatsa, has infiltrated Google Play, infecting approximately 90,000 users in North America. Disguised as a "PDF Update" within a document viewer app, the malware employs deceptive overlays and device-takeover tactics to steal credentials and initiate fraudulent transactions, highlighting a persistent threat to mobile banking security.

Anatsa's Deceptive Tactics Unveiled
Cybersecurity researchers have identified a significant campaign involving the Anatsa banking trojan, also known as TeaBot and Toddler. This malware has been active since at least 2020, consistently leveraging Google Play as a distribution channel. The latest iteration targeted users in the United States and Canada, masquerading as a legitimate document viewer application.
Key Takeaways
Anatsa, a banking trojan, infected 90,000 users via a fake PDF app on Google Play.
The malware uses deceptive overlays and device-takeover fraud to steal banking credentials.
It operates by initially publishing benign apps, then embedding malicious code through updates.
The campaign targeted users in North America, specifically customers of financial institutions in the United States and Canada.
Google has removed the identified malicious apps and Google Play Protect offers user protection.
How the Trojan Operates
Anatsa's modus operandi involves a calculated multi-stage strategy to bypass detection and maximize its reach:
Initial Legitimate App: A developer profile is established on Google Play, and a seemingly legitimate app is published. The app, in this case, "Document Viewer - File Reader," functions as advertised to gain user trust and a substantial user base.
Malicious Update: After the app accumulates thousands of downloads, an update is deployed. This update embeds malicious code, which then downloads and installs Anatsa as a separate application on the device.
Dynamic Targeting: Once installed, the malware fetches a list of targeted financial and banking institutions from an attacker-controlled server, so the operators can change targets without shipping a new build. Against those apps it performs:
Credential theft through overlay attacks (a fake login screen drawn over the real banking app).
Keylogging to capture user input.
Device-Takeover Fraud (DTO), in which fraudulent transactions are initiated from the compromised device itself.
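The detection opportunity in this pattern is the update step: a benign file viewer has no reason to gain the ability to install a second package or to register an accessibility service, which is what a dropper and its overlay payload need. The following Python check, added here as an example and not code from the article or from any security vendor, diffs the capabilities declared in two versions of an app's AndroidManifest.xml and flags such additions. The two manifests are constructed to mirror the pattern described above (a document viewer, then an update that can side-load an APK and bind an accessibility service); they are not the real app's manifests, and the watch list of permissions is the editor's assumption of what a banker dropper typically needs.

```python
"""Flag risky capability additions between two versions of an app manifest.

Added example for this page, not code from the article or any vendor.
The manifests below are constructed to mirror the update-based dropper
pattern; they are not the real app's manifests.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Permissions a file viewer should not acquire in an update but which an
# overlay/DTO banker or its dropper needs (editor's assumption, not from the article).
WATCH_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # side-load a second APK
    "android.permission.SYSTEM_ALERT_WINDOW",       # draw overlays on other apps
    "android.permission.READ_SMS",                  # intercept one-time codes
    "android.permission.RECEIVE_SMS",
}

# Constructed sample: benign first release of a document viewer.
BENIGN_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# Constructed sample: the later update that turns the app into a dropper.
UPDATE_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".UpdateService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def manifest_capabilities(xml_text):
    """Return (declared permissions, accessibility service names, versionCode)."""
    root = ET.fromstring(xml_text)
    perms = {_attr(e, "name") for e in root.iter("uses-permission")}
    a11y = set()
    for svc in root.iter("service"):
        actions = {_attr(a, "name") for a in svc.iter("action")}
        # A service is an accessibility service if it either binds with the
        # accessibility permission or handles the accessibility intent action.
        if _attr(svc, "permission") == A11Y_BIND or A11Y_ACTION in actions:
            a11y.add(_attr(svc, "name"))
    return perms, a11y, int(_attr(root, "versionCode") or 0)


def diff_manifests(old_xml, new_xml):
    """Compare two manifest versions and list newly acquired risky capabilities."""
    old_perms, old_a11y, old_ver = manifest_capabilities(old_xml)
    new_perms, new_a11y, new_ver = manifest_capabilities(new_xml)
    findings = []
    for perm in sorted((new_perms - old_perms) & WATCH_PERMISSIONS):
        findings.append(f"added watched permission {perm}")
    for svc in sorted(new_a11y - old_a11y):
        findings.append(f"new accessibility service {svc}")
    return {
        "old_version": old_ver,
        "new_version": new_ver,
        "findings": findings,
        "risky": bool(findings),
    }


if __name__ == "__main__":
    result = diff_manifests(BENIGN_V1, UPDATE_V2)
    print(f"v{result['old_version']} -> v{result['new_version']}:")
    for line in result["findings"]:
        print("  ", line)
```

In a real pipeline the manifest inside an APK is binary-encoded, so decode it first (for example with apktool or androguard) and feed the decoded XML to `diff_manifests`; the useful signal is not any single permission but a capability jump between the version a user installed and the update being pushed to them.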
Impact and Detection Evasion
The app, published under the developer name "Hybrid Cars Simulator, Drift & Racing," first appeared on Google Play on May 7, 2025 and climbed to fourth place in the "Top Free - Tools" category by June 29, 2025. The window in which the malicious update was being served was short but effective: between June 24 and June 30 the app accumulated approximately 90,000 downloads.
A key feature of Anatsa is that it displays a fake maintenance notice when the victim opens a targeted banking app. This serves two purposes: it hides the malicious activity in progress, and it discourages victims from contacting their bank about a login problem, delaying detection of the fraud.
Following the discovery, Google removed the identified malicious apps from Google Play. Google Play Protect, which is enabled by default on Android devices with Google Play Services, warns users about or blocks apps known to exhibit this malicious behavior. That protection applies once the apps have been identified, however; this dropper was served through Google Play for roughly a week before it was flagged, so anyone who installed the app in that window should remove it and review their banking activity.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
Anatsa Android Banking Trojan Hits 90,000 Users with Fake PDF App on Google Play, The Hacker News.