Android Malware ‘Anatsa’ Returns to Google Play to Target Banking Apps Across the U.S.

The Anatsa banking trojan resurfaced on Google Play, disguised as a PDF app, targeting U.S. users with credential theft overlays on popular mobile banking apps.

    Anatsa Malware Masquerades as File Reader App in Latest Android Campaign

    Anatsa, a well-known Android banking trojan, has once again bypassed Google Play security, this time hiding behind a file viewer app called ‘Document Viewer – File Reader’. Before being removed, the app had been downloaded more than 50,000 times.

    The malware campaign specifically targeted banking users in the United States by using deceptive overlays, keylogging, and backdoor access to automate fraudulent transactions. Researchers at Threat Fabric discovered the campaign and confirmed that the app was published by a fake developer account named ‘Hybrid Cars Simulator, Drift & Racing’.

    From Innocent App to Trojan Downloader

    The attack followed a familiar strategy. Initially, the app appeared clean and functional, gaining trust from users and passing Google’s app review checks. However, between June 24 and June 30, the app began retrieving a malicious payload from a remote server. This payload activated the full capabilities of the Anatsa malware.

    Once deployed, the malware connected to a command-and-control server, enumerated the banking apps installed on the device, and waited. When the user opened one of these apps, Anatsa overlaid a fake screen asking for login information. In one case, it displayed a message resembling a routine maintenance notice.

    “This message disguises the trojan’s activity in the background and prevents victims from seeing or responding to unauthorized transactions,” said Threat Fabric.

    Credential Theft and Automated Fraud

    Anatsa is designed for stealth and efficiency. It silently collects login credentials through fake interfaces and may initiate fraudulent activity without the victim noticing. Keylogging is also used to collect credentials across apps.

    The malware’s goal is simple—harvest and use login details to access real accounts. The campaign was especially dangerous due to how convincingly the overlays mimicked legitimate banking apps.
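The capabilities described in the last two sections (overlays on top of banking apps, keylogging, discovery of installed apps, and fetching a second-stage payload) all leave traces in an APK's manifest and bytecode that a reviewer or app-vetting pipeline can score before a dropper ever activates. The following static triage heuristic is an added example written for this article; it is not ThreatFabric's or Google's tooling, and the weights, the function names and the sample manifest and dex strings are constructed for illustration rather than taken from the Anatsa samples.

```python
"""Static triage heuristic for Android banking-trojan capabilities.

Added example (not ThreatFabric's or Google's tooling). It scores a decoded
AndroidManifest.xml (as produced by apktool) plus strings pulled from
classes.dex for the capabilities the article attributes to Anatsa:
overlays, screen/input capture via an accessibility service, enumeration
of installed banking apps, and loading a second-stage payload. The manifest
and string lists below are constructed samples, not campaign artefacts.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Qualify an attribute name with the android: XML namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


# Permission -> (weight, capability it enables). Weights are this example's own choice.
PERMISSION_INDICATORS = {
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "draw overlays on top of other apps"),
    "android.permission.QUERY_ALL_PACKAGES": (2, "enumerate installed apps (find banking apps)"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (2, "install additional packages"),
}

# Class references in classes.dex that indicate dynamic code loading (dropper behaviour).
DEX_LOADER_MARKERS = ("dalvik/system/DexClassLoader", "dalvik/system/InMemoryDexClassLoader")


def triage(manifest_xml: str, dex_strings) -> dict:
    """Return a score, a coarse risk level and human-readable findings."""
    root = ET.fromstring(manifest_xml)
    findings, score = [], 0
    declared = {p.get(_a("name")) for p in root.iter("uses-permission")}

    for perm, (weight, why) in PERMISSION_INDICATORS.items():
        if perm in declared:
            score += weight
            findings.append(f"{perm}: {why}")

    # An accessibility service can read screen content and typed input
    # (keylogging) and observe when a targeted app comes to the foreground.
    for svc in root.iter("service"):
        if svc.get(_a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            score += 3
            findings.append(f"accessibility service {svc.get(_a('name'))}: screen/input capture")

    # Dynamic code loading plus network access is the classic "clean at review,
    # malicious after an update from a remote server" dropper pattern.
    markers = [m for m in DEX_LOADER_MARKERS if any(m in s for s in dex_strings)]
    if markers and "android.permission.INTERNET" in declared:
        score += 3
        findings.append(f"dynamic code loading ({', '.join(markers)}) with network access: possible second-stage dropper")

    risk = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"score": score, "risk": risk, "findings": findings}


# Constructed sample: a "document viewer" whose manifest declares far more than a viewer needs.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""
SUSPECT_DEX_STRINGS = ["Ldalvik/system/DexClassLoader;", "Lcom/example/docviewer/Render;"]

# Constructed sample: a genuine viewer that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
BENIGN_DEX_STRINGS = ["Lcom/example/pdfreader/Render;"]

if __name__ == "__main__":
    for label, manifest, strings in (("suspect", SUSPECT_MANIFEST, SUSPECT_DEX_STRINGS),
                                     ("benign", BENIGN_MANIFEST, BENIGN_DEX_STRINGS)):
        result = triage(manifest, strings)
        print(label, result["risk"], result["score"])
        for f in result["findings"]:
            print("  -", f)
```

Run it against a decoded APK by passing the manifest text and the output of a strings pass over classes.dex. Two caveats matter for the staged attack the article describes: a payload loaded later through DexClassLoader can only use permissions the host app already declared, so a permission review of the first "clean" version still bounds what the second stage can do; but a dropper that instead installs a separate APK brings its own manifest, which is why REQUEST_INSTALL_PACKAGES is scored on its own.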

    A Recurring Threat in Google Play

    This isn’t the first time Anatsa has been found in Google Play:

    • In November 2021, Anatsa apps reached 300,000 installs
    • In June 2023, another campaign infected over 30,000 users
    • In February 2024, it resurfaced with 150,000 downloads
    • In May 2024, two infected apps were downloaded by 70,000 users

    In each case, the apps posed as productivity or utility tools like QR code scanners or PDF readers.

    Protective Measures for Mobile Banking Users

    Google has since removed the latest infected app, but users are still advised to check their devices. If you installed Document Viewer – File Reader, delete it immediately. Users should also:

    • Reset passwords for affected banking apps
    • Enable two-factor authentication
    • Monitor accounts for suspicious activity
    • Install mobile security software
    • Avoid apps from unknown developers

    Anatsa remains one of the most persistent Android banking trojans and continues to adapt its tactics to slip past security filters. As mobile banking grows, malware like Anatsa will keep looking for new ways in. Stay alert.
