Cybersecurity researchers have found an Android banking malware marketing campaign that has leveraged a trojan named Anatsa to focus on customers in North America utilizing malicious apps revealed on Google’s official app market.
The malware, disguised as a “PDF Replace” to a doc viewer app, has been caught serving a misleading overlay when customers try and entry their banking utility, claiming the service has been briefly suspended as a part of scheduled upkeep.
“This marks not less than the third occasion of Anatsa focusing its operations on cellular banking prospects in america and Canada,” Dutch cellular safety firm ThreatFabric stated in a report shared with The Hacker Information. “As with earlier campaigns, Anatsa is being distributed by way of the official Google Play Retailer.”
Anatsa, additionally known as TeaBot and Toddler, has been identified to be energetic since not less than 2020, sometimes delivered to victims by way of dropper apps.
Early final yr, Anatsa was discovered to have focused Android system customers in Slovakia, Slovenia, and Czechia by first importing benign apps masquerading as PDF readers and cellphone cleaners to the Play Retailer after which introducing malicious code per week after launch.
Like different Android banking trojans, Anatsa is able to offering its operators with options designed to steal credentials by overlay and keylogging assaults, and conduct System-Takeover Fraud (DTO) to provoke fraudulent transactions from sufferer’s units.
ThreatFabric stated Anatsa campaigns observe a predictable, however well-oiled, course of that includes establishing a developer profile on the app retailer after which publishing a reputable app that works as marketed.
“As soon as the appliance features a considerable person base – typically within the 1000’s or tens of 1000’s of downloads – an replace is deployed, embedding malicious code into the app,” the corporate stated. “This embedded code downloads and installs Anatsa on the system as a separate utility.”
The malware then receives a dynamic checklist of focused monetary and banking establishments from an exterior server, enabling the attackers to carry out credential theft for account takeover, keylogging, or absolutely automated transactions utilizing DTO.
A vital issue that permits Anatsa to evade detection in addition to preserve a excessive success fee is its cyclical nature the place the assaults are interspersed by intervals of no exercise.
The newly found app concentrating on North American audiences masquerades as a Doc Viewer (APK package deal identify: “com.stellarastra.maintainer.astracontrol_managerreadercleaner”) and is revealed by a developer named “Hybrid Automobiles Simulator, Drift & Racing.” Each the app and the related developer account are now not accessible on the Play Retailer.
Statistics from Sensor Tower present that the app was first revealed on Might 7, 2025, reaching the fourth spot within the “High Free – Instruments” class on June 29, 2025. It is estimated to have been downloaded round 90,000 instances.
“This dropper adopted Anatsa’s established modus operandi: initially launched as a reputable app, it was reworked right into a malicious one roughly six weeks after launch,” ThreatFabric stated. “The distribution window for this marketing campaign was quick but impactful, operating from 24 to 30 June.”
The Anatsa variant, per the corporate, can be configured to focus on a broader set of banking apps in america, reflective of the malware’s rising give attention to exploiting monetary entities within the area.
One other intelligent characteristic integrated into the malware is its capacity to show a faux upkeep discover when attempting to entry the goal banking utility. This tactic not solely conceals the malicious exercise occurring inside the app, but in addition prevents prospects from contacting the financial institution’s assist crew, thereby delaying detection of economic fraud.
“The newest operation not solely broadened its attain but in addition relied on well-established ways geared toward monetary establishments within the area,” ThreatFabric stated. “Organizations within the monetary sector are inspired to evaluate the offered intelligence and assess any potential dangers or impacts on their prospects and methods.”
