Cybersecurity researchers have discovered an Android banking malware campaign that has leveraged a trojan named Anatsa to target users in North America using malicious apps published on Google's official app marketplace.
The malware, disguised as a "PDF Update" to a document viewer app, has been caught serving a deceptive overlay when users try to access their banking application, claiming the service has been temporarily suspended as part of scheduled maintenance.
"This marks at least the third instance of Anatsa focusing its operations on mobile banking customers in the U.S. and Canada," Dutch mobile security company ThreatFabric said in a report shared with The Hacker News. "As with previous campaigns, Anatsa is being distributed via the official Google Play Store."
Anatsa, also called TeaBot and Toddler, has been known to be active since at least 2020, typically delivered to victims via dropper apps.
Early last year, Anatsa was found to have targeted Android device users in Slovakia, Slovenia, and Czechia by first uploading benign apps masquerading as PDF readers and phone cleaners to the Play Store and then introducing malicious code a week after launch.
Like other Android banking trojans, Anatsa is capable of providing its operators with features designed to steal credentials via overlay and keylogging attacks, and conduct Device-Takeover Fraud (DTO) to initiate fraudulent transactions from victims' devices.
ThreatFabric said Anatsa campaigns follow a predictable, but well-oiled, process that involves setting up a developer profile on the app store and then publishing a legitimate app that works as advertised.
"Once the application gains a substantial user base – often in the thousands or tens of thousands of downloads – an update is deployed, embedding malicious code into the app," the company said. "This embedded code downloads and installs Anatsa on the device as a separate application."
The malware then receives a dynamic list of targeted financial and banking institutions from an external server, enabling the attackers to carry out credential theft for account takeover, keylogging, or fully automated transactions using DTO.

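The dropper process described above leaves a device-side trace a defender can look for: the trojan is installed by the dropper app rather than by the Play Store, while the dropper itself was installed from the Play Store. As an added example (not code from the article or from ThreatFabric), the following Python script turns that observation into a triage check over the output of `adb shell pm list packages -i`. The sample lines are constructed; the payload package name `com.example.dropped.payload` is a placeholder, not a real Anatsa identifier, and the script assumes Play-installed apps record `com.android.vending` as their installer.

```python
"""Triage check: flag Android packages whose recorded installer is another
app rather than a trusted store, from `pm list packages -i` output.

A dropper of the kind ThreatFabric describes (a Play-published app whose
update installs the banking trojan as a separate application) shows up as
a package whose installer is a Play-installed app, not the Play Store.
"""
import re
from dataclasses import dataclass

# Installers treated as trusted. `pm` prints installer=null for packages
# with no recorded installer (preinstalled or side-loaded via adb).
TRUSTED_INSTALLERS = {
    "com.android.vending",                  # Google Play Store
    "com.google.android.packageinstaller",  # system package installer
}

# Format of each line from `adb shell pm list packages -i`.
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str              # package installed by another app
    installer: str            # the app that installed it
    installer_from_store: bool  # was that installer itself a Play install?


def parse_pm_output(text):
    """Return {package: installer} parsed from `pm list packages -i` output.
    Lines that do not match the expected format are ignored."""
    result = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            result[m["pkg"]] = m["installer"]
    return result


def find_dropper_chains(installed):
    """Flag every package whose installer is neither a trusted store nor
    'null', and note whether that installer came from the Play Store."""
    findings = []
    for pkg, installer in installed.items():
        if installer == "null" or installer in TRUSTED_INSTALLERS:
            continue
        from_store = installed.get(installer) in TRUSTED_INSTALLERS
        findings.append(Finding(pkg, installer, from_store))
    return sorted(findings, key=lambda f: f.package)


# Constructed sample output (not captured from a real device). The dropper
# package name is the one reported in the article; the payload name is a
# placeholder.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome installer=null
package:com.example.bank installer=com.android.vending
package:com.stellarastra.maintainer.astracontrol_managerreadercleaner installer=com.android.vending
package:com.example.dropped.payload installer=com.stellarastra.maintainer.astracontrol_managerreadercleaner
package:com.example.sideloaded installer=null
"""


if __name__ == "__main__":
    for f in find_dropper_chains(parse_pm_output(SAMPLE_PM_OUTPUT)):
        origin = "Play-installed" if f.installer_from_store else "non-store"
        print(f"{f.package} was installed by {origin} app {f.installer}")
```

The recorded installer depends on the install path and on the Android version, and packages with `installer=null` (side-loads) still deserve their own review, so treat a hit as a reason to pull the installer's APK for analysis rather than as a verdict on its own.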
A crucial factor that allows Anatsa to evade detection as well as maintain a high success rate is its cyclical nature, where the attacks are interspersed with periods of no activity.
The newly discovered app targeting North American audiences exemplifies this calculated multi-stage strategy, delivering the banking trojan several weeks after the app began to attract thousands of downloads.
It masquerades as an app called "Document Viewer – File Reader" (APK package name: "com.stellarastra.maintainer.astracontrol_managerreadercleaner") and is published by a developer named "Hybrid Cars Simulator, Drift & Racing." Both the app and the associated developer account are no longer accessible on the Play Store.
Statistics from Sensor Tower show that the app was first published on May 7, 2025, reaching the fourth spot in the "Top Free – Tools" category on June 29, 2025. It is estimated to have been downloaded around 90,000 times.
"This dropper followed Anatsa's established modus operandi: initially released as a legitimate app, it was transformed into a malicious one roughly six weeks after launch," ThreatFabric said. "The distribution window for this campaign was short yet impactful, running from 24 to 30 June."
The Anatsa variant, per the company, is also configured to target a broader set of banking apps in the U.S., reflective of the malware's growing focus on exploiting financial entities in the region.
Another clever feature incorporated into the malware is its ability to display a fake maintenance notice when the user attempts to access the targeted banking application. This tactic not only conceals the malicious activity occurring within the app, but also prevents customers from contacting the bank's support team, thereby delaying detection of financial fraud.
"The latest operation not only broadened its reach but also relied on well-established tactics aimed at financial institutions in the region," ThreatFabric said. "Organizations in the financial sector are encouraged to review the provided intelligence and assess any potential risks or impacts on their customers and systems."
Update
Following the publication of the story, Google shared the below statement with The Hacker News –
All of these identified malicious apps have been removed from Google Play. Users are automatically protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.
(The story was updated after publication to include a response from Google.)