Anatsa Android Banking Malware from Google Play Targeting Users in the U.S. and Canada

ThreatFabric researchers have identified a sophisticated new campaign by the Anatsa banking trojan specifically targeting mobile banking customers across the United States and Canada, marking the malware’s third major offensive against North American financial institutions.

The latest campaign represents a significant escalation in the threat landscape, with cybercriminals successfully infiltrating the official Google Play Store to distribute their malicious payload disguised as legitimate applications.

Security researchers report that the malware has already achieved over 50,000 downloads before detection and removal.

Sophisticated Device Takeover Capabilities

Anatsa, also known as TeaBot, is a highly sophisticated banking trojan that has been actively monitored by cybersecurity experts since 2020.

The malware specializes in device takeover attacks, enabling cybercriminals to steal banking credentials through overlay attacks, log keystrokes, and execute fraudulent transactions directly from infected devices.

ThreatFabric researchers classify the group behind Anatsa as “one of the most prolific operators in the mobile crimeware landscape,” noting their consistently high success rates across multiple campaigns.

The Anatsa campaign follows a calculated multi-stage approach designed to evade detection.

Threat actors first establish legitimate developer profiles on Google Play and upload seemingly benign applications such as PDF readers, phone cleaners, or file managers.

Figure: Banking malware on Google Play

These applications function normally for weeks or months, building substantial user bases before malicious updates are deployed. The latest North American campaign exemplifies this strategy.

A malicious PDF reader application climbed to the top three in the “Top Free Tools” category on the US Google Play Store before being weaponized approximately six weeks after its initial release.

Security analysis reveals that Anatsa employs particularly deceptive overlay attacks targeting banking applications.

When victims attempt to access their mobile banking apps, the malware displays fake maintenance messages reading “Scheduled Maintenance: We are currently enhancing our services and will have everything back up and running shortly. Thank you for your patience.”

This tactic serves dual purposes: concealing malicious activity while preventing users from contacting legitimate customer support, thereby delaying detection of fraudulent operations.

Expanding Target List and Geographic Reach

The current campaign demonstrates Anatsa’s expanding ambitions, with researchers noting a broader target list encompassing a wider range of US mobile banking applications.

The malware can now target over 650 financial institutions worldwide, with particular focus on major North American banks including JP Morgan, Capital One, TD Bank, and Schwab.

The short but impactful distribution window from June 24-30 highlights the operators’ ability to maximize damage while minimizing exposure to security countermeasures.

Cybersecurity experts are urging financial institutions to immediately alert customers about the risks of downloading applications from any source, including official app stores.

Organizations are advised to implement enhanced monitoring for unusual customer account activity and educate users about the dangers of granting accessibility service permissions to unnecessary applications.
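As an added example that is not from the article or from ThreatFabric, the following script turns the accessibility-permission advice into a device check: it parses the output of two adb commands and lists user-installed apps that have an accessibility service enabled. The package names and command output are constructed samples, not captured from a real device.

```python
"""Audit an Android device for third-party apps holding accessibility access.
Input is the raw text of two adb commands (constructed samples below):
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
"""
from typing import Dict, List, Set


def parse_enabled_services(raw: str) -> Dict[str, Set[str]]:
    """Map package -> enabled accessibility service classes.

    The setting is a colon-separated list of ComponentName strings
    ("pkg/cls" or the short form "pkg/.Cls"); "null" means none enabled.
    """
    services: Dict[str, Set[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for component in raw.split(":"):
        if "/" not in component:
            continue  # skip malformed entries rather than abort the audit
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the short ComponentName form
        services.setdefault(pkg, set()).add(cls)
    return services


def parse_third_party_packages(raw: str) -> Set[str]:
    """Collect package names from `pm list packages -3` output."""
    return {line.strip()[len("package:"):] for line in raw.splitlines()
            if line.strip().startswith("package:")}


def audit(services_raw: str, packages_raw: str) -> List[str]:
    """Return user-installed packages with an enabled accessibility service.
    Such an app can read the screen and inject input, so each hit needs a
    reason to exist; a PDF reader or phone cleaner normally has none."""
    enabled = parse_enabled_services(services_raw)
    third_party = parse_third_party_packages(packages_raw)
    return sorted(pkg for pkg in enabled if pkg in third_party)


# Constructed sample output, not captured from a real device.
SAMPLE_SERVICES = ("com.vendor.screenreader/.ReaderService:"
                   "com.example.pdfviewer/com.example.pdfviewer.AccService")
SAMPLE_PACKAGES = "package:com.example.pdfviewer\npackage:com.example.notes\n"

if __name__ == "__main__":
    print(audit(SAMPLE_SERVICES, SAMPLE_PACKAGES))  # ['com.example.pdfviewer']
```

The preinstalled screen reader is not reported because it does not appear in the third-party package list; only the user-installed PDF viewer is flagged for review.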

The Anatsa campaign underscores the evolving threat landscape facing mobile banking customers, demonstrating that even official app stores cannot guarantee complete protection against sophisticated malware operations targeting financial assets.
