Android malware Anatsa infiltrates Google Play to target US banks

The Anatsa banking trojan has sneaked into Google Play once more via an app posing as a PDF viewer that counted more than 50,000 downloads.

The malware becomes active on the device immediately after installing the app, tracking users launching North American banking apps and serving them an overlay that allows accessing the account, keylogging, or automating transactions.

According to Threat Fabric researchers who spotted the latest campaign and reported it to Google, Anatsa shows users a fake message when they open the targeted apps, informing of a scheduled banking system maintenance.

The notification is displayed on top of the banking app’s UI, obscuring the malware’s activity in the background and preventing victims from contacting their bank or checking their accounts for unauthorized transactions.

Threat Fabric has been tracking Anatsa on Google Play for years, uncovering multiple infiltrations under fake or trojanized utility and productivity tools.

A campaign uncovered in November 2021 achieved 300,000 downloads, another exposed in June 2023 had 30,000 downloads, and another one disclosed in February 2024 reached 150,000 downloads.

In May 2024, mobile security firm Zscaler reported that Anatsa had achieved yet another infiltration on Android’s official app store, with two apps posing as a PDF reader and a QR reader, collectively amassing 70,000 downloads.

The Anatsa app that Threat Fabric discovered on Google Play this time is ‘Document Viewer – File Reader,’ published by ‘Hybrid Cars Simulator, Drift & Racing.’

The researchers report that this app follows a sneaky tactic Anatsa operators demonstrated in previous cases too, where they keep the app “clean” until it gains a substantial userbase.

Once the app becomes sufficiently popular, they introduce malicious code via an update that fetches an Anatsa payload from a remote server and installs it as a separate application.

Then, Anatsa connects to the command-and-control (C2) and receives a list of targeted apps to monitor for on the infected device.

The latest Anatsa app delivered the trojan between June 24 and 30, six weeks after its initial release on the store.

Google has since removed the malicious app from the store.

If you installed the app, it is recommended that you uninstall it immediately, run a full system scan using Play Protect, and reset your banking account credentials.

Anatsa periodically finds ways to infiltrate Google Play, so users should only trust apps from reputable publishers, check user reviews, pay attention to the requested permissions, and keep the number of installed apps on your device at the necessary minimum.