Cybersecurity researchers have found an Android banking malware marketing campaign that has leveraged a trojan named Anatsa to focus on customers in North America utilizing malicious apps printed on Google’s official app market.
The malware, disguised as a “PDF Replace” to a doc viewer app, has been caught serving a misleading overlay when customers try and entry their banking software, claiming the service has been quickly suspended as a part of scheduled upkeep.
“This marks at the least the third occasion of Anatsa focusing its operations on cellular banking clients in the US and Canada,” Dutch cellular safety firm ThreatFabric mentioned in a report shared with The Hacker Information. “As with earlier campaigns, Anatsa is being distributed by way of the official Google Play Retailer.”
Anatsa, additionally known as TeaBot and Toddler, has been recognized to be energetic since at the least 2020, sometimes delivered to victims by way of dropper apps.
Early final 12 months, Anatsa was discovered to have focused Android system customers in Slovakia, Slovenia, and Czechia by first importing benign apps masquerading as PDF readers and cellphone cleaners to the Play Retailer after which introducing malicious code per week after launch.
Like different Android banking trojans, Anatsa is able to offering its operators with options designed to steal credentials by overlay and keylogging assaults, and conduct System-Takeover Fraud (DTO) to provoke fraudulent transactions from sufferer’s units.
ThreatFabric mentioned Anatsa campaigns comply with a predictable, however well-oiled, course of that includes establishing a developer profile on the app retailer after which publishing a official app that works as marketed.
“As soon as the appliance positive factors a considerable person base – typically within the hundreds or tens of hundreds of downloads – an replace is deployed, embedding malicious code into the app,” the corporate mentioned. “This embedded code downloads and installs Anatsa on the system as a separate software.”
The malware then receives a dynamic record of focused monetary and banking establishments from an exterior server, enabling the attackers to carry out credential theft for account takeover, keylogging, or totally automated transactions utilizing DTO.
An important issue that permits Anatsa to evade detection in addition to keep a excessive success charge is its cyclical nature the place the assaults are interspersed by durations of no exercise.
The newly found app focusing on North American audiences masquerades as a Doc Viewer (APK package deal identify: “com.stellarastra.maintainer.astracontrol_managerreadercleaner”) and is printed by a developer named “Hybrid Vehicles Simulator, Drift & Racing.” Each the app and the related developer account are now not accessible on the Play Retailer.
Statistics from Sensor Tower present that the app was first printed on Might 7, 2025, reaching the fourth spot within the “Prime Free – Instruments” class on June 29, 2025. It is estimated to have been downloaded round 90,000 occasions.
“This dropper adopted Anatsa’s established modus operandi: initially launched as a official app, it was remodeled right into a malicious one roughly six weeks after launch,” ThreatFabric mentioned. “The distribution window for this marketing campaign was quick but impactful, working from 24 to 30 June.”
The Anatsa variant, per the corporate, can be configured to focus on a broader set of banking apps in the US, reflective of the malware’s rising deal with exploiting monetary entities within the area.
One other intelligent function included into the malware is its skill to show a pretend upkeep discover when making an attempt to entry the goal banking software. This tactic not solely conceals the malicious exercise occurring inside the app, but in addition prevents clients from contacting the financial institution’s assist crew, thereby delaying detection of economic fraud.
“The newest operation not solely broadened its attain but in addition relied on well-established ways geared toward monetary establishments within the area,” ThreatFabric mentioned. “Organizations within the monetary sector are inspired to evaluate the supplied intelligence and assess any potential dangers or impacts on their clients and programs.”
