Cybersecurity researchers have uncovered a new campaign involving the Anatsa Android banking trojan, which has specifically targeted mobile banking users in North America, including the United States and Canada. This marks at least the third instance of Anatsa focusing on this region, continuing its method of distribution through the official Google Play Store. The malware was disguised as a benign “PDF Update” within a document viewer application, initially functioning legitimately to build a user base before deploying malicious code through an update.
Once installed, Anatsa, also known as TeaBot or Toddler, demonstrates advanced capabilities typical of banking trojans.
It can steal credentials through sophisticated overlay attacks, perform keylogging, and even execute Device-Takeover Fraud (DTO) to initiate unauthorized financial transactions directly from the victim’s device. A key evasion tactic involves displaying a fake “scheduled maintenance” message when users attempt to access their banking apps, effectively concealing the malicious activity and preventing users from immediately contacting their banks.
ThreatFabric, the Dutch mobile security company that reported on this campaign, highlights Anatsa’s well-established modus operandi. This involves creating a developer profile on the Play Store, publishing a seemingly harmless app to gain a significant number of downloads (tens of thousands), and then pushing a malicious update weeks later. This embedded code then downloads and installs the Anatsa malware as a separate application, which subsequently receives a dynamic list of targeted financial institutions from a command-and-control server.
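The staged delivery described above (benign Play Store app, delayed update, payload installed as a separate app) leaves a recognisable trace in device package events. The following is an added example, not ThreatFabric's or Google's code; it runs a simple correlation over constructed package-install telemetry (the line format, the `com.example.*` package names and the one-hour window are assumptions), flagging any package sideloaded by an app that had itself just received a Play Store update.

```python
from datetime import datetime, timedelta

# Constructed sample of device package events (not real Anatsa telemetry).
# Format assumed here: timestamp|event|package|installer
SAMPLE_EVENTS = """\
2025-05-07T10:00:00|INSTALL|com.example.docviewer|com.android.vending
2025-05-28T09:12:00|UPDATE|com.example.docviewer|com.android.vending
2025-05-28T09:13:40|INSTALL|com.example.payload|com.example.docviewer
2025-05-28T11:00:00|INSTALL|com.example.notes|com.android.vending
"""

PLAY_STORE = "com.android.vending"  # installer package of the official Play Store


def parse_events(text):
    """Turn the pipe-separated telemetry lines into dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, package, installer = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event": event,
            "package": package,
            "installer": installer,
        })
    return events


def find_dropper_chains(events, window=timedelta(hours=1)):
    """Flag packages installed by another app (not the Play Store) shortly
    after that app itself received a Play Store update: the staged
    'benign app, malicious update, sideloaded payload' pattern.
    Returns (dropper, payload, install_time) tuples."""
    last_update = {}  # most recent Play Store update time per package
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "UPDATE" and ev["installer"] == PLAY_STORE:
            last_update[ev["package"]] = ev["ts"]
        elif ev["event"] == "INSTALL" and ev["installer"] != PLAY_STORE:
            updated_at = last_update.get(ev["installer"])
            if updated_at is not None and ev["ts"] - updated_at <= window:
                findings.append((ev["installer"], ev["package"], ev["ts"]))
    return findings


if __name__ == "__main__":
    for dropper, payload, ts in find_dropper_chains(parse_events(SAMPLE_EVENTS)):
        print(f"{ts.isoformat()} {dropper} sideloaded {payload} shortly after its own update")
```

On the constructed sample only the document viewer's post-update install of a second package is flagged; the Play Store installs are ignored.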
The recent North American campaign utilized an app called “Document Viewer – File Reader,” which was published on May 7, 2025, and accumulated an estimated 90,000 downloads before its removal from the Play Store. Google has since confirmed the removal of all identified malicious apps and stated that Google Play Protect automatically safeguards users by detecting and blocking apps known to exhibit harmful behavior on Android devices with Google Play Services.