The Anatsa banking trojan has infiltrated Google Play once again, this time posing as a PDF viewer app that has garnered over 50,000 downloads. Security researchers at Threat Fabric reported that the malware activates as soon as the app is installed, monitoring for launches of targeted North American banking applications and displaying a deceptive overlay that is used to gain unauthorized access to user accounts.
Victims of the trojan encounter a false notification suggesting banking system maintenance when they open targeted apps. This message is layered over the legitimate application, effectively obscuring the malware’s activities and making it difficult for users to notice any unauthorized transactions or to reach out to their banks.
Threat Fabric has been monitoring Anatsa for several years, documenting its repeated infiltrations under the guise of utility and productivity applications. Previous campaigns have reached large download counts, with a notable incident in November 2021 accounting for 300,000 downloads. Another wave of attacks uncovered in February 2024 saw Anatsa downloaded 150,000 times.
In May 2024, Zscaler confirmed another infiltration, this time by two malicious apps masquerading as a PDF reader and a QR scanner, which together accumulated 70,000 downloads. The app found on Google Play in the current campaign, ‘Document Viewer – File Reader’, published under the developer name ‘Hybrid Cars Simulator, Drift & Racing’, was removed by Google after the detection was reported.
The Anatsa operators have adopted a deceptive strategy: the app is kept clean at first to build a user base, and the malware is introduced later through updates. Users who installed the infected app are strongly advised to uninstall it immediately, run a full scan with Google Play Protect, and reset their banking credentials to secure their accounts. Consumers are reminded to exercise caution when downloading apps from unofficial sources and to always verify the credibility of app publishers.