The Anatsa banking Trojan has once again found its way onto Google Play, this time disguised as an innocuous PDF viewer that had already been downloaded more than 50,000 times.
Once the Trojan is active on a device, it detects when you open a banking app, displays a fake screen that mimics the original on top of it and, without you noticing, can steal your credentials, record what you type and even perform transactions automatically. The campaign is aimed primarily at users in North America.
Anatsa malware on Android hides its activity with fake messages in banking apps
In its latest campaign, the Anatsa malware is using a rather deceptive tactic to go unnoticed: when it detects that you open a banking app on your device, it displays a fake message informing you of alleged “system maintenance.”
This warning is drawn on top of the bank app's interface, blocking the user's view and hiding the malicious activity occurring in the background. Meanwhile, the malware continues to operate without interruption: it can steal your credentials, access your accounts or even initiate transfers without you noticing. The trick also prevents many users from contacting their bank or checking their balance in time to spot suspicious activity.
This is not the first time Anatsa has managed to infiltrate Google Play. In previous campaigns, it has disguised itself as useful applications such as document viewers, PDF readers, or QR code scanning apps. On several occasions, these fake apps have achieved tens or even hundreds of thousands of downloads before being removed from the store.
In one of its most recent appearances, Anatsa was hiding behind an app called “Document Viewer – File Reader,” presented as a legitimate tool and published by a seemingly harmless developer. Once installed, however, it began to execute its malicious payload in the background. Together with other similar apps, these recent campaigns accumulated more than 70,000 installations in a very short time.
The pattern is clear: attackers rely on generic names and seemingly useful features to lower users' guard. Once the app is installed, the malware springs into action without raising suspicion, and by the time the user notices anything, the damage may already be done.
The Anatsa dropper app as it was listed on Google Play (Source: ThreatFabric)
How Anatsa malware activates after a false sense of security
One of the most cunning tactics behind Anatsa banking malware is that it does not reveal its malicious side from the outset. The app that contains it launches as if it were completely legitimate: no suspicious behavior, no strange permissions, no alerts. Everything seems normal.
The reason? The attackers behind Anatsa wait for the app to gain traction and get thousands of downloads. Only when it has a solid base of active users do they release an update that includes the malicious code, which downloads and installs the real Trojan from a remote server. This is how Anatsa springs into action without raising suspicion at first.
Once active on the device, the malware connects to its command and control (C2) server, which sends it a list of specific banking apps to monitor. From that point on, it can intercept data, steal credentials, and even automate banking operations without the user noticing.
In its most recent campaign, Anatsa began infecting devices between June 24 and 30, about six weeks after the app was published on Google Play. Fortunately, Google has already removed the malicious application, but that does not mean the risk has disappeared.
Did you download this app? Here's what you should do:
If you recently installed a suspicious app (such as a PDF reader or a little-known productivity tool), we recommend the following:
- Uninstall the app immediately.
- Run a full scan of your device with Google Play Protect.
- Change your passwords, especially those for your bank accounts or any financial apps, and do it from a device you trust: a password typed on a phone that still hosts a keylogging Trojan is a password the attackers get too.
- Review your recent transactions and contact your bank if anything looks unfamiliar, since the malware can initiate transfers on its own.
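Android banking Trojans of this kind produce their overlays and keystroke capture by abusing the Accessibility Service and the "display over other apps" permission, so a practical check after uninstalling is to look for any remaining third-party app that holds either. The script below is an added example, not part of the original article and not tooling from ThreatFabric or Google. It parses the text that three `adb shell` commands print (`pm list packages -3 -i`, `settings get secure enabled_accessibility_services`, `appops get <pkg> SYSTEM_ALERT_WINDOW`) so it can run offline; the package names and command outputs embedded here are constructed for illustration, and the output formats should be verified against your own device before relying on the regular expressions.

```python
"""Offline triage of Android device state for overlay/accessibility Trojan indicators.

Added example (not from the article, ThreatFabric or Google). All sample outputs are
constructed; package names such as com.example.docviewer are hypothetical.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of: adb shell pm list packages -3 -i
# (-3: third-party apps only; -i: include the installing package)
SAMPLE_PACKAGES = """\
package:com.example.docviewer  installer=com.android.vending
package:com.example.weather  installer=com.android.vending
package:com.example.sideloaded.tool  installer=null
"""

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# (colon-separated pkg/ComponentName list; the setting prints "null" when empty)
SAMPLE_A11Y = (
    "com.example.docviewer/com.example.docviewer.ReaderService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Constructed sample of: adb shell appops get <pkg> SYSTEM_ALERT_WINDOW, one entry per package
SAMPLE_APPOPS = {
    "com.example.docviewer": "SYSTEM_ALERT_WINDOW: allow; time=+2d4h12m ago",
    "com.example.weather": "No operations.",
    "com.example.sideloaded.tool": "SYSTEM_ALERT_WINDOW: allow; time=+5h ago",
}

# Accessibility services the analyst considers expected (assumption: maintained per fleet).
KNOWN_A11Y_PREFIXES = ("com.google.android.marvin.talkback/",)


def parse_packages(pm_output: str) -> dict[str, str]:
    """Map package name -> installer package ('null' if unknown) from pm output."""
    pkgs: dict[str, str] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def parse_enabled_a11y(setting: str) -> dict[str, list[str]]:
    """Map package -> enabled accessibility service components from the secure setting."""
    services: dict[str, list[str]] = {}
    if setting.strip() in ("", "null"):
        return services
    for comp in filter(None, setting.strip().split(":")):
        pkg = comp.split("/", 1)[0]
        services.setdefault(pkg, []).append(comp)
    return services


def overlay_allowed(appops_output: str) -> bool:
    """True when appops reports SYSTEM_ALERT_WINDOW as allowed for the package."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_output) is not None


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def triage(pm_output: str, a11y_setting: str, appops_by_pkg: dict[str, str]) -> list[Finding]:
    """Flag third-party packages with accessibility access, overlay rights or no installer.

    An app combining accessibility + overlay is the classic overlay-Trojan profile,
    so findings are ordered by number of reasons (most suspicious first).
    """
    pkgs = parse_packages(pm_output)
    a11y = parse_enabled_a11y(a11y_setting)
    findings: list[Finding] = []
    for pkg, installer in pkgs.items():
        reasons: list[str] = []
        for comp in a11y.get(pkg, []):
            if not comp.startswith(KNOWN_A11Y_PREFIXES):
                reasons.append(f"accessibility service enabled: {comp}")
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            reasons.append("may draw over other apps (SYSTEM_ALERT_WINDOW allowed)")
        if installer == "null":
            reasons.append("sideloaded (no installer package recorded)")
        if reasons:
            findings.append(Finding(pkg, reasons))
    findings.sort(key=lambda f: -len(f.reasons))  # stable: ties keep pm order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGES, SAMPLE_A11Y, SAMPLE_APPOPS):
        print(f.package)
        for r in f.reasons:
            print("   -", r)
```

Note that the flagged document viewer in the sample was installed by `com.android.vending`, i.e. Google Play; the installer field is recorded so that sideloaded apps can be called out, not because a Play-installed app is safe, which is the article's whole point.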
How to protect yourself from future Anatsa infections
Anatsa has proven that it can infiltrate Google Play time and time again, so an official store listing is not by itself a guarantee that an app is safe. Here are some key tips to keep your device protected:
- Only download apps from known or verified developers, and be wary of generic utilities (PDF readers, file viewers, QR scanners) from developers with no track record, since that is exactly the profile these droppers use.
- Check reviews from other users before installing any app.
- Pay attention to the permissions an app requests, especially if it asks for access to features it doesn't need. Be particularly suspicious if an app that installed cleanly starts asking for accessibility access or permission to display over other apps after an update; that is how the overlay and keylogging described above become possible.
- Keep your phone as clean as possible: fewer apps, less risk.
A Google spokesperson commented that all identified malicious apps have been removed from Google Play, and that users are automatically protected by Google Play Protect, which can warn or block apps that exhibit dangerous behavior on updated Android devices.