Warning: Anatsa Banking Trojan Hits 90,000 Android Users Via Google Play
Malicious software has once again surfaced on the official Google Play Store, masquerading as an innocuous utility. This time, the campaign targeted North America, where the Android banking trojan known as Anatsa—also referred to as TeaBot or Toddler—infected nearly 90,000 users by disguising itself as a PDF document viewer update.
The subterfuge was executed with remarkable sophistication. The app, named Document Viewer and bearing the package ID com.stellarastra.maintainer.astracontrol_managerreadercleaner, was purportedly developed by “Hybrid Cars Simulator, Drift & Racing.” At first, it performed its stated functions without raising suspicion, enabling it to gain traction and eventually rank fourth in the “Top Free — Tools” category by late June. However, six weeks after its debut, the app received an update embedding a malicious module that covertly downloaded the Anatsa trojan onto user devices.
Anatsa is engineered to steal sensitive banking credentials. Upon installation, it connects to an external command-and-control server to fetch a list of financial institutions to be targeted. It then enters the attack phase: when a user opens a banking app, Anatsa overlays a fake maintenance notification. While the victim waits for the supposed maintenance to conclude, the malware silently intercepts login credentials, logs keystrokes, and can even execute fraudulent transactions directly from the compromised device using a method known as Device-Takeover Fraud (DTO).
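The overlay step described above depends on the trojan drawing its fake maintenance screen on top of the legitimate banking app. The following Android snippet is an added illustration of the defender-side hardening a banking app can apply to its credential screen; it is not code from the article, from ThreatFabric, or from any app named here, and the activity, layout and view names are assumptions. It uses only platform APIs: FLAG_SECURE, Window.setHideOverlayWindows (API 31+, requires the normal permission android.permission.HIDE_OVERLAY_WINDOWS in the manifest) and View.setFilterTouchesWhenObscured.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.View;
import android.view.Window;
import android.view.WindowManager;

// Hypothetical login screen of a banking app (class, layout and view ids are
// assumptions for this example, not names from the article).
public class LoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_login);   // assumed layout id

        Window window = getWindow();

        // Keep the login surface out of screenshots, screen recordings and
        // non-secure displays, so credentials are not captured that way.
        window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                        WindowManager.LayoutParams.FLAG_SECURE);

        // Android 12+: ask the system to hide other apps' SYSTEM_ALERT_WINDOW
        // overlays while this window has focus, so a fake "maintenance"
        // screen cannot be drawn over the form. Requires the manifest entry
        // <uses-permission android:name="android.permission.HIDE_OVERLAY_WINDOWS"/>.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true);
        }

        // All API levels: discard touches that arrive while another window
        // obscures the form, so taps routed through an overlay never reach
        // the username and password fields.
        View form = findViewById(R.id.login_form);  // assumed view id
        form.setFilterTouchesWhenObscured(true);
    }
}
```

These controls address the overlay part of the attack chain only: hiding overlays and filtering obscured touches stops a fake screen from being drawn over the login form on current Android versions, but it does not by itself detect a malicious app already installed on the device, and the device-takeover behaviour the article mentions needs separate controls such as server-side transaction risk scoring.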
According to researchers at ThreatFabric, the operation follows a well-rehearsed playbook first observed in 2020: a developer profile is created, a legitimate app is published and allowed to accumulate a substantial number of installs, after which a malicious update is released. This strategy enables the trojan to infiltrate devices while evading Google’s default security checks.
What makes Anatsa particularly insidious is its intermittent dormancy: the malware alternates between periods of activity and periods in which it lies idle. This cyclical behavior allows it to evade detection systems and complicates forensic analysis. The tactic’s effectiveness is evidenced by its global footprint—previous campaigns have spanned from Slovakia to Canada—and the fact that the malware is once again being disseminated through Google Play, rather than third-party sources.
Sensor Tower reports indicate that the infected app was downloaded approximately 90,000 times, with active distribution lasting just one week, from June 24 to June 30. Despite the short timeframe, the damage was considerable: the trojan was able to target an expanded list of banking applications in the United States, significantly increasing the scale of financial fraud.
A particularly deceptive element of this attack was the use of fake maintenance messages, which not only diverted the user’s attention but also delayed any attempt to contact bank support, buying attackers more time to manipulate financial assets.
Given the scale of the compromise, ThreatFabric underscores the urgent need for financial institutions to assess their exposure and take proactive measures to shield their customers from further attacks.