
Cybersecurity researchers have discovered an Android banking malware campaign that utilizes a Trojan horse named Anatsa, which targets North American users, using a malicious app published on Google’s official app marketplace.
The malware, which pretends to be a “PDF update” to the document viewer app, provides a deceptive overlay when users try to access the banking application, claiming that the service was temporarily suspended as part of scheduled maintenance.
“This marks at least the third instance where Anatsa focuses its business on mobile banking customers in the US and Canada,” Dutch mobile security company Threatfabric said in a report shared with Hacker News. “Like the previous campaign, Anatsa is distributed through the official Google Play Store.”
Also known as Teabot and Toddlers, Anatsa is known to have been active since at least 2020 and is usually delivered to victims via the Dropper app.

Earlier last year, it was discovered that Anatsa was targeting Android device users from Slovakia, Slovenia and Czechia. This first uploaded a benign app that decorated the PDF reader and phone cleaner in the play store and introduced malicious code a week after its release.
Like other Android Banking Trojans, Anatsa can provide operators with the ability to steal credentials through overlays and keylog attacks, carry out device transaction fraud (DTO) and launch fraudulent transactions from the victim’s device.
ThreatFabric said the Anatsa campaign follows a predictable but well-oiled process, including establishing a developer profile in the App Store and publishing legitimate apps that work according to the ads.
“When an application gains a significant user base, updates are deployed and embed malicious code into the app, often with thousands or tens of thousands of downloads,” the company said. “This built-in code downloads and installs Anatsa as a separate application on your device.”
Malware receives a dynamic list of targeted financial and banking institutions from external servers, allowing attackers to perform account acquisitions, key logs, or fully automated transaction entitlement theft.

An important factor that allows Anatsa to avoid detection and maintain a high success rate is the cyclical nature of attacks scattered across periods of NO activity.
The newly discovered app targeting North American audiences is equipped with a document viewer (apk package name: “com.stellarastra.astracontrol_managerreadercleaner”) and is published by a developer named “Hybrid Car Simulator, Drift & Racing.” Both the app and associated developer accounts are no longer accessible in the Playback Store.
According to Sensor Tower statistics, the app was first published on May 7, 2025 and reached the fourth spot in the “Top Free -Tools” category on June 29, 2025. It is estimated that it has been downloaded about 90,000 times.
“The dropper followed Anatsa’s established Modus Operandi. It was originally launched as a legal app, but it was converted to malicious about six weeks after its release,” says Threatfabric. “The campaign’s distribution window was short but influential and ran from June 24th to 30th.”

The Anatsa variant is configured to target a broader set of banking apps in the US, reflecting the malware’s focus on leveraging regional financial entities, according to the company.
Another clever feature built into malware is the ability to display fake maintenance notifications when trying to access a target banking application. This tactic not only hides malicious activities that occur within the app, but also prevents customers from contacting the bank’s support team, thereby delaying detection of financial fraud.
“The latest business relied on established tactics targeting local financial institutions as well as expanding its reach,” Threatfabric said. “Organisations in the financial sector are encouraged to review the intelligence provided and assess potential risks or impacts on customers and systems.”
Source link