Anatsa Android Banking Trojan Hits 90,000 Users with Fake PDF App on Google Play


July 08, 2025 Ravie Lakshmanan Malware / Mobile Security

Cybersecurity researchers have discovered an Android banking malware campaign that uses a trojan named Anatsa to target users in North America through malicious apps published on Google's official app marketplace.

The malware, disguised as a "PDF update" for a document viewer app, was caught serving a deceptive overlay when users tried to open their banking app, claiming that the service had been temporarily suspended for scheduled maintenance.

"This marks at least the third instance of Anatsa concentrating its operations on mobile banking customers in the United States and Canada," Dutch mobile security company ThreatFabric said in a report shared with The Hacker News. "As with previous campaigns, Anatsa is distributed via the official Google Play Store."

Anatsa, also known as TeaBot and Toddler, has been active since at least 2020 and is typically delivered to victims via dropper apps: seemingly benign apps that later fetch and install the actual payload.

Early last year, Anatsa targeted Android users in Slovakia, Slovenia and Czechia by first uploading benign apps posing as PDF readers and phone cleaners to the Play Store, then introducing the malware a week after release.

Like other Android banking trojans, Anatsa gives its operators features designed to steal credentials through overlay and keylogging attacks, and to carry out device takeover (DTO) fraud, launching fraudulent transactions directly from the victim's device.

ThreatFabric said Anatsa campaigns follow a predictable but well-oiled process: the operators set up a developer profile on the app store, then publish a legitimate app that works as advertised.

"Once the app gains a substantial user base – often in the thousands or tens of thousands of downloads – an update is deployed that embeds malicious code into the app," the company said. "This embedded code downloads and installs Anatsa on the device as a separate application."

The malware then receives a dynamic list of targeted financial and banking institutions from an external server, allowing the attackers to carry out credential theft for account takeover, keylogging, or fully automated transactions via DTO.
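The dropper pattern described above leaves a trace that a device owner or fleet administrator can check for: the payload is installed by the Play-distributed dropper, not by the Play Store, so its recorded installer is another user-installed app. The following script is an added example, not ThreatFabric's tooling or code from the article. It parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer), flags anything not installed by the Play Store, and escalates the case where the installer is itself a Play-installed app, which is the dropper-to-payload relationship Anatsa relies on. It assumes a Play-only fleet (the trusted installer set is an assumption); the sample inventory and all package names other than the Play Store are constructed and hypothetical.

```python
"""Triage an Android third-party package inventory for dropper-installed apps.

Input format (one line per package, as printed by `pm list packages -3 -i`):
    package:<name>  installer=<installer package or null>
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: the fleet installs apps only through Google Play. Anything
# else (another app, the bare system installer UI, or no recorded
# installer) deserves review. Add vendor stores here if you use them.
TRUSTED_INSTALLERS = {"com.android.vending"}

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    reason: str


def parse_pm_output(text: str) -> dict[str, str]:
    """Map package name -> installer. Lines not in the expected format are skipped."""
    inventory: dict[str, str] = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            inventory[m.group("pkg")] = m.group("installer")
    return inventory


def triage(inventory: dict[str, str]) -> list[Finding]:
    """Return every package whose installer is not trusted, with a reason.

    The strongest signal is a package installed by another third-party
    package that itself came from the Play Store: that is exactly how a
    Play-distributed dropper delivers its payload as a separate app.
    """
    findings: list[Finding] = []
    for pkg, installer in sorted(inventory.items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        if installer == "null":
            reason = "no recorded installer (sideloaded or pre-loaded)"
        elif installer in inventory and inventory[installer] in TRUSTED_INSTALLERS:
            reason = f"installed by Play-distributed app {installer}: dropper pattern"
        elif installer in inventory:
            reason = f"installed by another third-party app {installer}"
        else:
            reason = f"installed by {installer} (not the Play Store)"
        findings.append(Finding(pkg, installer, reason))
    return findings


# Constructed sample of `adb shell pm list packages -3 -i` output (not a
# real capture). Every package name below except the Play Store is hypothetical.
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.pdfviewer  installer=com.android.vending
package:com.example.pdfviewer.update  installer=com.example.pdfviewer
package:com.example.sideloaded  installer=com.google.android.packageinstaller
package:com.example.preloaded  installer=null
"""

if __name__ == "__main__":
    for f in triage(parse_pm_output(SAMPLE_PM_OUTPUT)):
        print(f"{f.package:40} {f.reason}")
```

Run it against a real device with `adb shell pm list packages -3 -i > inventory.txt` and feed the file to `parse_pm_output`. A "dropper pattern" finding is not proof of malware (legitimate app stores and launchers install other packages too), but on a consumer device a PDF viewer or cleaner that has installed a second package is exactly the situation this campaign creates and is worth pulling the APK for analysis.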

A crucial factor that allows Anatsa to evade detection and maintain a high success rate is its cyclical nature, with bursts of activity interspersed with periods of dormancy.

The newly discovered app targeting North American users masquerades as a document viewer (APK package name: "com.stellarastra.maintainer.Atracontrol_Managerrenercleaner") and was published by a developer named "Hybrid Cars Simulator, Drift & Racing". Both the app and the associated developer account are no longer accessible on the Play Store.

Statistics from Sensor Tower show that the app was first published on May 7, 2025, and reached fourth place in the "Top Free - Tools" category on June 29, 2025. It is estimated to have been downloaded about 90,000 times.

"This dropper followed Anatsa's established modus operandi: initially launched as a legitimate app, it was turned malicious roughly six weeks after its release," ThreatFabric said. "The distribution window for this campaign was short but impactful, from June 24 to 30."

The Anatsa variant, according to the company, is also configured to target a broader set of banking apps in the United States, reflecting the malware's growing focus on financial institutions in the region.

Another clever feature built into the malware is its ability to display a fake maintenance notice when the user tries to open a targeted banking app. This tactic not only hides the malicious activity taking place in the app, but also discourages customers from contacting the bank's support team, delaying detection of the fraud and widening the window in which transactions can be pushed through.

"The latest operation has not only expanded its scope but has also relied on well-established tactics against financial institutions in the region," ThreatFabric said. "Financial sector organizations are encouraged to review the intelligence provided and assess any potential risk or impact on their customers and systems."
