A sophisticated Android banking malware campaign has infected 90,000 users in multiple countries, with researchers uncovering that the Anatsa trojan was distributed through a malicious PDF app listed on the official Google Play Store.
Disguised as a Document Viewer
According to a mobile security firm, the trojan was disguised as a legitimate app called Document Viewer – File Reader by a developer named Hybrid Cars Simulator, Drift & Racing. Initially a functional PDF viewer, the app quietly embedded malicious code weeks after launch, turning it into an attack tool.
The app reportedly reached the #4 spot in the “Top Free – Tools” category before Google removed it. Sensor Tower data estimates the app was downloaded about 90,000 times during its brief but impactful campaign between June 24–30, 2025.
Algoritha: The Most Trusted Name in BFSI Investigations and DFIR Services
How the Attack Works
Anatsa also known as TeaBot or Toddler is a banking trojan active since 2020, designed to steal credentials, log keystrokes, and even take over devices to perform automated fraudulent transactions.
The attackers follow a repeatable pattern:
- Publish a benign app on Google Play.
- Wait for it to gain thousands of installs and positive reviews.
- Push a malicious update embedding a dropper.
- Install the Anatsa payload on devices silently.
Once installed, Anatsa fetches a list of targeted banks and overlays fake login screens to harvest credentials.
One clever feature in this campaign was the fake maintenance notice shown when victims opened their banking app. This not only masked the attack but also delayed victims from contacting their banks, giving attackers more time to exploit accounts.
Expanding Target in North America
While Anatsa previously targeted banking users in Europe, this campaign marks its third major wave aimed at U.S. and Canadian users, showing a clear shift in focus. Researchers note that the malware’s cyclical activity alternating between quiet and active periods makes it harder to detect.
FCRF x CERT-In Roll Out National Cyber Crisis Management Course to Prepare India’s Digital Defenders
What Users and Banks Should Do
If you downloaded Document Viewer – File Reader or apps from suspicious developers, you should:
- Uninstall the app immediately.
- Run a full device scan with a trusted mobile security tool.
- Change your banking and email passwords, and enable two-factor authentication.
- Monitor accounts for unauthorized transactions and report suspicious activity to your bank.
Financial institutions are advised to review the campaign’s indicators of compromise (IoCs) and assess potential risks to their customers.
About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.