The Anatsa banking trojan has resurfaced on the Google Play Store, this time hiding inside a fake PDF viewer app called “Document Viewer – File Reader”, published by Hybrid Cars Simulator, Drift & Racing.

Before being taken down by Google, the malicious app was downloaded more than 50,000 times.

According to security researchers at Threat Fabric, the malware becomes active as soon as the app is installed. It monitors when users open North American banking apps, then displays a fake “scheduled maintenance” message over the app’s interface. This allows the malware to run unnoticed in the background, logging keystrokes, stealing credentials, and even automating fraudulent transactions.

The tactic follows a pattern previously used by Anatsa operators—keeping the app clean until it gains popularity, then introducing a malicious update. That update downloads the trojan payload from a remote server, installs it as a separate app, and connects to a command-and-control server to receive instructions and a list of targeted banking apps. In this case, the app began delivering the malicious code between June 24 and June 30, about six weeks after its initial release.

Threat Fabric has tracked several similar campaigns over the years. In November 2021, one Anatsa campaign reached 300,000 downloads. Others in June 2023 and February 2024 reached 30,000 and 150,000 downloads, respectively. In May 2024, two other apps posing as PDF and QR readers delivered Anatsa to 70,000 users.

A Google spokesperson confirmed the app has been removed and stated, “Users are automatically protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.”


Buy ExpressVPN with PayPal or Credit Card
READ
China Could Trigger Massive Blackouts Across Europe Through Solar Inverters, Report Warns

Users who installed the app are advised to uninstall it immediately, scan their device using Play Protect, and reset their banking credentials. To stay safe, only install apps from trusted developers, review app permissions carefully, and limit unnecessary apps on your device.

Advertisement