Connect with us

Hi, what are you looking for?


Malware & Threats

Anatsa Banking Trojan Delivered via Google Play Targets Android Users in US, Europe

Malicious applications with over 30,000 installs in Google Play have infected Android devices with the Anatsa banking trojan.

Android users in at least five countries have been targeted with the Anatsa banking trojan via malicious droppers uploaded to Google Play, threat detection firm ThreatFabric reports.

The identified droppers, which amassed over 30,000 installs via the application store, were designed to make a request to a GitHub page to fetch a URL that would download the final payload, also from GitHub.

The first dropper was discovered in March 2023, posing as a PDF reader application, with the trojan posing as an addon for it.

Google removed the malicious application shortly after being notified, but a second dropper, also posing as a PDF reader and employing the same infection chain, emerged one month later.

After this malicious application was removed, another dropper (also PDF reader) emerged within one month, with two others (both document readers) identified in May and June. In fact, ThreatFabric says, the most recent dropper is still available for download in Google Play.

According to the security firm, each of the identified droppers received an update at one point in time, likely to add malicious functionality to it.

“Our analysis also reveals that the actors can have several apps published in the store at the same time under different developer accounts, however, only one is acting as malicious, while the other is a backup to be used after takedown,” ThreatFabric notes.

Advertisement. Scroll to continue reading.

The ongoing campaign targets banks from US, UK, Germany, Austria, and Switzerland, but the Anatsa trojan’s target list contains over 600 mobile banking applications worldwide.

Users were drawn to the malicious applications via advertisements directing them to Google Play, which likely created a false sense of security.

Using overlays, the malware can steal sensitive information such as credentials, credit card data, and balance and payment information, which threat actors then use to initiate fraudulent transactions, via device-takeover fraud (DTO).

“Since transactions are initiated from the same device that targeted bank customers regularly use, it has been reported that it is very challenging for banking anti-fraud systems to detect them,” ThreatFabic notes.

The security firm, which has been monitoring Anatsa since 2020, also discovered that trojan iterations used in this campaign can target more than 90 new mobile banking applications from Finland, Germany, Singapore, Spain, and South Korea.

“While the droppers are not distributed in all of these countries, it definitely reveals plans to target those regions,” ThreatFabric notes.

Related: New Android Trojans Infected Many Devices in Asia via Google Play, Phishing

Related: ‘Nexus’ Android Trojan Targets 450 Financial Applications

Related: ‘Schoolyard Bully’ Android Trojan Targeted Facebook Credentials of 300,000 Users

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...