Anatsa Android Banking Malware from Google Play Targeting Users in the U.S. and Canada

ThreatFabric researchers have identified a sophisticated new campaign by the Anatsa banking trojan specifically targeting mobile banking customers across the United States and Canada, marking the malware’s third major offensive against North American financial institutions. The latest campaign represents a significant escalation in the threat landscape, with cybercriminals successfully infiltrating the official Google Play Store to distribute their malicious payload disguised as legitimate applications. Security researchers report that the malware has already achieved over 50,000 downloads before detection and removal.

Sophisticated Device Takeover Capabilities

Anatsa, also known as TeaBot, is a highly sophisticated banking trojan that has been actively monitored by cybersecurity experts since 2020. The malware specializes in device takeover attacks, enabling cybercriminals to steal banking credentials through overlay attacks, log keystrokes, and execute fraudulent transactions directly from infected devices. ThreatFabric researchers classify the group behind Anatsa as “one of the most prolific operators in the mobile crimeware landscape,” noting their consistently high success rates across multiple campaigns.

The Anatsa campaign follows a calculated multi-stage approach designed to evade detection. Threat actors first establish legitimate developer profiles on Google Play and upload seemingly benign applications such as PDF readers, phone cleaners, or file managers.
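The pattern described above (a utility-style listing that later needs overlay and accessibility capabilities and pulls in code at runtime) is what a defender can score for during app vetting or fleet review. The following is an added illustration, not ThreatFabric's tooling or anything from the campaign itself: it scores constructed app-metadata records on the combination of a benign-looking category with overlay permission, a declared accessibility service, and runtime code loading, which together resemble the dropper-plus-overlay behaviour the article describes. The package names, categories and weights are assumptions chosen for the example.

```python
"""Heuristic triage of Android app metadata for dropper/overlay indicators.

Added example for this article; not ThreatFabric's code. Records, package
names and score weights are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Android permission strings relevant to the behaviours the article describes.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"          # draw over other apps
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"  # read/inject UI
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"     # side-load a payload
SMS = "android.permission.RECEIVE_SMS"                      # intercept OTP codes

# Listing categories that rarely need any of the above (assumption for the heuristic).
BENIGN_UTILITY = {"pdf_reader", "cleaner", "file_manager"}


@dataclass
class AppRecord:
    """Minimal metadata a vetting pipeline might extract from a manifest/listing."""
    package: str
    category: str                      # what the store listing claims the app is
    permissions: set = field(default_factory=set)
    accessibility_service: bool = False  # manifest declares an AccessibilityService
    downloads_code: bool = False         # fetches and loads DEX/APK code at runtime


def score_app(app: AppRecord) -> tuple:
    """Return (score, reasons) for one app. Higher means more dropper-like."""
    score = 0
    reasons = []
    utility = app.category in BENIGN_UTILITY
    if app.accessibility_service and utility:
        score += 3
        reasons.append("utility listing declares an accessibility service")
    if OVERLAY in app.permissions and utility:
        score += 2
        reasons.append("utility listing requests overlay permission")
    if app.downloads_code:
        score += 3
        reasons.append("loads code fetched at runtime (dropper pattern)")
    if INSTALL in app.permissions:
        score += 2
        reasons.append("can request package installation")
    if SMS in app.permissions and utility:
        score += 1
        reasons.append("utility listing reads SMS")
    return score, reasons


def triage(apps, threshold: int = 5) -> list:
    """Return [(package, score, reasons)] for apps at or above the threshold."""
    flagged = []
    for app in apps:
        score, reasons = score_app(app)
        if score >= threshold:
            flagged.append((app.package, score, reasons))
    return flagged


# Constructed sample input (not real packages from the campaign).
SAMPLE_APPS = [
    AppRecord("com.example.pdfviewer.clean", "pdf_reader",
              {"android.permission.INTERNET", OVERLAY, INSTALL},
              accessibility_service=True, downloads_code=True),
    AppRecord("com.example.simplepdf", "pdf_reader",
              {"android.permission.INTERNET"}),
    AppRecord("com.example.bankapp", "banking",
              {"android.permission.INTERNET", OVERLAY}),
    AppRecord("com.example.cleaner", "cleaner",
              {"android.permission.INTERNET", OVERLAY}),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_APPS):
        print(f"{package}: score {score}")
        for r in reasons:
            print(f"  - {r}")
```

Only the first record crosses the threshold: it combines every indicator, whereas the cleaner that merely requests overlay permission scores 2 and is left for manual review rather than flagged. Weights should be tuned against an organisation's own app inventory; the point is that none of these signals is damning alone, and the combination is what mirrors the staged delivery described above.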