Google Play Under Siege: Fake PDF App Infected 90K Users with Anatsa Trojan

Anatsa Banking Trojan Hits 90,000 Android Users Through Fake PDF App on Google Play

A recent wave of cyberattacks has exposed tens of thousands of Android users in North America to a powerful banking trojan, Anatsa, delivered through a deceptive app posing as a PDF reader on the official Google Play Store.


Fake PDF App, Real Financial Threat

Cybersecurity researchers at ThreatFabric uncovered that the malware campaign revolved around a malicious app called “PDF Update”, which functioned as a document viewer. Once installed, the app secretly deployed the Anatsa trojan — also known as TeaBot or Toddler — to gain access to users’ banking credentials and initiate fraudulent transactions.

When a victim opened a targeted banking app, Anatsa displayed a fake overlay mimicking a “scheduled maintenance” notice. The notice locked the victim out of the app while the malware harvested credentials and carried out fraudulent activity in the background, masking that activity from the user.

Third Time’s a Threat in North America

This marks the third major campaign by Anatsa targeting users in the U.S. and Canada, with previous operations tracing back to at least 2020. The malware has consistently used the Play Store as its distribution channel, sneaking into devices via seemingly legitimate apps before deploying its malicious payload.

"Once the application gains a substantial user base—often tens of thousands of downloads—an update is deployed, embedding malicious code into the app," ThreatFabric noted.

The Dropper Strategy: Hidden in Plain Sight

The recent campaign used a dropper app published under the name “Hybrid Cars Simulator, Drift & Racing,” with the package name:

com.stellarastra.maintainer.astracontrol_managerreadercleaner

This app appeared harmless and even reached the #4 spot in Google Play’s “Top Free - Tools” category by June 29, 2025, just weeks after its release on May 7, 2025. However, researchers found that a malicious update was pushed about six weeks after release, turning the previously clean app into a fully functional banking trojan dropper.

How Anatsa Works

Once active, Anatsa downloads a second-stage payload to:

  • Overlay fake banking login screens

  • Keylog sensitive user input

  • Take full control of the device to carry out fraudulent transactions (device-takeover fraud, or DTO)

  • Lock the victim out of the banking app behind a fake maintenance notice while fraud is carried out

To avoid detection, the malware operates in waves, alternating between periods of activity and dormancy.
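The dropper pattern described above (a clean app accumulates installs, then an update adds the malicious behaviour) leaves a trace an analyst can look for: the capabilities an app declares change between versions. The following is an added example, not ThreatFabric's tooling or code from the campaign. It takes a per-version permission inventory (something one could build by running `aapt dump permissions` over each archived APK of a package) and flags any update that adds overlay, accessibility, package-install or SMS capabilities the previous version lacked. The watch-list, the package name `com.example.docviewer`, and the version data are constructed for illustration; the dates are loosely modelled on the article's timeline.

```python
"""Triage helper: flag app updates that add high-risk capabilities.

Added example, not code from the article or from ThreatFabric.
The permission watch-list and the sample inventory are assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Capabilities that let an app draw over other apps, read or inject UI,
# install further packages, or read one-time codes. Illustrative choice,
# not taken from the article.
HIGH_RISK = frozenset({
    "android.permission.SYSTEM_ALERT_WINDOW",        # overlays over other apps
    "android.permission.BIND_ACCESSIBILITY_SERVICE", # read screen / inject input
    "android.permission.REQUEST_INSTALL_PACKAGES",   # install a second stage
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
})


@dataclass(frozen=True)
class Version:
    code: int              # android:versionCode
    released: date         # date the version appeared
    permissions: frozenset  # permissions declared in the manifest


@dataclass(frozen=True)
class Finding:
    package: str
    from_code: int
    to_code: int
    days_after_first_release: int  # how long the app looked clean
    added: tuple                   # newly declared HIGH_RISK permissions


def risky_updates(package, versions):
    """Return one Finding per update that adds a HIGH_RISK permission
    the previous version did not declare. Versions may be given in any order."""
    ordered = sorted(versions, key=lambda v: v.code)
    if not ordered:
        return []
    first_release = ordered[0].released
    findings = []
    for prev, cur in zip(ordered, ordered[1:]):
        added = (cur.permissions - prev.permissions) & HIGH_RISK
        if added:
            findings.append(Finding(
                package, prev.code, cur.code,
                (cur.released - first_release).days,
                tuple(sorted(added)),
            ))
    return findings


# Constructed sample inventory (hypothetical package, dates modelled on the
# article's "released May 7, malicious update about six weeks later").
SAMPLE_PACKAGE = "com.example.docviewer"
BASE = frozenset({
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
})
SAMPLE_VERSIONS = [
    Version(1, date(2025, 5, 7), BASE),
    Version(2, date(2025, 5, 21), BASE | {"android.permission.POST_NOTIFICATIONS"}),
    Version(3, date(2025, 6, 18), BASE | {
        "android.permission.POST_NOTIFICATIONS",
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.REQUEST_INSTALL_PACKAGES",
    }),
]


def demo():
    return risky_updates(SAMPLE_PACKAGE, SAMPLE_VERSIONS)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.package}: v{f.from_code} -> v{f.to_code} "
              f"({f.days_after_first_release} days after first release) "
              f"added {', '.join(f.added)}")
```

A permission delta is a heuristic, not proof. The article notes that Anatsa pulls its second stage at runtime, so a dropper whose first version already declares the permissions it will later need, or one that loads downloaded code that only uses what was already granted, produces no manifest change at all; the check is a cheap first filter to pair with inspection of dynamic code loading and network behaviour in the updated version.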

Targeting Financial Institutions at Scale

This latest Anatsa variant had a broader scope, targeting more U.S. financial institutions than in past campaigns. Its success underscores the increasing sophistication and reach of mobile banking threats.

“The latest operation not only broadened its reach but also relied on well-established tactics aimed at financial institutions in the region,” said ThreatFabric. “Organizations in the financial sector are encouraged to assess the risks and implement necessary defenses.”
