Anatsa Trojans Strike U.S. and Canadian Mobile Bankers

Security analysts have uncovered a new campaign delivering the Anatsa Android banking trojan to users in the U.S. and Canada via a seemingly legitimate app on Google Play. This marks the third major wave of North American targeting by the threat actor, raising fresh concerns around mobile banking security.

The malicious app, masked as a “Document Viewer – File Reader,” climbed into the U.S. top‑three list for free tools before being weaponised roughly six weeks after its initial May release. Downloads reached at least 50,000 before Google removed the app in early July.

Anatsa’s operators employ a proven two‑stage infiltration tactic: a benign‑looking utility app is first published, allowed to amass users, then updated to include a dropper that silently installs the trojan. Once deployed, Anatsa connects to a command‑and‑control server to retrieve configuration files listing targeted banking apps.

The malware is capable of credential harvesting through keystroke logging and overlay screens, and can perform automated device‑takeover fraud. A newly identified overlay message reads, “Scheduled Maintenance … enhancing our services,” blocking customer access to banking apps and delaying detection.


This campaign is noteworthy for its expanded U.S. bank target list. ThreatFabric has confirmed the inclusion of major institutions such as JPMorgan, Capital One, TD Bank and Charles Schwab in the trojan’s hit‑list.

Analysts warn that Anatsa’s operators are evolving their methods. Cequence CISO Randolph Barr anticipates future variants may use “AI‑personalised overlays” to bypass multi‑factor authentication or employ real‑time modular payloads loaded post‑installation.

This campaign parallels earlier Anatsa outbreaks: one in mid‑2024 affected around 70,000 users in Europe by mimicking QR code and PDF reader apps, and an earlier wave in June 2023 infected approximately 30,000 North American users.

Google has removed the fraudulent app and Play Protect has flagged similar threats. Users are urged to uninstall the Document Viewer–style app, run full scans via Play Protect, and reset any banking credentials.

Experts recommend cautious scrutiny of app permissions, developer credentials, and user reviews—even for apps from official stores. Financial institutions are advised to intensify monitoring of anomalous login activity and deploy alerts for account takeover patterns.

Mobile banking continues to lure sophisticated trojans like Anatsa. As its operators refine their techniques and broaden geographic targeting, both end users and institutions face growing responsibility to defend against a landscape where even official marketplaces are not fool‑proof.


Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

