Android malware Anatsa infiltrates Google Play targeting banks worldwide

ThreatFabric researchers have discovered a new sophisticated campaign by the Anatsa banking trojan targeting mobile banking users in the U.S. and Canada. This is the malware’s third major attack on North American financial institutions.

The latest campaign marks a serious increase in threats, as cybercriminals have breached the official Google Play Store to distribute malware disguised as real apps. Security researchers have revealed that the malware has surpassed 50,000 downloads prior to its detection and subsequent removal.

Anatsa, or TeaBot, is a sophisticated banking trojan that has been under surveillance by cybersecurity experts since 2020. Researchers at ThreatFabric label the Anatsa group as a leading force in mobile crimeware, highlighting their high success rates in various campaigns. The Anatsa campaign uses a strategic multi-stage method to avoid detection.

Threat actors create fake developer profiles on Google Play and upload harmless-looking apps like PDF readers and phone cleaners. A harmful PDF reader app reached the top three in the US Google Play Store’s “Top Free Tools” just six weeks after its launch. Security analysis shows that Anatsa uses tricky overlay attacks against banking apps.

When victims attempt to access their mobile banking apps, the malware displays fake maintenance messages reading “Scheduled Maintenance: We are currently enhancing our services and will have everything back up and running shortly. Thank you for your patience.”

The malware can now target over 650 banks worldwide, especially in North America, including JP Morgan, Capital One, TD Bank, and Schwab. The brief distribution from June 24-30 shows how operators effectively cause damage while reducing their risk of detection.

Cybersecurity experts are warning financial institutions to promptly inform customers about the dangers of downloading apps from any source, even official app stores.