Anatsa banking trojan Archives

AppWizard

August 26, 2025

77 Malicious Android Apps With 19M Installs Targeted 831 Banks Worldwide

Zscaler’s ThreatLabz team identified 77 malicious applications on the Google Play Store with over 19 million installations, which target financial institutions and compromise user data. A new variant of the Anatsa banking trojan, also known as TeaBot, now targets over 831 banks globally, up from 650, and has expanded its reach to countries like Germany and South Korea. Many of these apps disguise themselves as document readers, with some exceeding 50,000 downloads. The malware downloads the Anatsa payload after installation and uses Android’s Accessibility Services to automate malicious activities, including stealing financial information and facilitating fraudulent transactions. The malware employs techniques to evade detection, such as obfuscating its code and using corrupted ZIP archives. The most prevalent Android malware identified was Joker, found in nearly 25% of the analyzed applications, known for stealing contacts and device data. A smaller subset of apps contained “maskware,” which engages in credential theft and personal data collection.

AppWizard

August 26, 2025

Dangerous Android banking trojan found lurking in malicious apps with 19 million installs — don’t fall for this

Zscaler’s ThreatLabs team discovered 77 malicious applications on the Google Play Store that accumulated 19 million downloads. These apps, disguised as utilities like PDF readers and flashlight tools, used fake reviews and misleading ads to attract users. Upon installation, they would download a malicious payload, including the Anatsa banking trojan, which overlays fake login screens to steal user credentials. Additionally, the Joker malware was found in 25% of these apps, capable of taking screenshots, accessing device information, and signing users up for premium services without consent. Users are advised to limit app installations, scrutinize reviews, activate Google Play Protect, and consider antivirus applications for enhanced security against malware.

AppWizard

August 25, 2025

Malicious Android apps with 19M installs removed from Google Play

Zscaler's ThreatLabs team discovered 77 malicious Android applications on Google Play that collectively garnered over 19 million downloads. The Anatsa (Tea Bot) banking trojan was identified as the main threat, evolving to target 831 banking and cryptocurrency apps. More than 66% of the malicious apps contained adware, while nearly 25% were infected with Joker malware, which can perform intrusive actions like sending texts and accessing sensitive information. A variant of Joker, named Harly, disguises itself within legitimate applications. Anatsa employs various evasion tactics, including using a decoy app to download its payload post-installation and altering package names to complicate detection. Following the findings, Google removed the identified malicious apps from the Play Store, and users are advised to ensure their Play Protect service is active and to take precautions if infected.

AppWizard

July 9, 2025

Android malware Anatsa infiltrates Google Play to target US banks

The Anatsa banking trojan has reappeared on Google Play as a PDF viewer app, accumulating over 50,000 downloads. It activates upon installation, targeting North American banking applications by presenting an overlay that allows unauthorized access, keylogging, and transaction automation. Researchers from Threat Fabric discovered that the app displays a fake notification about banking system maintenance to mask its activities. Anatsa has a history of infiltrating Google Play through various trojanized applications, with previous campaigns resulting in 300,000 downloads in November 2021, 30,000 in June 2023, and 150,000 in February 2024. In May 2024, Zscaler reported two new Anatsa applications on Google Play, achieving 70,000 downloads. The specific app identified is ‘Document Viewer – File Reader,’ published by ‘Hybrid Cars Simulator, Drift & Racing,’ which maintains a “clean” appearance until it builds a user base, after which malicious code is introduced via an update. Anatsa connects to a command-and-control server to monitor targeted applications. Google has removed the malicious app, advising users to uninstall it, scan their devices, and reset banking credentials. Users are encouraged to download apps only from reputable publishers and be cautious with permissions and reviews. Google Play Protect automatically protects users from known malicious apps.

AppWizard

March 6, 2025

Android App With 220,000+ Downloads From Google Play Installs Banking Trojan

A sophisticated Android banking trojan campaign, known as Anatsa or TeaBot, has been downloaded over 220,000 times from the Google Play Store before its removal. The malware targets global financial institutions using a multi-stage infection process, deploying fake login overlays and exploiting accessibility services to steal user credentials and perform unauthorized transactions. The malicious app disguised itself as a "File Manager and Document Reader" and acted as a dropper, retrieving additional payloads from remote servers. It uses reflection-based code execution to evade detection and conducts anti-emulation checks to confirm it is on a genuine device. Anatsa requests critical permissions, including accessibility services and SMS access, to log keystrokes and bypass two-factor authentication. The campaign primarily targets users in Europe, especially Slovakia, Slovenia, and Czechia, but has the potential to expand to markets like the U.S., South Korea, and Singapore. It targets over 600 banking and cryptocurrency applications, enabling on-device fraud through automated transaction systems. Users are advised to avoid sideloading apps, audit app permissions, and monitor for updates from official stores. Google has removed the identified dropper, but similar threats persist. Indicators of compromise include specific network URLs and an MD5 hash for a sample.

AppWizard

March 6, 2025

Malicious Android App on Google Play Compromises 220,000+ Devices

Security researchers at ThreatLabz have identified a malware campaign operating through the Google Play Store that disseminated the Anatsa banking trojan, also known as TeaBot. The malicious app, disguised as a file manager and document reader, was downloaded over 220,000 times before its removal. The app initiated a multi-stage payload retrieval process after users granted accessibility permissions, allowing it to download the Anatsa payload and turn infected devices into tools for financial fraud. Anatsa uses overlay attacks and credential harvesting techniques, displaying fake login screens for banking applications to capture user credentials. It targets financial institutions across North America, Europe, and Asia, particularly mobile banking platforms. The malware employs evasion techniques, including delayed activation and encrypted communication, and maintains persistence by checking for accessibility service permissions. Initial data indicates concentrated infections in regions with high mobile banking usage, and the app's multilingual interface suggests a global targeting strategy. Google removed the app within 48 hours of the disclosure but it had been present for approximately eight weeks before detection. Google has initiated a mass uninstallation campaign for affected devices, while users are advised to perform factory resets, monitor financial accounts, enable Google Play Protect, and avoid granting permissions to unfamiliar apps. Investigations are ongoing to identify the threat actors, with links to Eastern European cybercrime syndicates suggested.

AppWizard

July 5, 2024

New Google Play Store Warning As Dangerous Threat Returns

Google's Play Store is facing a reappearance of dangerous malware known as Anatsa, a banking trojan that steals financial information. Despite previous assurances from Google about removing malicious apps, Anatsa has resurfaced disguised as a QR reader and file manager. Users are advised to stick to official app stores, check developers and reviews, avoid unnecessary permissions, avoid clicking on links for app downloads, and be cautious with installing apps linked to popular ones.

AppWizard

June 4, 2024

THESE Android apps are stealing money from your bank account

Ansta virus is attacking Android users' bank accounts through dangerous apps available on Google's Play Store.

AppWizard

June 3, 2024

Anatsa banking Trojan plagues Android apps

Anatsa is a sophisticated threat to Android apps, particularly e-banking security. It has breached Google Play, resulting in at least 150,000 infiltrations via deceptive apps. Anatsa uses persistent evasion strategies, including a four-stage payload uploading process, to remain undetected while harvesting information. Users can protect themselves by downloading apps from trusted sources, maintaining regular device software updates, and utilizing dependable security software.

AppWizard

May 30, 2024

Nearly 100 malicious apps with 5.5 million installs spreading malware on Play Store — protect yourself now

- Cybersecurity experts have identified over 90 malicious apps on the Google Play Store, downloaded 5.5 million times. - Two particularly dangerous apps, PDF Reader & File Manager by TSARKA Watchfaces and QR Reader & File Manager by risovanul, have been highlighted and should be immediately uninstalled. - These apps were used to distribute the Anatsa banking trojan, targeting over 650 banking applications worldwide. - To stay safe from malicious apps, users should be selective about the apps they install, consider reputable developers, opt for paid apps, scrutinize ratings and reviews, enable Google Play Protect, and consider using Android antivirus apps.