banking Trojan

AppWizard
July 9, 2025
The Anatsa banking trojan has reappeared on Google Play as a PDF viewer app, accumulating over 50,000 downloads. It activates upon installation, targeting North American banking applications by presenting an overlay that allows unauthorized access, keylogging, and transaction automation. Researchers from ThreatFabric discovered that the app displays a fake notification about banking system maintenance to mask its activities. Anatsa has a history of infiltrating Google Play through various trojanized applications, with previous campaigns resulting in 300,000 downloads in November 2021, 30,000 in June 2023, and 150,000 in February 2024. In May 2024, Zscaler reported two new Anatsa applications on Google Play, achieving 70,000 downloads. The specific app identified is ‘Document Viewer – File Reader,’ published by ‘Hybrid Cars Simulator, Drift & Racing,’ which maintains a “clean” appearance until it builds a user base, after which malicious code is introduced via an update. Anatsa connects to a command-and-control server to monitor targeted applications. Google has removed the malicious app, advising users to uninstall it, scan their devices, and reset banking credentials. Users are encouraged to download apps only from reputable publishers and be cautious with permissions and reviews. Google Play Protect automatically protects users from known malicious apps.
AppWizard
June 17, 2025
A new strain of malware called "Crocodilus" is targeting Android users, designed to steal funds. It spreads through advertisements on social media that entice users to download an app with promises of rewards. Once installed, the malware can modify the user's contact list, adding numbers under trustworthy names like "Bank Support" to deceive victims. Security experts from ThreatFabric warn that this malware represents a significant threat and recommend that users download apps only from trusted sources like the Google Play Store and verify app developer credentials and user reviews before installation.
AppWizard
February 2, 2025
Over 90 malicious Android applications were found on Google Play, including the banking trojan Anatsa, which has contributed to 5.5 million downloads across these apps. Google removed the identified apps from the Play Store after the report, which highlighted that Anatsa targets over 650 financial institutions. Two infected apps, disguised as PDF and QR code readers, had over 70,000 downloads before being reported. Anatsa operates stealthily, stealing banking information while appearing as benign applications. Other malware threats on Google Play include Joker, Facestealer, and Coper. Users are advised to be cautious when downloading apps and to scrutinize requested permissions. The two Anatsa-infected apps are no longer available, and the developers have been banned. Google Play Protect helps safeguard users by removing known malicious apps.
AppWizard
November 8, 2024
A new variant of the Godfather banking trojan is targeting over 500 Android banking and cryptocurrency applications globally. Initially focused on the U.S., U.K., and Europe, its reach has expanded to countries including Azerbaijan, Greece, Japan, and Singapore. The malware has transitioned from Java to native code, enhancing its ability to exploit Android’s accessibility services and mimic user actions through gesture automation commands. It employs social engineering tactics, such as a fraudulent website posing as the official MyGov site of the Australian Government, to distribute malicious files. Once installed, the malware communicates with a control server, collects device information, and replaces legitimate banking applications with phishing pages to steal credentials. The Godfather malware has become more difficult to analyze and poses a significant threat to users worldwide.
AppWizard
October 16, 2024
Security experts from Zscaler have reported that over 200 malware-laden applications are available on Google's Play Store, with more than eight million installations by users. The report highlights a 111 percent increase in spyware incidents and a 29 percent rise in banking malware. Anatsa, an Android banking trojan, has targeted over 650 financial institutions. Zscaler's Chief Security Officer noted that cybercriminals are increasingly exploiting legacy assets, leading to data breaches and ransomware attacks. Google is working to remove harmful apps, but users are advised to review feedback, verify developer reputations, and enable Google Play Protect for enhanced security.
AppWizard
October 15, 2024
Zscaler's analysis revealed that over 200 malicious applications on Google Play accumulated nearly eight million downloads between June 2023 and April 2024. The identified malware families included Joker (38.2%), Adware (35.9%), Facestealer (14.7%), Coper (3.7%), Loanly Installer (2.3%), Harly (1.4%), and Anatsa (0.9%). In May 2023, Zscaler flagged more than 90 malicious apps on Google Play with 5.5 million downloads. The Necro malware loader was downloaded 11 million times, and Goldoson malware infiltrated 60 legitimate apps with 100 million downloads. Zscaler blocked an average of 1.7 million malware transactions per month, totaling 20 million during the analysis period. Spyware infections surged, particularly from SpyLoan, SpinOK, and SpyNote, with 232,000 blocks recorded. The most targeted countries were India, the United States, Canada, South Africa, and the Netherlands. The education sector saw a 136.8% increase in blocked transactions due to mobile malware. Users are advised to read reviews, verify app publishers, and scrutinize permissions to mitigate malware risks.