The Anatsa banking trojan has reappeared on Google Play, disguised as a PDF viewer app that accumulated over 50,000 downloads. It activates upon installation and targets North American banking applications, presenting an overlay that enables unauthorized access, keylogging, and transaction automation. Researchers from ThreatFabric discovered that the app displays a fake notification about banking system maintenance to mask its activities.

Anatsa has a history of infiltrating Google Play through various trojanized applications, with previous campaigns resulting in 300,000 downloads in November 2021, 30,000 in June 2023, and 150,000 in February 2024. In May 2024, Zscaler reported two new Anatsa applications on Google Play, which reached 70,000 downloads. The app identified is ‘Document Viewer – File Reader,’ published by ‘Hybrid Cars Simulator, Drift & Racing.’ It maintains a “clean” appearance until it has built a user base, after which malicious code is introduced via an update. Anatsa connects to a command-and-control server to monitor targeted applications.

Google has removed the malicious app and advises users to uninstall it, scan their devices, and reset their banking credentials. Users are encouraged to download apps only from reputable publishers and to be cautious with permissions and reviews. Google Play Protect automatically protects users from known malicious apps.