Anatsa Android Banking Trojan Spread via Fake Google Play Document Reader
A malicious Android app posing as a document reader on the official Google Play Store delivered the Anatsa banking trojan to more than 10,000 users before removal. Researchers said the app used a dropper technique to evade Google Play Protect, fetching its malicious payload only after installation. Once deployed, Anatsa abused Android Accessibility Services, watched for targeted banking apps, and launched overlay screens to steal credentials, sensitive input, and multi-factor authentication codes.
The malware allowed operators to initiate fraudulent transactions directly from infected devices, making activity appear more trustworthy to banks because it originated from a victim's normal device context. Reporting on the campaign said Anatsa continues to evolve to bypass traditional defenses by hiding inside legitimate-looking apps and abusing trusted mobile workflows, underscoring the risk to Android banking users and the need for tighter app controls, minimal permissions, and behavior-based monitoring.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Zimperium reports continued evolution of Anatsa targeting Android banking users
Zimperium reported a recent Anatsa campaign using legitimate-looking malicious apps to target financial applications with overlay attacks and steal sensitive user input. The company said the malware's operation from trusted device contexts helps it evade detection and bypass standard authentication controls.
Researchers publish technical details and IOCs for Anatsa campaign
ThreatLabz disclosed technical details of the campaign, including the dropper method, payload delivery URL, installer and payload hashes, and two command-and-control servers. The reporting also noted that attackers could initiate fraudulent transactions directly from infected devices.
Fake app reaches more than 10,000 downloads before removal
The malicious Google Play app reportedly surpassed 10,000 downloads before Google removed it from the store. Once installed, it abused Accessibility Services, monitored banking apps, and used overlay attacks to steal credentials and MFA codes.
Malicious document reader app appears on Google Play
ThreatLabz identified an Android application on the official Google Play Store masquerading as a document reader that functioned as a dropper for the Anatsa banking trojan. The app was designed to evade Google Play Protect by downloading its malicious payload only after installation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Android Banking Trojans Spread via Fake Document Reader and KYC Apps
Researchers reported two Android banking malware campaigns using staged droppers to evade detection and steal financial data from mobile users. Zscaler ThreatLabz said a fake **Document Reader** app on Google Play was downloaded more than 10,000 times before removal and later fetched the **Anatsa** payload from a remote server, while CYFIRMA identified **KYCShadow** being distributed through fake KYC verification apps sent over WhatsApp to bank customers in India. In both cases, the initial apps appeared legitimate, then installed secondary malicious components designed to bypass early screening and analysis. Once deployed, the malware sought high-risk permissions to hijack accounts, intercept SMS-based one-time passwords, and overlay banking apps to capture credentials. Anatsa was reported to target more than **831 financial institutions** globally, including banks and cryptocurrency platforms, using obfuscation and anti-analysis techniques, while KYCShadow collected data such as mobile numbers, Aadhaar details, ATM PINs, and card information, then used Firebase Cloud Messaging and a full-tunnel VPN for command-and-control and traffic redirection. Researchers urged users to uninstall suspicious apps and avoid software delivered through messaging platforms, and advised defenders to monitor indicators including `jsonapi[.]biz`, `jsonserv[.]biz`, and `jsonserv[.]xyz`.
Apr 29, 2026
Google Play Apps Dropped Anubis Banking Malware via Fake System Updates
Two Android apps published on Google Play, **Currency Converter** and **BatterySaverMobi**, were found to function as droppers for the **Anubis** banking trojan. The apps used motion-sensor checks to detect whether they were running on a real device rather than in a sandbox or emulator, then fetched command-and-control details through encoded requests tied to Telegram and Twitter pages. After installation, they displayed a fake system update prompt designed to persuade users to sideload a malicious APK that delivered the Anubis payload. Once deployed, Anubis was capable of targeting **377 financial app variants across 93 countries** and stealing data through keylogging, screenshots, abuse of Android accessibility features, and broad device permissions. Researchers linked the activity to infrastructure including the domain `aserogeege.space`, and Google removed both malicious apps from the Play Store after the discovery.
May 26, 2026
Four Android Banking Trojans Target 800+ Apps With MFA-Bypassing Overlays
Zimperium zLabs identified four Android malware families—**RecruitRat, SaferRat, Astrinox, and Massiv**—in active campaigns targeting users of more than **800 banking, cryptocurrency, and social media apps**. The malware is being spread through phishing sites, smishing messages, fake job application and streaming lures, counterfeit app-store pages, and bogus updates that trick victims into installing malicious APKs. Researchers said the campaigns rely heavily on overlay attacks, with fake login screens placed over legitimate apps to steal credentials; **RecruitRat** alone reportedly includes more than **700** fraudulent login pages. Once installed, the trojans abuse Android features including **Accessibility Services**, the **Session Installation API**, **MediaProjection**, overlays, and **WebView** to gain persistence, intercept SMS and one-time passwords, log keystrokes, enumerate apps, steal contacts, freeze screens, stream displays, and remotely control infected devices. The malware also uses anti-analysis techniques such as APK tampering, encrypted strings, reflection, dynamic DEX loading, and environment-aware execution, while command-and-control traffic is sent over HTTPS or WebSockets, with RecruitRat additionally using **RC4** encryption. Researchers warned the activity creates enterprise risk because infected employee devices can enable account takeover, bypass MFA, and expose corporate resources.
Apr 20, 2026