The PolySwarm Blog

Anatsa Android Banking Trojan Targets US Banks

Jul 18, 2025 2:08:41 PM / by The Hivemind

ANATSA
Verticals Targeted: Financial
Regions Targeted: US, Canada
Related Families: None

Executive Summary

Anatsa, a sophisticated Android banking trojan active since 2020, has resurfaced in a recent campaign targeting mobile banking users, with a pronounced focus on North America. Distributed via malicious apps on the Google Play Store, Anatsa employs advanced device takeover and credential theft techniques, resulting in confirmed financial losses.

Key Takeaways

  • Anatsa has infected over 30,000 devices, primarily targeting financial institutions in the US, UK, and DACH region, with an emerging focus on North America.  
  • The trojan masquerades as legitimate apps, such as PDF readers, to deliver malicious payloads without requiring additional permissions.  
  • Anatsa’s fraud capabilities include overlay attacks, keylogging, and automated fraudulent transactions executed via device takeover.  
  • The latest North American campaign, active in June, achieved over 50,000 downloads before removal from the Google Play Store.

What is Anatsa?

Since its emergence in 2020, Anatsa has established itself as a formidable Android banking trojan, leveraging the Google Play Store to distribute malicious applications. The trojan’s latest campaign, observed between March and June, demonstrates a renewed focus on North American mobile banking users, alongside continued targeting of the UK and DACH region (Germany, Austria, Switzerland). ThreatFabric researchers report over 30,000 infected devices, with confirmed financial losses attributed to Anatsa’s advanced fraud capabilities. Indications suggest potential expansion to Spain, Finland, South Korea, and Singapore.

Anatsa’s infection chain begins with seemingly benign applications, such as PDF readers or file managers, uploaded to the Google Play Store. These apps initially function as advertised, amassing thousands of downloads. After establishing a user base, malicious updates embed the Anatsa payload, often disguised as app add-ons. A notable example from the June campaign involved a PDF reader dropper that ranked among the top three “Top Free Tools” in the US Google Play Store, achieving over 50,000 downloads before removal. The dropper retrieved payload URLs from a GitHub page, enabling seamless delivery without additional permissions due to the app’s file management capabilities.

Once installed, Anatsa executes a sophisticated fraud kill chain. The trojan employs overlay attacks and keylogging to steal credentials, credit card details, and banking information. A deceptive overlay message, such as “Scheduled Maintenance,” obscures malicious activity and delays user intervention. Anatsa’s device takeover functionality allows operators to initiate fraudulent transactions directly from infected devices, bypassing anti-fraud systems that trust the device’s legitimacy. This capability has proven effective, with industry researchers confirming real-world fraud across multiple cases.

The North American campaign, active from June 24 to 30, is the third time Anatsa has concentrated on the US and Canada. The trojan’s target list has expanded to include a broader range of mobile banking applications, underscoring its adaptability. Anatsa’s cyclical activity, alternating between active distribution and dormancy, enhances its ability to evade detection. At least five distinct droppers were identified during the March-to-June period, each following the same playbook: a legitimate app deployment followed by malicious updates. Anatsa’s persistence and technical sophistication make it a significant threat to financial institutions. Its ability to exploit the Google Play Store’s trust, combined with advanced evasion tactics, demands heightened vigilance from malware analysts and security teams.

IOCs

PolySwarm has multiple samples of Anatsa.

1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c

16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d

2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb

2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5

d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4

974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544

7231546ee377738cbe9075791eb6e76b7bc163c1b91831e05e81b4756fff4028

You can use the following CLI command to search for all Anatsa samples in our portal:

$ polyswarm link list -f Anatsa
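The hashes above are what a defender would actually sweep a fleet with. The script below is an added example, not PolySwarm's tooling or code from the bulletin: it parses the published SHA-256 list (deduplicating the repeated entries), optionally hashes an APK pulled from a device, and matches a constructed MDM/EDR inventory export against the list. The CSV layout, the device identifiers, the package names and the non-matching hashes are all hypothetical; only the matching hashes come from the bulletin.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict

# SHA-256 hashes printed in the bulletin above. The printed list repeats two
# of them, so the loader deduplicates.
ANATSA_SHA256_TEXT = """
1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c
16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d
2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb
2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5
d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4
974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544
d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4
1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c
7231546ee377738cbe9075791eb6e76b7bc163c1b91831e05e81b4756fff4028
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(text):
    """Return a set of lower-cased SHA-256 strings, skipping blank or malformed lines."""
    iocs = set()
    for line in text.splitlines():
        candidate = line.strip().lower()
        if candidate and SHA256_RE.match(candidate):
            iocs.add(candidate)
    return iocs


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash an APK pulled from a device (for example via adb) in chunks, so large files stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Constructed inventory export in a hypothetical CSV layout: one installed APK per row.
# Package names and the non-matching hashes are made up; the matching hashes are the
# bulletin's (one deliberately upper-cased to exercise normalisation).
INVENTORY_CSV = """device_id,package_name,apk_sha256
dev-001,com.example.pdfviewer,1AAFE8407E52DC4A27EA800577D0EAE3D389CB61AF54E0D69B89639115D5273C
dev-001,com.example.messenger,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
dev-002,com.example.pdfviewer,bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
dev-003,com.example.filemanager,7231546ee377738cbe9075791eb6e76b7bc163c1b91831e05e81b4756fff4028
"""


def sweep_inventory(inventory_csv, iocs):
    """Map device_id -> list of package names whose installed APK hash is a known IOC."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        apk_hash = row["apk_sha256"].strip().lower()
        if apk_hash in iocs:
            hits[row["device_id"]].append(row["package_name"])
    return dict(hits)


if __name__ == "__main__":
    known = load_iocs(ANATSA_SHA256_TEXT)
    print(f"{len(known)} unique Anatsa hashes loaded")
    for device, packages in sweep_inventory(INVENTORY_CSV, known).items():
        print(f"{device}: matched {', '.join(packages)}")
```

Note that dev-002 carries the same package name as an infected device but a different, non-matching hash. That mirrors the campaign model described above: the dropper ships as a clean build and only a later update carries the payload, so a hash sweep is only as current as the last update a device took, and package name alone is not an indicator. Re-run the sweep after app updates and feed newly observed hashes into the `polyswarm` search above before treating a device as clean.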

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.

Topics: Threat Bulletin, Banker, Banking Trojan, Anatsa, Android Malware, overlay attacks, Google Play Store, credential theft, North America, financial fraud, device takeover, mobile banking