Dangerous Android malware targets US banking apps - 50,000 people already affected, make sure you're not next

(Image credit: wk1003mike / Shutterstock)

Security researchers found a PDF app for Android sporting a banking trojan
The trojan was introduced with a patch, six weeks after release
It had more than 50,000 downloads, so users should beware

A dangerous Android banking trojan has found a way to the Google Play Store once again, potentially affecting tens of thousands of North American users, experts have warned.

Security researchers from Threat Fabric found an app on the Play Store, called ‘Document Viewer – File Reader’, published by a company called ‘Hybrid Cars Simulator, Drift & Racing’ roughly two months ago and having amassed a significant following - some 50,000 people.

Until only recently, the app was clean, working as intended. Then, between June 24 and 30, it received an update that turned it into a banking trojan called Anatsa.

How to stay safe

This is a known piece of malware that's been smuggled into the Play Store on multiple occasions in the past.

BleepingComputer claims in November 2021 researchers found a trojanized app with 300,000 downloads, and in June 2023 a separate one with 30,000 downloads. In February 2024 there was another app with Anatsa, counting 150,000 downloads, and in May the same year, two apps with 70,000 downloads between them.

Every time, Google removes the apps, but the attackers seem to find a way back.

Anatsa is a banking trojan that first scans the victim’s mobile device, looking for North American banking apps.

If it finds any, it serves them an overlay that grabs credentials and other login data, granting the attackers the ability to log into accounts and make transactions. At the same time, the victims are presented with a message that the app is undergoing scheduled maintenance.

The app has now been removed from the Play Store, and if you have it installed, it would be wise to remove it and then run a full system scan using Play Protect. Resetting banking account credentials would also be advised.

“All of these identified malicious apps have been removed from Google Play,” a Google spokesperson told BleepingComputer. “Users are automatically protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services."

Via BleepingComputer

This dangerous new malware is hitting iOS and Android phones alike - and it's even stealing photos and crypto
Take a look at our guide to the best authenticator app
We've rounded up the best password managers

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

How to stay safe

You might also like