Thursday, July 10, 2025

Anatsa Trojan Infects 90000 Android Devices via Fake PDF App

A new wave of Android banking malware has infected around 90000 users across multiple countries after the Anatsa trojan was secretly distributed through a fake PDF reader app on the Google Play Store. Security researchers found that the malware was embedded in an app called Document Viewer – File Reader, listed under the developer name Hybrid Cars Simulator Drift and Racing.

Initially appearing as a fully functional PDF viewer, the app silently received a malicious update weeks after its release. This update turned the app into a powerful attack tool, allowing cybercriminals to deploy the Anatsa banking trojan. During its short campaign from June 24 to June 30, 2025, the app climbed to the number four spot in the “Top Free Tools” category before being removed by Google. Estimates suggest the app was downloaded nearly 90000 times during this period.

Anatsa, also known as TeaBot or Toddler, has been active since 2020. It is designed to steal login credentials, log keystrokes, and even take full control of devices to carry out unauthorized financial transactions. This Anatsa campaign marks its third major attack targeting users in the United States and Canada, expanding its reach beyond Europe.

Attackers followed a familiar pattern: first uploading a safe app, gathering installs and good reviews, then pushing an update containing a malware dropper. Once the dropper is active, it installs the Anatsa trojan silently. The malware then fetches a list of targeted banking apps and overlays fake login pages to steal user credentials.

A key trick used in this Anatsa campaign was showing a fake maintenance screen when users tried to open their banking apps. This delayed victims from reporting suspicious activity, giving hackers more time to drain accounts.

What Users Should Do:

If you installed Document Viewer – File Reader or any app from unknown developers, uninstall it immediately. Run a full scan with a trusted mobile security app, reset banking and email passwords, and enable two-factor authentication. Monitor your accounts for unusual activity and report anything suspicious to your bank.

Banks are advised to review the malware’s indicators of compromise and evaluate the risk to their customers.
