Anatsa Mobile Malware Targets North American Banking Customers Again

In late June 2025, the notorious Android banking malware known as Anatsa resurfaced, targeting customers of financial institutions across North America. According to researchers from ThreatFabric, a Dutch cybersecurity firm that has monitored Anatsa since its emergence in 2020, this recent campaign marks at least the third instance of the malware targeting mobile banking users in the United States and Canada.
Anatsa functions as a trojan that can steal banking credentials, log keystrokes, and execute fraudulent transactions directly from infected devices using remote-access tooling. The campaign began with the operators uploading a seemingly legitimate Android application, such as a PDF reader or a phone cleaner, to an app store. Once the app gained traction, amassing thousands of downloads, an update turned it into a dropper: it fetched and installed the Anatsa payload, which then ran as a separate application on users’ devices. In this recent attack, the carrier was a file reader app that had been available for approximately six weeks before the malicious update was delivered between June 24 and June 30. The app had achieved over 50,000 downloads and was ranked among the top free tools in the U.S. version of the Google Play Store before its removal.
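The dropper chain described above (store-installed utility app, later update installs a second package, payload abuses accessibility) leaves traces on the device that a responder can check with two ADB commands. The script below is an added example, not code from ThreatFabric, Cequence or the Anatsa authors: it parses constructed samples that mimic the output of `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, and flags any package whose installer is not a store or ADB. All package names in the sample data are hypothetical, and the trusted-installer allowlist is an assumption to adjust for your fleet.

```python
"""Post-infection triage for the dropper pattern: a store-installed "utility"
app that later installs a second package and gets it accessibility access.

Added example, not code from the original article or the vendors it cites.
Package names and device output below are constructed; the formats mimic
`adb shell pm list packages -i` and
`adb shell settings get secure enabled_accessibility_services`.
"""
import re
from typing import Dict, List, Optional, Set

# Installers a device is expected to have. Anything else that installs
# packages is a candidate dropper. (Assumption: extend for OEM stores.)
STORE_INSTALLERS: Set[str] = {
    "com.android.vending",  # Google Play
}

# Constructed sample of `pm list packages -i` (installer=null = ADB/manual).
SAMPLE_PM_LIST = """\
package:com.android.chrome installer=com.android.vending
package:com.example.filereader installer=com.android.vending
package:com.example.docviewer installer=com.example.filereader
package:com.example.notes installer=null
package:com.android.settings installer=null
"""

# Constructed sample of the enabled_accessibility_services secure setting
# (colon-separated <package>/<service> entries).
SAMPLE_A11Y = ("com.example.docviewer/.AccessService:"
               "com.google.android.marvin.talkback/.TalkBackService")

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when sideloaded via ADB)."""
    installers: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if not m:
            continue  # skip unrelated output such as warnings
        inst = m.group("inst")
        installers[m.group("pkg")] = None if inst == "null" else inst
    return installers


def parse_accessibility(setting: str) -> Set[str]:
    """Packages that currently own an enabled accessibility service."""
    pkgs: Set[str] = set()
    for entry in setting.split(":"):
        entry = entry.strip()
        if "/" in entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def triage(installers: Dict[str, Optional[str]], a11y_pkgs: Set[str],
           trusted: Set[str] = STORE_INSTALLERS) -> List[dict]:
    """Report packages installed by something other than a store or ADB.

    Each finding records the installing package (the suspected dropper),
    whether that dropper itself came from a store (the pattern in the
    article), and whether the payload has an accessibility service enabled
    (what overlay and keylogging abuse depends on).
    """
    findings: List[dict] = []
    for pkg, inst in installers.items():
        if inst is None or inst in trusted:
            continue
        findings.append({
            "package": pkg,
            "installed_by": inst,
            "dropper_from_store": installers.get(inst) in trusted,
            "accessibility": pkg in a11y_pkgs,
        })
    # Highest signal first: accessibility-enabled payload behind a
    # store-installed dropper.
    findings.sort(key=lambda f: (not f["accessibility"],
                                 not f["dropper_from_store"], f["package"]))
    return findings


if __name__ == "__main__":
    report = triage(parse_pm_list(SAMPLE_PM_LIST),
                    parse_accessibility(SAMPLE_A11Y))
    for f in report:
        print(f"{f['package']}: installed by {f['installed_by']} "
              f"(dropper from store={f['dropper_from_store']}, "
              f"accessibility={f['accessibility']})")
```

On a real device, feed the script the output of the two ADB commands above instead of the constructed samples. Installer attribution is a lead, not proof: a legitimate file manager also shows up as the installer of APKs a user opened with it, so confirm a hit by pulling the APK (`adb shell pm path <pkg>`) and inspecting it before acting.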
Randolph Barr, Chief Information Security Officer at Cequence, noted, “Even savvy users may miss this, since the initial app appears clean and functional.” The method of promotion for the app remains unclear, as does the precise manner in which the threat actors utilize the stolen data. Potential scenarios include deploying ransomware attacks or selling the compromised information to other cybercriminals on darknet markets.
The recent operation was characterized by an expanded target list, which included a wider variety of mobile banking applications in the United States. Banking trojans have become common instruments for cybercriminals, designed to extract sensitive financial information, often resulting in unauthorized transactions, account takeovers, and considerable financial losses for victims.
Looking to the future, Barr anticipates a rise in more sophisticated campaigns, suggesting, “This includes things like AI-personalized malware overlays targeting specific banks or regions, modular payloads downloaded in real-time post-install, attempts to bypass multi-factor authentication via screen overlays or token theft, and even more abuse of accessibility services and session hijacking.”
In a related development, earlier in June, ThreatFabric reported the emergence of a new variant of the Android banking trojan Crocodilus, which has begun to infiltrate Europe, South America, and parts of Asia. This variant is particularly concerning as it can embed fake entries into victims’ contact lists, allowing attackers to masquerade as trusted sources, such as bank support lines, thereby deceiving users into answering fraudulent calls and bypassing fraud prevention systems that typically flag unfamiliar numbers.
The resurgence of Anatsa serves as a stark reminder of the evolving landscape of cyber threats targeting financial services, underscoring the need for increased vigilance and robust security measures among users and institutions alike.