Dangerous Android trojan targets 600 banking apps — and it's draining accounts


Android smartphone owners are once again under attack from the dangerous Anatsa banking trojan which has been updated with new capabilities and can now target even more banking apps.

As reported by BleepingComputer, this new mobile malware campaign has been active since March of this year and so far, banking customers in the U.S., U.K., Germany, Austria and Switzerland have been targeted by Anatsa.

Just like during a previous Anatsa campaign from back in November 2021 which saw the malware downloaded over 300,000 times, the hackers behind this new campaign are using malicious apps hosted on the Google Play Store to infect vulnerable Android smartphones.

This updated version of the Anatsa banking trojan was first spotted by security researchers at ThreatFabric who revealed in a new report that it can now take over nearly 600 different banking apps and commit fraud right on an infected device. 

A number of big banks including JP Morgan, Capital One, TD Bank, Schwab, Navy Federal Credit Union and others can be targeted by Anatsa which is why this banking trojan is a threat Android users will want to take seriously.

Delete these apps right now

In their report, security researchers at ThreatFabric highlighted five of the apps that are being used by the hackers behind this campaign to take over and drain bank accounts. If you have any of these apps installed on your Android smartphone, it’s recommended that you uninstall them immediately. Below, you’ll find the apps in question along with their package names:

  • PDF Reader - Edit & View PDF - lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools
  • PDF Reader & Editor - com.proderstarler.pdfsignature
  • PDF Reader & Editor - moh.filemanagerrespdf
  • All Document Reader & Editor - com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs
  • All Document Reader and Viewer - com.muchlensoka.pdfcreator

While all of these apps have since been removed from the Play Store, you will need to manually delete them if you have any of them on your smartphone. 
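To check a phone for the five package names listed above, the following script is an added example (not from ThreatFabric's report or the original article) that filters the output of `pm list packages`. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Package names copied from the article's list of Anatsa dropper apps.
ANATSA_DROPPERS='lsstudio.pdfreader.powerfultool.allinonepdf.goodpdftools
com.proderstarler.pdfsignature
moh.filemanagerrespdf
com.mikijaki.documents.pdfreader.xlsx.csv.ppt.docs
com.muchlensoka.pdfcreator'

# find_droppers: read `pm list packages` output on stdin (one
# "package:<name>" line per app) and print each installed package that is
# on the list. Exit status is 0 when at least one is found, 1 when none is.
find_droppers() {
    # adb can emit CRLF line endings, so drop CRs before comparing.
    # grep -F treats the names as literal strings (the dots are not
    # wildcards) and -x demands a whole-line match, so a longer name such as
    # "com.muchlensoka.pdfcreator.pro" is not reported.
    tr -d '\r' | sed 's/^package://' | grep -Fx -- "$ANATSA_DROPPERS"
}

# Constructed sample of `pm list packages` output (not from a real device).
sample_listing() {
    printf 'package:com.android.chrome\r\n'
    printf 'package:com.proderstarler.pdfsignature\r\n'
    printf 'package:com.muchlensoka.pdfcreator.pro\r\n'
    printf 'package:moh.filemanagerrespdf\n'
}

# Demo on the constructed sample. On a real device connected over adb:
#   adb shell pm list packages | find_droppers
if hits=$(sample_listing | find_droppers); then
    printf 'Uninstall these packages:\n%s\n' "$hits"
else
    echo 'None of the listed dropper packages are installed.'
fi
```

The list only covers the five apps named in the report, so a clean result does not rule out a newer dropper uploaded after these were removed.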

Playing cat and mouse

Back in March following a six-month hiatus, the cybercriminals behind this new Anatsa campaign launched a separate malvertising campaign to promote the apps used to drop this banking trojan.

Just like in previous Anatsa campaigns, this one uses malicious apps from the office/productivity category which pose as PDF editors, viewers and office suites. However, when these apps were first submitted to Google, they didn’t contain any malware. Instead, the malware was added later, as with the AhRat malware, which allowed the apps to be listed on the Play Store and pass the search giant’s security checks.

During their investigation into the matter, ThreatFabric’s researchers reported each of the malicious apps they found to Google and the company removed them from the Play Store. However, the hackers would then upload a new app to spread the Anatsa banking trojan.

Once installed on one of the best phones, Anatsa collects loads of financial information including bank account credentials, credit card details, payment information and more. This is done by using overlays which appear on top of one of the targeted 600 banking apps when they’re launched.

Instead of stealing this sensitive info and saving it for later, Anatsa uses it to commit on-device fraud by launching one of the banking apps and performing transactions on behalf of victims. This saves the hackers behind this campaign time but it also improves their chances of success since a user logging into their banking app and performing transactions on their own smartphone doesn’t raise any suspicions.

All of the funds stolen from a victim’s bank account are then converted into cryptocurrency and passed through a network of money mules before being sent back to the hackers behind this campaign.

In a statement to Tom's Guide, a Google spokesperson provided further insight on this new Anatsa campaign and how the search giant is handling it, saying:

“All of these identified malicious apps have been removed from Google Play and the developers have been banned. Google Play Protect also protects users by automatically removing apps known to contain this malware on Android devices with Google Play Services.”

How to stay safe from Android malware


When it comes to staying safe from Android malware the first and most important thing you should do is to limit the number of apps on your phone. Even seemingly innocent apps can contain malware or it can be added later which is why you should ask yourself if you really need a particular app before installing it.

Although Google checks all of the apps uploaded to the Play Store for malware, bad apps do manage to slip through the cracks from time to time. This is why you should avoid downloading free apps and check the reviews and rating of any app before you download it. External reviews and especially video reviews can be very helpful as they show you an app in action and are harder to fake.

Besides limiting the number of apps you have installed, you should also consider using one of the best Android antivirus apps on your phone. If you’re on a tight budget though, Google Play Protect offers similar functionality and can scan all of your existing apps and any new ones you download for malware. It’s also free and comes pre-installed on most Android smartphones.

As the hackers behind this latest Anatsa campaign appear to be quite fast when it comes to infecting new apps with this dangerous banking trojan, expect to see other good apps turn malicious in an effort to infect even more Android smartphones with malware.


Anthony Spadafora
Senior Editor Security and Networking
