Over 50,000 Infected By Banking Trojan Posing as PDF Tool

Image by Pathum Danthanarayana, from Unsplash

Researchers say that Anatsa malware is back, this time targeting North American users by hiding in fake Google Play apps to steal banking credentials and funds.

In a rush? Here are the quick facts:

  • It hides in fake apps uploaded to the Google Play Store.
  • Over 50,000 users downloaded a malicious “PDF Update” app.
  • Malware performs fraud via fake overlays on banking apps.

A dangerous Android banking malware known as Anatsa has launched a new wave of attacks on users across the United States and Canada, according to ThreatFabric researchers.

The researchers say that this marks at least the third time the malware has shifted its focus to North American mobile banking customers, and it’s doing so using familiar and successful techniques.

Anatsa is a sophisticated device takeover trojan that lets cybercriminals steal banking credentials, log keystrokes, and perform remote fraudulent transactions from infected phones. The malware hides inside applications that seem harmless at first, such as file managers and PDF readers, which are uploaded to the official Google Play Store.

The researchers explain that the application functions like any other useful tool. First, it gains user trust through downloads, over 50,000 in the most recent case. Then, weeks later, an update quietly installs the Anatsa malware. From there, the infected phone becomes a weapon.

The malware communicates with remote servers to select banking apps to target. When a user tries to log into their bank, a fake maintenance message appears: “We are currently enhancing our services and will have everything back up and running shortly. Thank you for your patience.”

This message blocks users from realizing they’re being hacked while the malware carries out unauthorized transactions or captures login credentials.

In the latest campaign, a fake “PDF Update” application reached the third position in the “Top Free Tools” list before Google Play Store removed it on June 30. Although the application was short-lived, it caused significant damage to users.

Cybersecurity experts say Anatsa’s increasing focus on U.S. banks and its success through cyclical attacks and app store manipulation make it a growing threat. Financial institutions are urged to stay alert and inform users about this evolving tactic.
