Anatsa Android banking trojan infiltrates Google Play, hits 90k US/Canada users with “Document Viewer” dropper, exposing banks to device-takeover fraud

Continue reading
The Anatsa (a.k.a. TeaBot) Android banking trojan has launched its first large-scale campaign in the United States and Canada, hiding inside a popular “Document Viewer – File Reader” app on Google Play.
The dropper accumulated roughly 90,000 installs in six weeks before Google removed it, providing attackers with a foothold to steal credentials, keylog sessions, and automate fraudulent transactions against a broadened list of North American financial apps.
ThreatFabric analysts say the campaign mirrors five earlier European waves, yet shows a sharper focus on U.S. institutions and improved evasion tactics, such as deceptive maintenance overlays that mask fraud in real-time.
| Attribute | Details |
|---|---|
| First seen | 2020 |
| Aliases | TeaBot, Toddler |
| Primary vector | Google Play droppers (PDF, QR, cleaner, file viewers) |
| Targets | 650+ banking/finance apps worldwide |
| Capabilities | Credential overlays, Accessibility abuse, Keylogging, On-device fraud (DTO) |
Anatsa’s operators periodically pause distribution, refine the code, and then return with region-specific waves that quickly accumulate tens of thousands of installs before being taken down.
ThreatFabric’s long-term telemetry shows each wave follows a consistent, five-step pattern:
This cyclic approach lets the gang bypass store vetting, exploit user ratings as social proof, and keep infections geographically tailored.
The 2025 campaign’s dropper package com.stellarastra.maintainer.astracontrol_managerreadercleaner looked and behaved as a genuine file viewer until June 24. An update then added code that:
| Date | Milestone |
|---|---|
| 07 May 2025 | App first published on Google Play |
| 29 Jun 2025 | Climbed to #4 in “Top Free – Tools” chart (US) |
| 24-30 Jun 2025 | Malicious update pushed; active distribution window |
| 01 Jul 2025 | Google removes app after ThreatFabric report |
The North-American dropper continues a multi-year pattern of explosive install counts that outpace store defenses.
ThreatFabric observed an expanded target list of U.S. institutions, including tier-1 retail banks, credit unions, and investment apps, alongside Canadian banking brands.
Analysis by Zscaler shows “Tools” utilities account for 40% of droppers because they plausibly request powerful permissions (storage, accessibility) without raising suspicion.
Google’s policy requires any app asking for AccessibilityService to justify the need, yet Anatsa operators still bypass vetting by shipping clean version 1.0 and weaponizing the first update—a tactic that evades automated static analysis and most manual reviews[3]. Until store workflows verify runtime behavior and cross-check update diffs, high-download droppers will continue to pose a recurring threat vector.
IOC Highlights (July 2025 wave)
Recommended Actions for Enterprises
| Risk Driver | Strategic Response |
|---|---|
| Dropper stealth via staged updates | Continuous mobile-app telemetry, store-update diff scanning |
| Accessibility abuse for DTO | In-app detection of suspicious accessibility events; enforce step-up verification |
| Overlay credential theft | Implement secure keyboard frameworks and deep-link sign-in to thwart overlays |
| Geo-targeted target lists | Monitor for sudden spikes in fraud from specific mobile OS versions or locales |
| Store takedown lag | Maintain threat-intel feeds and warn users faster than official store actions |
The latest Anatsa incursion into North America underscores the persistent gap between official-store defenses and agile malware operators.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.