Anatsa (Tea Bot) banking trojan campaign targeting 831 banking and cryptocurrency apps
Campaign
Summary
The Anatsa (Tea Bot) operation expanded its Android targeting to 831 banking and cryptocurrency apps, raising the risk of credential theft for mobile banking users. Operators used Document Reader – File Manager as a decoy app that downloaded the malicious payload only after installation, helping evade Google's code review. The latest wave also shifted to direct payload installation and added emulation detection, malformed APK archives, and a keylogger to improve stealth and data theft.
Related Happenings
Mirax Android banking trojan with residential proxy nodes
Malware Activity
First: 13.04.2026 17:30
Last: 13.04.2026 17:30
Sources 1
About this happening:
Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...
SparkCat malware variant in App Store and Google Play apps steals wallet recovery phrases
Malware Activity
First: 03.04.2026 12:10
Last: 03.04.2026 12:10
Sources 1
About this happening:
The **SparkCat** malware resurfaced in a new variant inside apps on the **Apple App Store** and **Google Play Store**, increasing the risk of mobile crypto wallet theft. The malwa...
Google Android developer verification rollout for sideloaded apps
Security Tool/Service
First: 31.03.2026 21:28
Last: 31.03.2026 21:28
Sources 1
About this happening:
Google is rolling out **Android developer verification** for apps distributed outside **Google Play**, tightening sideloading controls to make anonymous abuse harder. The first en...
Google Android Advanced Flow adds safer APK sideloading for unverified developers
Security Tool/Service
First: 21.03.2026 16:18
Last: 21.03.2026 16:18
Sources 1
About this happening:
**Google** is rolling out **Advanced Flow** on **Android** to let power users sideload APKs from **unverified developers** with more friction and warnings, reducing the risk of **...
Perseus Android note-stealing and remote-control malware activity
Malware Activity
First: 19.03.2026 12:13
Last: 19.03.2026 12:13
Sources 1
About this happening:
The **Perseus** Android malware is now being used to inspect user notes for secrets, creating theft risk for **passwords**, **recovery phrases**, and **financial data**. It is als...
Timeline
25.08.2025 19:37 · 2 articles · 9mo ago
Anatsa Android targeting expands to 831 apps
Campaign Scope Update: Zscaler ThreatLabs identified a new Android malware wave on Google Play that included Anatsa (Tea Bot), Joker, Harly, adware, and maskware across 77 malicious apps with more than 19 million installs. The latest Anatsa campaign expanded its targeting to 831 banking and cryptocurrency apps, used Document Reader – File Manager as a decoy that downloaded the payload after installation, shifted to direct payload installation from JSON files, and added malformed APK archives, runtime DES-based string decryption, emulation detection, Accessibility permission abuse, and a keylogger. Google removed the discovered apps from the Play Store after Zscaler's reporting.
Sources:
- Malicious Android apps with 19M installs removed from Google Play — www.bleepingcomputer.com — 25.08.2025 19:37
- Malicious Android apps on Google Play downloaded 42 million times — www.bleepingcomputer.com — 04.11.2025 22:26