Awareness

Anatsa vs GoldDigger vs Frogblight: Top Android Banking Trojan

Published  ·  5 min read

The three existing Android banking trojans are all up and running, performing successfully in the real world as well, but their methods of infection, level of automation, persistence, evasion, and overall level of financial/human damage (when considering the amount of actual financial loss) differ from one another. Below we summarize how they compare to each other using the latest threat intelligence reports, sandbox tests, and telemetry data gathered by researchers.

Comparison between the 3 Android Banking Trojans
Anatsa (Teabot)
1. Infection technique, Many different forms of apps impersonating "Utilities", "cryptocurrency", "investment", "productivity", and "documents" out there, most often they can be found in the Google Play store but are then sideloaded by users through fraudulent phishing links.
2. Automationm An extremely high degree of automation is utilized by employing Accessibility Services to allow for auto navigation of bank apps, reading of OTP codes/SMS texts, and the ability to perform fund transfers with little to no user interaction required on the part of the victim.
3. Overlays, Very pixel-perfect, and highly convincing overlays (they will match the banking app UI where the targeted bank is located).
4. Persistence & evasion, Very good (GUI icon hidden; survives a reboot; detects if the environment is an emulator, is running Frida, or has a debugger attached).
5. Primary geographies for operation, Europe (Germany, France, Italy, Spain, United Kingdom); Turkey; parts of LATAM; Some parts of North America.
6. Financial (theoretical, and as of now) Highest cumulative reported losses are in the tens of millions of Euros across multiple countries in Europe.
7. Danger rating: ★★★★★ (highest danger currently based on scale of operation and level of automation).

GoldDigger
1. How can you get infected? Fake Banking Apps, Wallet Apps, Loan Apps & Remittance Apps (mostly sideloaded via WhatsApp/Telegram phishing!) 
2. How much automation? Very high- strong overlays, form grabbing, excellent SMS/OTP interception. 
3. What are the overlays? Quality is very high but slightly less automated in some banking flows than Anatsa. 
4. How persistent or evasive is this app? Extremely high level of persistence/evasiveness (Via Accessibility and Device Admin Abuse). 
5. Which areas of the world are being negatively affected? India, Brazil, Mexico, Indonesia and Turkey. 
6. What is the financial impact to the areas listed above? High level of financial loss risk due to this app being targeted by an attack; especially in new markets with weak banking systems that have limited fraud prevention controls. 
7. Danger rating: ★★★★★ (very dangerous in Core Areas).

Frogblight
1. How can you get infected? Fake VPNs/Cleaners/Utility Apps/Flashlight Apps aggressive WhatsApp & Telegram Phishing Links. 
2. How much automation? Fairly good Overlays & Form grabbing but less than those in the other two Ops are fully automated.
3. What are the Overlays? Good quality. 
4. How persistent/evasive is this app? Fairly good (abuse of Accessibility + some icon hiding). 
5. What are the primary areas affected? Middle East (Jordan, Egypt, Iraq, Saudi Arabia, UAE), Turkey, Parts of Europe.
6. What is the financial impact to these regions? Moderate to high; mainly in those areas. 
7. Danger rating: ★★★★☆ (Dangerous Regionally but Low on a Global Level).

Recent Cases of Real-Life Events That Show Use of Malware 
Anatsa (Teabot)
The malware program "Document Viewer - File Reader" had over 90,000+ downloads from Google Play before being removed. It also claimed to be a PDF reader, but in fact, it used the Teabot or Anatsa malware (payloads) for credential theft and device takeover.  
Another malware campaign used 77 malicious applications with over 19 million downloads from Google Play as dropper applications to target users of banking applications located in Europe and South Korea. Victims lost thousands of dollars on each device due to automated overlays and automated transfers.  

GoldDigger
In one wave of attacks, Gold Digger utilized a packer created by VirBox to target victims using fake banking/wallet apps in India and Brazil. The attackers abused the Accessibility function of their phones to steal one-time passwords (OTPs) and then transfer funds using the OTPs. There have been reports of victims losing between $5,000 and $20,000 due to this type of fraud.

Frogblight
Discovered via phishing SMS leading to fake government/court apps (e.g., case viewers, social support tools). It stole banking credentials and SMS via injected JavaScript. Most impact seen in the Middle East and Turkey, with regional losses in the thousands per victim.

Which Is Most Dangerous Right Now?
Anatsa (Teabot) is currently the most dangerous Android banking trojan. 
Reasons:
1. Largest ongoing infection volume in the highest-value banking markets.
2. Most automated end-to-end transaction capability (minimal user interaction needed).
3. Strongest persistence and anti-analysis tricks.
4. Consistently ranks #1 or #2 in Android banking trojan telemetry across major threat reports.

GoldDigger is a very close second, especially if you or your family are in India, Brazil, Mexico, Indonesia, or Turkey. Frogblight is dangerous regionally (Middle East + Turkey) but does not match the global scale or automation of the other two.

Practical Protection Tips
1. Install apps only from Google Play, avoid third-party stores and sideloaded APKs.
2. Never grant Accessibility Service to unknown or suspicious apps.
3. Enable “Install unknown apps” restrictions per source (Settings → Apps → Special app access → Install unknown apps).
4. Use a reputable mobile security app (Bitdefender Mobile Security, Avast, Malwarebytes Mobile Security — free tiers are effective).
5. Keep Google Play Protect turned on + scan regularly.
6. If you receive urgent banking-related messages on WhatsApp/Telegram → do not click links or install anything, open your bank app directly.
7. Freeze credit reports if personal data is ever stolen.

 

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067