Anatsa, an Android banking malware first discovered in 2020, has evolved with new capabilities and targets. The latest variant now affects over 831 financial institutions worldwide, including new countries and cryptocurrency platforms. Anatsa has streamlined its payload delivery, implemented DES runtime decryption, and added device-specific restrictions. The malware uses decoy applications in the Google Play Store, some exceeding 50,000 downloads. Alongside Anatsa, 77 other malicious apps from various families were identified, totaling over 19 million installs. Anatsa's evasion techniques include emulation checks, device model verification, and the use of malformed archives to hide malicious code. The malware primarily steals credentials through fake banking login pages tailored to detected financial apps on the user's device.