Google Play Fake Document Reader With 10K Downloads Installs Anatsa Malware
Key Takeaways
- A deceptive document reader app on Google Play distributed the sophisticated Anatsa banking trojan.
- The malicious application garnered over 10,000 downloads before Google removed it, exposing numerous Android users to financial fraud.
- Anatsa, a persistent Android banking trojan first observed in 2020, continues to evolve, now targeting over 831 financial institutions globally, including new targets in Germany and South Korea.
- The malware utilizes a two-stage dropper mechanism and advanced evasion techniques to bypass app store defenses and security analysis tools.
Fake Document Reader App Delivers Anatsa Banking Trojan to Thousands of Android Users
A recent discovery by cybersecurity researchers has unveiled a fraudulent document reader application on the Google Play Store that was secretly installing the potent Anatsa Android banking trojan on thousands of user devices. This campaign underscores the ongoing threat posed by Anatsa, a malware notorious for its sophisticated capabilities and continuous evolution.
Before its removal by Google, the malicious application had accumulated more than 10,000 downloads, directly jeopardizing a significant number of Android users with the risk of financial theft and credential compromise. For a detailed technical examination of Anatsa’s functionalities and its history of Android banking malware campaigns, refer to Zscaler’s comprehensive analysis.
Anatsa: A Persistent and Evolving Threat
Anatsa is a well-known entity in the realm of mobile security, having first emerged in 2020. Initially designed as an Android banking trojan, its primary objective was to steal user credentials, log keystrokes, and execute unauthorized transactions on infected devices, all without the user’s knowledge.
Over time, Anatsa has matured into one of the most formidable mobile banking threats. Its latest iteration demonstrates an expanded reach, now actively targeting over 831 financial institutions worldwide. This includes newly identified banks and cryptocurrency platforms in countries such as Germany and South Korea.
Researchers at Zscaler ThreatLabz brought this malicious application to light on the Google Play Store, publishing their findings on April 27, 2026. The application was cleverly disguised as a file reader, operating under the package name com.groundstation.informationcontrol.filestation_browsefiles_readdocs. It had already surpassed 10,000 installations before Google took action to remove it from the platform.
This incident represents another chapter in Anatsa’s persistent campaign, which consistently leverages seemingly innocuous utility applications to circumvent app store security measures and infect a large user base. Additional insights into the evolution of Anatsa can be found in Zscaler’s security research.
Infection Mechanism and Detection Evasion
The malicious app employed a dropper technique to evade detection during Google Play’s review process. Upon installation, it functioned ostensibly as a legitimate document reader, exhibiting no immediate signs of malicious behavior. However, in the background, it established a connection to a remote server and downloaded the Anatsa payload from http://23.251.108[.]10:8080/privacy.txt. This process silently installed the trojan without any visible alerts to the user. This two-stage delivery mechanism is a deliberate strategy to bypass initial app store reviews, which typically only scrutinize the application at the point of submission.
This tactic, where an app initially appears benign and later downloads malware, has been a hallmark of Anatsa’s campaigns for years. Because Google Play’s security scans primarily focus on the app’s initial version, the trojan can successfully infiltrate the platform undetected. It then waits until it achieves a substantial number of installations before activating its malicious functionalities, by which point the malware is already active on thousands of devices.
Post-Installation Actions and Stealth Tactics
Once the Anatsa payload is successfully executed on a device, it immediately requests accessibility permissions from the user. If these permissions are granted, the malware automatically escalates its privileges, gaining capabilities such as overlaying content on other applications, intercepting SMS messages, and displaying full-screen alerts. These extensive permissions are then exploited to monitor user activity, steal banking credentials, and disrupt legitimate app interactions without raising suspicion.
To further evade security tools, Anatsa conceals its DEX file within a corrupted ZIP archive that utilizes invalid compression flags. This file is only executed at runtime and is promptly deleted after loading, making it exceptionally challenging for static analysis tools to detect. The payload is additionally embedded within a JSON file, which is dropped and subsequently erased during execution, leaving minimal forensic evidence of the infection on the device.
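A defender-side static check for the ZIP trick described above, added here as an example and not taken from the Zscaler analysis: it walks every local file header in an archive, flags entries whose compression-method or general-purpose-flag fields fall outside the ZIP specification, and shows that a stock unpacker (Python's zipfile, standing in for ordinary static tooling) refuses such an entry while a custom loader could still read it. The sample archive, the fake `classes.dex` contents and the out-of-spec method value 0x7777 are constructed for the demonstration; the page does not state which invalid values Anatsa actually uses.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
# Compression methods defined in PKWARE's APPNOTE.TXT; anything else is out of spec.
KNOWN_METHODS = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 14, 18, 19, 93, 94, 95, 96, 97, 98, 99}
# General-purpose flag bits 7-10, 14 and 15, which the spec leaves unused/reserved.
RESERVED_FLAGS = 0xC780

def scan_local_headers(blob: bytes) -> list:
    """Return (name, reasons) for entries whose local header carries out-of-spec
    method or flag values, i.e. an archive a normal unpacker would reject."""
    findings = []
    off = blob.find(LOCAL_SIG)
    while off != -1 and off + 30 <= len(blob):
        (_sig, _ver, flags, method, _t, _d, _crc, csize, _usize,
         name_len, extra_len) = struct.unpack("<IHHHHHIIIHH", blob[off:off + 30])
        name = blob[off + 30:off + 30 + name_len].decode("utf-8", "replace")
        reasons = []
        if method not in KNOWN_METHODS:
            reasons.append(f"unknown compression method 0x{method:04x}")
        if flags & RESERVED_FLAGS:
            reasons.append(f"reserved flag bits set in 0x{flags:04x}")
        if reasons:
            findings.append((name, reasons))
        # csize is 0 when a data descriptor follows (flag bit 3); searching from the
        # start of the entry data still locates the next local header.
        off = blob.find(LOCAL_SIG, off + 30 + name_len + extra_len + csize)
    return findings

def stock_unpacker_can_read(blob: bytes, name: str) -> bool:
    """Python's zipfile stands in for ordinary static analysis tooling."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            z.read(name)
        return True
    except (zipfile.BadZipFile, NotImplementedError):
        return False

def build_sample(corrupt: bool) -> bytes:
    """Constructed sample: a fake classes.dex plus a benign file. With corrupt=True the
    method field of the DEX entry (local header offset 8, central directory offset 10)
    is overwritten with the made-up value 0x7777."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"A" * 64)
        z.writestr("README.txt", b"benign file")
    data = bytearray(buf.getvalue())
    if corrupt:
        struct.pack_into("<H", data, data.find(LOCAL_SIG) + 8, 0x7777)
        struct.pack_into("<H", data, data.find(CENTRAL_SIG) + 10, 0x7777)
    return bytes(data)
```

Run `scan_local_headers` over every ZIP-like blob extracted from an APK's assets or resources; an entry that stock tooling cannot open but that the app nevertheless loads at runtime is the pattern worth alerting on.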
Anatsa encrypts all communications with its command-and-control (C2) servers using a single-byte XOR key. In this specific campaign, the identified C2 servers were hosted at http://172.86.91[.]94/api/, http://193.24.123[.]18:85/api/, and http://162.252.173[.]37:85/api/. These servers are responsible for delivering realistic-looking fake banking login overlays that appear directly over legitimate banking applications, duping users into submitting their credentials on fraudulent pages that mirror authentic ones. Further details on Anatsa’s credential theft and keystroke monitoring capabilities can be found in Cryptika’s report.
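Because a single-byte XOR key offers no real secrecy, an analyst holding a packet capture of the C2 exchange can recover it by exhaustion. The helper below is an added example (not code from the page or from Zscaler): it tries all 256 keys and keeps the one whose output is printable and, ideally, parses as JSON, since the C2 endpoints listed above are API-style. The beacon body and the key 0x5A are constructed for the demonstration; the real key and message format are not given on the page.

```python
import json
import string

PRINTABLE = set(bytes(string.printable, "ascii"))

def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (the scheme is its own inverse)."""
    return bytes(b ^ key for b in data)

def score_plaintext(candidate: bytes) -> float:
    """Heuristic: fraction of printable bytes, plus 1.0 if the result is valid JSON,
    which is what an /api/-style C2 exchange is most likely to carry."""
    if not candidate:
        return 0.0
    printable = sum(b in PRINTABLE for b in candidate) / len(candidate)
    try:
        json.loads(candidate)          # ValueError covers JSON and UTF-8 failures
        return printable + 1.0
    except ValueError:
        return printable

def recover_single_byte_xor(blob: bytes) -> tuple:
    """Try all 256 keys and return (key, plaintext) for the best-scoring candidate."""
    best_key, best_plain, best_score = 0, blob, -1.0
    for key in range(256):
        plain = xor_bytes(blob, key)
        s = score_plaintext(plain)
        if s > best_score:
            best_key, best_plain, best_score = key, plain, s
    return best_key, best_plain

# Constructed sample: a beacon body as it might appear in a captured POST to a /api/
# endpoint, encoded with the made-up key 0x5A.
SAMPLE_PLAIN = b'{"id":"device-0001","model":"Pixel 7","action":"overlay_list"}'
SAMPLE_CAPTURE = xor_bytes(SAMPLE_PLAIN, 0x5A)
```

Decoded beacons like this are what you feed into network detection content (endpoint paths, field names) once the key for a given sample is known.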
The malware also incorporates emulation checks and verifies the device model before deploying its payload. If it detects a sandboxed or testing environment, it simply presents a clean file manager interface instead of launching the trojan. This integrated self-defense mechanism allows Anatsa to remain undetected during automated analysis, thereby extending its operational lifespan on genuine user devices without being flagged.
What You Should Do
- Review App Permissions Carefully: Always scrutinize the permissions requested by any new application before granting them. Be particularly wary if a document reader or file manager app asks for unusual permissions like accessibility services or SMS access, as these are typically not required for their legitimate functions.
- Maintain Google Play Protect: Ensure Google Play Protect is enabled on your Android device to benefit from its continuous scanning for malicious applications.
- Exercise Caution with Unknown Developers: Avoid downloading applications from unfamiliar developers, especially those with limited reviews or a suspicious lack of information.
- Question Unusual Requests: Be suspicious of any application that requests permissions that seem unrelated to its advertised purpose.
- Immediate Uninstallation and Scanning: If you have installed the affected application (package name: com.groundstation.informationcontrol.filestation_browsefiles_readdocs), uninstall it immediately and perform a thorough scan of your device using a reputable mobile security solution.
Indicators of Compromise (IOCs):
| Indicator | Type | Detail |
|---|---|---|
| 5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20 | Installer SHA256 | Anatsa dropper hash |
| 88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f | Payload SHA256 | Anatsa core payload hash |
| http://23.251.108[.]10:8080/privacy.txt | Payload URL | Remote payload delivery server |
| http://172.86.91[.]94/api/ | C2 Server | Anatsa command-and-control |
| http://193.24.123[.]18:85/api/ | C2 Server | Anatsa command-and-control |
| http://162.252.173[.]37:85/api/ | C2 Server | Anatsa command-and-control |
| com.groundstation.informationcontrol.filestation_browsefiles_readdocs | Package Name | Malicious dropper app (removed) |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.