Google Play Fake Document Reader With 10K Downloads Installs Anatsa Malware

David kimber
April 28, 2026

Key Takeaways

  • A deceptive document reader app on Google Play distributed the sophisticated Anatsa banking trojan.
  • The malicious application garnered over 10,000 downloads before Google removed it, exposing numerous Android users to financial fraud.
  • Anatsa, a persistent Android banking trojan first observed in 2020, continues to evolve, now targeting over 831 financial institutions globally, including new targets in Germany and South Korea.
  • The malware utilizes a two-stage dropper mechanism and advanced evasion techniques to bypass app store defenses and security analysis tools.

Fake Document Reader App Delivers Anatsa Banking Trojan to Thousands of Android Users

A recent discovery by cybersecurity researchers has unveiled a fraudulent document reader application on the Google Play Store that was secretly installing the potent Anatsa Android banking trojan on thousands of user devices. This campaign underscores the ongoing threat posed by Anatsa, a malware notorious for its sophisticated capabilities and continuous evolution.

Before its removal by Google, the malicious application had accumulated more than 10,000 downloads, directly jeopardizing a significant number of Android users with the risk of financial theft and credential compromise. For a detailed technical examination of Anatsa’s functionalities and its history of Android banking malware campaigns, refer to Zscaler’s comprehensive analysis.

Anatsa: A Persistent and Evolving Threat

Anatsa is a well-known entity in the realm of mobile security, having first emerged in 2020. Initially designed as an Android banking trojan, its primary objective was to steal user credentials, log keystrokes, and execute unauthorized transactions on infected devices, all without the user’s knowledge.

Over time, Anatsa has matured into one of the most formidable mobile banking threats. Its latest iteration demonstrates an expanded reach, now actively targeting over 831 financial institutions worldwide. This includes newly identified banks and cryptocurrency platforms in countries such as Germany and South Korea.

Researchers at Zscaler ThreatLabz brought this malicious application to light on the Google Play Store, publishing their findings on April 27, 2026. The application was cleverly disguised as a file reader, operating under the package name com.groundstation.informationcontrol.filestation_browsefiles_readdocs. It had already surpassed 10,000 installations before Google took action to remove it from the platform.

This incident represents another chapter in Anatsa’s persistent campaign, which consistently leverages seemingly innocuous utility applications to circumvent app store security measures and infect a large user base. Additional insights into the evolution of Anatsa can be found in Zscaler’s security research.

Infection Mechanism and Detection Evasion

The malicious app employed a dropper technique to evade detection during Google Play’s review process. Upon installation, it functioned ostensibly as a legitimate document reader, exhibiting no immediate signs of malicious behavior. However, in the background, it established a connection to a remote server and downloaded the Anatsa payload from http://23.251.108[.]10:8080/privacy.txt. This process silently installed the trojan without any visible alerts to the user. This two-stage delivery mechanism is a deliberate strategy to bypass initial app store reviews, which typically only scrutinize the application at the point of submission.

This tactic, where an app initially appears benign and later downloads malware, has been a hallmark of Anatsa’s campaigns for years. Because Google Play’s security scans primarily focus on the app’s initial version, the trojan can successfully infiltrate the platform undetected. It then waits until it achieves a substantial number of installations before activating its malicious functionalities, by which point the dropper is already present on thousands of devices.

Post-Installation Actions and Stealth Tactics

Once the Anatsa payload is successfully executed on a device, it immediately requests accessibility permissions from the user. If these permissions are granted, the malware automatically escalates its privileges, gaining capabilities such as overlaying content on other applications, intercepting SMS messages, and displaying full-screen alerts. These extensive permissions are then exploited to monitor user activity, steal banking credentials, and disrupt legitimate app interactions without raising suspicion.

To further evade security tools, Anatsa conceals its DEX file within a corrupted ZIP archive that utilizes invalid compression flags. This file is only executed at runtime and is promptly deleted after loading, making it exceptionally challenging for static analysis tools to detect. The payload is additionally embedded within a JSON file, which is dropped and subsequently erased during execution, leaving minimal forensic evidence of the infection on the device.
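The evasion just described works because a ZIP library that follows the specification refuses an entry whose compression method field is not a defined value, while the malware's own loader ignores the field and reads the bytes anyway. The following script is an added example, not code from the article, from Zscaler's analysis or from the malware: it walks the raw local file headers and central directory of an archive, reports entries whose method field is not one a normal loader accepts (or whose two headers disagree), and shows that Python's zipfile rejects the tampered entry. The archive is constructed in memory, and the bogus method value 0x7777 is an assumption.

```python
"""Flag ZIP entries whose compression method a standard loader would reject.

Added example; not code from the article, Zscaler or the malware. It parses the
PKWARE header layouts directly instead of trusting a ZIP library. The archive
is constructed in memory; 0x7777 as the invalid method value is an assumption.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry signature
ACCEPTED_METHODS = {0, 8}    # 0 = stored, 8 = deflate: what APK/DEX loaders expect


def _walk(data: bytes, sig: bytes, method_off: int, namelen_off: int, name_off: int):
    """Yield (header_offset, entry_name, compression_method) for each header
    starting with sig; field offsets follow the PKWARE APPNOTE layouts."""
    off = data.find(sig)
    while off >= 0:
        method = struct.unpack_from("<H", data, off + method_off)[0]
        name_len = struct.unpack_from("<H", data, off + namelen_off)[0]
        name = data[off + name_off: off + name_off + name_len].decode("utf-8", "replace")
        yield off, name, method
        off = data.find(sig, off + 4)


def suspicious_entries(data: bytes) -> list:
    """Entries with an unknown method in either header, or mismatched headers."""
    local = {n: m for _, n, m in _walk(data, LOCAL_SIG, 8, 26, 30)}
    central = {n: m for _, n, m in _walk(data, CENTRAL_SIG, 10, 28, 46)}
    findings = []
    for name in sorted(set(local) | set(central)):
        lm, cm = local.get(name), central.get(name)
        if lm not in ACCEPTED_METHODS or cm not in ACCEPTED_METHODS or lm != cm:
            findings.append({"name": name, "local_method": lm, "central_method": cm})
    return findings


def loader_accepts(data: bytes, name: str) -> bool:
    """True if Python's zipfile (a spec-following loader) can extract the entry."""
    try:
        zipfile.ZipFile(io.BytesIO(data)).read(name)
        return True
    except (zipfile.BadZipFile, NotImplementedError, KeyError):
        return False


def build_sample_zip(corrupt: bool) -> bytes:
    """Constructed archive with a fake classes.dex; optionally rewrite that
    entry's method field in both headers to the invalid value 0x7777."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"A" * 64)  # placeholder, not a real DEX
        zf.writestr("README.txt", b"benign file reader")
    data = bytearray(buf.getvalue())
    if corrupt:
        for sig, m_off, nl_off, n_off in ((LOCAL_SIG, 8, 26, 30), (CENTRAL_SIG, 10, 28, 46)):
            for off, name, _ in _walk(bytes(data), sig, m_off, nl_off, n_off):
                if name == "classes.dex":
                    struct.pack_into("<H", data, off + m_off, 0x7777)
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_zip(False)), ("tampered", build_sample_zip(True))):
        print(label, suspicious_entries(blob), "loader accepts classes.dex:",
              loader_accepts(blob, "classes.dex"))
```

The point of reading the headers by hand is that the tampering is aimed precisely at tools which delegate to a ZIP library: the library raises an error and the analyst sees nothing, whereas a header walk turns the invalid field itself into the detection signal.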

Anatsa encrypts all communications with its command-and-control (C2) servers using a single-byte XOR key. In this specific campaign, the identified C2 servers were hosted at http://172.86.91[.]94/api/, http://193.24.123[.]18:85/api/, and http://162.252.173[.]37:85/api/. These servers are responsible for delivering realistic-looking fake banking login overlays that appear directly over legitimate banking applications, duping users into submitting their credentials on fraudulent pages that mirror authentic ones. Further details on Anatsa’s credential theft and keystroke monitoring capabilities can be found in Cryptika’s report.
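A single-byte XOR key is obfuscation rather than encryption: there are only 256 possible keys, so an analyst with a packet capture can recover the key by scoring every candidate plaintext. The script below is an added example and is not code from the article or from Zscaler's analysis; the captured message, the key 0x5A, and the assumption that decoded traffic is mostly printable text (with a bonus when it parses as JSON) are all constructed here and are not taken from the real campaign.

```python
"""Recover a single-byte XOR key from captured C2 traffic and decode it.

Added example; not code from the article or from Zscaler's analysis. The
sample message, the key 0x5A and the text-likeness heuristic are constructed.
"""
import json
import string

_LETTERS = frozenset(string.ascii_letters.encode())
_COMMON = frozenset(b' 0123456789"{}[]:,.-_/\n\r\t')


def xor_bytes(data: bytes, key: int) -> bytes:
    """One-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> int:
    """Text-likeness heuristic: letters score highest, common punctuation and
    digits next, other printable ASCII is neutral, control/high bytes are
    penalised, and a candidate that parses as JSON gets a large bonus."""
    score = 0
    for b in candidate:
        if b in _LETTERS:
            score += 2
        elif b in _COMMON:
            score += 1
        elif not 0x20 <= b <= 0x7E:
            score -= 5
    try:
        json.loads(candidate.decode("utf-8"))
        score += 50
    except (UnicodeDecodeError, ValueError):
        pass
    return score


def recover_key(ciphertext: bytes) -> int:
    """Brute-force all 256 keys and return the best-scoring one."""
    return max(range(256), key=lambda k: score_plaintext(xor_bytes(ciphertext, k)))


def decode_capture(ciphertext: bytes) -> tuple:
    """(key, plaintext) for a captured message."""
    key = recover_key(ciphertext)
    return key, xor_bytes(ciphertext, key)


# Constructed sample: a plausible beacon, not traffic from the real campaign
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b'{"device":"sample-0001","action":"ping","version":"1.0"}'
SAMPLE_CAPTURE = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, text = decode_capture(SAMPLE_CAPTURE)
    print(f"key=0x{key:02x} plaintext={text!r}")
```

Because the key space is so small, network defenders can decode the traffic of an infected device from a capture alone, which is why indicators such as the C2 addresses above, rather than the "encryption", are what protects the operator here.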

The malware also incorporates emulation checks and verifies the device model before deploying its payload. If it detects a sandboxed or testing environment, it simply presents a clean file manager interface instead of launching the trojan. This integrated self-defense mechanism allows Anatsa to remain undetected during automated analysis, thereby extending its operational lifespan on genuine user devices without being flagged.

What You Should Do

  • Review App Permissions Carefully: Always scrutinize the permissions requested by any new application before granting them. Be particularly wary if a document reader or file manager app asks for unusual permissions like accessibility services or SMS access, as these are typically not required for their legitimate functions.
  • Maintain Google Play Protect: Ensure Google Play Protect is enabled on your Android device to benefit from its continuous scanning for malicious applications.
  • Exercise Caution with Unknown Developers: Avoid downloading applications from unfamiliar developers, especially those with limited reviews or a suspicious lack of information.
  • Question Unusual Requests: Be suspicious of any application that requests permissions that seem unrelated to its advertised purpose.
  • Immediate Uninstallation and Scanning: If you have installed the affected application (package name: com.groundstation.informationcontrol.filestation_browsefiles_readdocs), uninstall it immediately and perform a thorough scan of your device using a reputable mobile security solution.

Indicators of Compromise (IOCs):

Indicator                                                              Type              Detail
---------------------------------------------------------------------  ----------------  ------------------------------
5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20       Installer SHA256  Anatsa dropper hash
88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f       Payload SHA256    Anatsa core payload hash
http://23.251.108[.]10:8080/privacy.txt                                Payload URL       Remote payload delivery server
http://172.86.91[.]94/api/                                             C2 server         Anatsa command-and-control
http://193.24.123[.]18:85/api/                                         C2 server         Anatsa command-and-control
http://162.252.173[.]37:85/api/                                        C2 server         Anatsa command-and-control
com.groundstation.informationcontrol.filestation_browsefiles_readdocs  Package name      Malicious dropper app (removed)
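The checks in "What You Should Do" and the indicators above can be applied mechanically. The script below is an added example, not part of the article or of Zscaler's report: it refangs the published URLs, matches an installed-package list against the dropper's package name, flags packages holding accessibility-service access that are not on an allowlist, and looks for the payload and C2 hosts in proxy log lines. The IOC values are copied from the table; the package list, the accessibility setting value, the proxy log lines and the allowlist are constructed sample input, and the service class names in the setting are assumptions.

```python
"""Match the published Anatsa IOCs against host and network artefacts.

Added example; not part of the article or of Zscaler's report. IOC values are
those published above. All sample input below is constructed, not telemetry.
"""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlsplit

# IOCs exactly as published (defanged with "[.]")
IOCS = {
    "sha256": {
        "5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20": "Anatsa dropper",
        "88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f": "Anatsa core payload",
    },
    "urls": [
        "http://23.251.108[.]10:8080/privacy.txt",
        "http://172.86.91[.]94/api/",
        "http://193.24.123[.]18:85/api/",
        "http://162.252.173[.]37:85/api/",
    ],
    "packages": ["com.groundstation.informationcontrol.filestation_browsefiles_readdocs"],
}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(indicator: str) -> str:
    """Undo the defanging used in published IOC lists ('[.]', 'hxxp')."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def ioc_hosts() -> set[str]:
    """Host part of every published URL, e.g. '23.251.108.10'."""
    return {urlsplit(refang(u)).hostname for u in IOCS["urls"]}


def check_packages(pm_output: str) -> list[str]:
    """Scan 'adb shell pm list packages' output (lines of 'package:<name>')."""
    installed = {line.split(":", 1)[1].strip()
                 for line in pm_output.splitlines() if line.startswith("package:")}
    return sorted(installed & set(IOCS["packages"]))


def check_accessibility(setting_value: str, allowlist: set[str]) -> list[str]:
    """Packages granted accessibility-service access that are not allowlisted.
    Input is the value of 'adb shell settings get secure enabled_accessibility_services':
    a colon-separated list of 'package/ServiceClass' component names."""
    flagged = []
    for component in filter(None, setting_value.strip().split(":")):
        pkg = component.split("/", 1)[0]
        if pkg not in allowlist:
            flagged.append(pkg)
    return flagged


def check_network_log(lines: list[str]) -> list[tuple[str, str]]:
    """(line, host) pairs whose destination is a known payload or C2 host."""
    hosts = ioc_hosts()
    return [(line, ip) for line in lines for ip in IP_RE.findall(line) if ip in hosts]


def check_hash(sha256_hex: str) -> Optional[str]:
    """Label for a known file hash, or None."""
    return IOCS["sha256"].get(sha256_hex.lower())


# --- constructed sample input (not real telemetry) --------------------------
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.groundstation.informationcontrol.filestation_browsefiles_readdocs
package:com.example.notes
"""
# service class names here are assumptions, not the real components
SAMPLE_ACCESSIBILITY = ("com.example.screenreader/.ReaderService:"
                        "com.groundstation.informationcontrol.filestation_browsefiles_readdocs/.AccService")
SAMPLE_ALLOWLIST = {"com.example.screenreader"}
SAMPLE_PROXY_LOG = [
    "2026-04-27T10:02:11Z GET http://23.251.108.10:8080/privacy.txt 200 48213",
    "2026-04-27T10:02:40Z POST http://172.86.91.94/api/ 200 312",
    "2026-04-27T10:03:05Z GET https://www.example.com/ 200 5120",
]

if __name__ == "__main__":
    print("packages:", check_packages(SAMPLE_PM_OUTPUT))
    print("accessibility:", check_accessibility(SAMPLE_ACCESSIBILITY, SAMPLE_ALLOWLIST))
    print("network:", check_network_log(SAMPLE_PROXY_LOG))
```

The accessibility check is the most durable of the four: package names and hashes change with every repackaged dropper, but a file reader that holds an enabled accessibility service is anomalous regardless of which campaign shipped it.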

David kimber
David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.
