Malicious “Document Reader – File Manager” App on Google Play Delivering Anatsa Banking Trojan

A malicious Android app disguised as a harmless document reader and file manager has been caught distributing the Anatsa (TeaBot) banking trojan — despite being available on Google Play with 50,000+ downloads.

Researchers at Zscaler ThreatLabz identified the app, published by “ISTOQMAH,” which tricks users into granting permissions that ultimately enable financial credential theft, phishing overlays, and fraudulent transactions.

🔍 What Anatsa Does

Anatsa is an advanced Android banking malware first seen in 2020. Its capabilities include:

  • 📝 Credential theft
  • ⌨️ Keylogging
  • 💳 Overlay attacks on banking & crypto apps
  • 🤖 Automated transactions (ATS)

Recent variants have targeted over 831 financial institutions across Europe, North America, Germany and South Korea, as well as cryptocurrency platforms.

🕵️ How the Fake App Works

The malicious app pretends to:

  • Open PDFs
  • Scan documents
  • Manage files

But behind the scenes, it:

  • Downloads the Anatsa payload disguised as an “update”
  • Uses DES-decrypted strings to evade static detection
  • Checks device properties to avoid sandboxes
  • Hides malicious code in malformed ZIP/DEX files
  • Shows a fake file manager if checks fail

Once activated, it aggressively requests Accessibility Services, then uses that access to silently grant itself sensitive permissions and capabilities such as:

  • SYSTEM_ALERT_WINDOW
  • READ_SMS
  • Overlay and full-screen phishing abilities

This allows it to display fake login screens mimicking legitimate banking apps.

⚠️ Campaign Scale

ThreatLabz reports Anatsa is part of a larger wave of malware droppers that infiltrate Google Play by posing as productivity tools.
Recently, 77 similar apps totaling 19 million installs were removed from the store.

🛡️ Who Is at Risk?

  • Users in Europe, North America, Germany, South Korea
  • Customers of banks & crypto exchanges
  • Anyone installing “free tools” from the Play Store without vetting the permissions they request

✔️ Recommendations

For users:

  • Check permissions carefully before installing apps
  • Avoid apps requesting unnecessary accessibility access
  • Reject “updates” pushed outside Google Play
  • Use antivirus or mobile threat defense solutions

For security teams:

  • Review ThreatLabz IOCs
  • Monitor outbound device traffic
  • Conduct forensics on suspicious app installs
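As an added triage aid for the forensics step (not code from ThreatLabz or the post), the following Python script scores installed apps by the permission profile the post describes: an enabled accessibility service combined with overlay (SYSTEM_ALERT_WINDOW) and READ_SMS access. It parses text captured from `adb shell` (the embedded samples are constructed, with simplified `dumpsys package` output); the inclusion of REQUEST_INSTALL_PACKAGES as a risky grant is my assumption, not something the post names.

```python
"""Triage helper for the "conduct forensics on suspicious app installs" step: flag apps whose
granted permissions match the post's pattern (accessibility service + overlay + SMS)."""
import re
# Constructed sample of `settings get secure enabled_accessibility_services`.
ENABLED_A11Y = "com.example.docreader/.A11yService:com.android.talkback/.TalkBackService"
# Constructed, simplified excerpts of `dumpsys package <pkg>` output.
DUMPSYS = {
    "com.example.docreader": """
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  User 0: installed=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
""",
    "com.android.talkback": "  install permissions:\n    android.permission.INTERNET: granted=true\n",
}
# Constructed sample of `appops get <pkg> SYSTEM_ALERT_WINDOW` output per package.
APPOPS = {
    "com.example.docreader": "SYSTEM_ALERT_WINDOW: allow",
    "com.android.talkback": "SYSTEM_ALERT_WINDOW: default",
}
# READ_SMS is named in the post; REQUEST_INSTALL_PACKAGES is my assumption, since a
# dropper that sideloads a payload as an "update" normally needs it.
RISKY_PERMS = {"android.permission.READ_SMS", "android.permission.REQUEST_INSTALL_PACKAGES"}

def granted_permissions(dump: str) -> set:
    """Every permission marked granted=true in a dumpsys package excerpt."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dump))

def overlay_allowed(appops_line: str) -> bool:
    """True when the SYSTEM_ALERT_WINDOW app-op (draw over other apps) is set to allow."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_line) is not None

def accessibility_packages(setting: str) -> set:
    """Package names from the colon-separated pkg/.Service list of enabled services."""
    return {entry.split("/")[0] for entry in setting.split(":") if entry}

def triage(a11y_setting: str, dumpsys: dict, appops: dict) -> dict:
    """Map each package with an enabled accessibility service to its risky grants."""
    findings = {}
    for pkg in sorted(accessibility_packages(a11y_setting)):
        hits = sorted(granted_permissions(dumpsys.get(pkg, "")) & RISKY_PERMS)
        if overlay_allowed(appops.get(pkg, "")):
            hits.append("SYSTEM_ALERT_WINDOW")
        findings[pkg] = hits  # two or more hits match the Anatsa profile
    return findings

if __name__ == "__main__":
    for pkg, hits in triage(ENABLED_A11Y, DUMPSYS, APPOPS).items():
        print(pkg, "SUSPECT" if len(hits) >= 2 else "ok", hits)
```

On a real device, feed it the output of the three adb commands named in the comments; a package that is not a known accessibility tool and scores two or more hits is worth pulling the APK from for closer analysis.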

Sophisticated dropper campaigns like this highlight the ongoing challenge of securing official app stores against evolving malware families.
