Categories: Cyber Security News

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz have uncovered a deceptive threat hiding within the official Google Play Store. A fake document reader application, designed to look like a standard file management utility, was found secretly delivering the dangerous Anatsa Android banking trojan.

Before Google removed the application from the platform, it had already surpassed 10,000 downloads, putting thousands of users at significant risk of financial fraud and data theft.

The malicious application, previously available on the Google Play Store under the package name com.groundstation.informationcontrol.filestation_browsefiles_readdocs, masqueraded as a harmless tool for browsing and reading documents.

Threat actors frequently use this tactic, known as a “dropper” technique, to sneak past Google Play Protect’s initial security scans. The version submitted to the store contains no malicious code, so it appears clean during the review process; the banking trojan itself is fetched only after the app is installed and launched.

Once an unsuspecting user downloaded and opened the fake document reader, the app initiated the second phase of the attack in the background.

It reached out to an external server to download the actual malware payload, serving the file under a harmless-looking name (a plain text document) so that the download would not raise suspicion on the network.
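The mismatch between what the download claims to be and what it actually contains is the cheapest network-side check for this stage. The following is an added example, not code from the ThreatLabz write-up: it sniffs the leading bytes of a fetched blob and flags a file with a text-like name that is really an Android package (a ZIP archive), a DEX file or a native library. The sample blobs are constructed for illustration.

```python
"""
Added example (not from the ThreatLabz report): flag a downloaded file whose
name claims plain text but whose first bytes are an Android artifact.
An APK is a ZIP archive (magic "PK\x03\x04"), a classes.dex starts with
"dex\n", and a native library starts with "\x7fELF".
"""
from __future__ import annotations

# Magic bytes of the file types a dropper would hide behind a .txt name.
MAGIC = {
    b"PK\x03\x04": "zip/apk",
    b"dex\n": "dex",
    b"\x7fELF": "elf (native library)",
}

# Extensions a proxy would normally treat as harmless text.
TEXT_LIKE_EXTENSIONS = (".txt", ".json", ".xml", ".html", ".css")


def sniff_type(data: bytes) -> str:
    """Classify a blob by magic bytes; fall back to 'text' if it decodes as UTF-8."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    try:
        data[:512].decode("utf-8")
    except UnicodeDecodeError:
        return "unknown-binary"
    return "text"


def is_disguised_payload(filename: str, data: bytes) -> bool:
    """True when a text-looking filename carries something other than text."""
    claims_text = filename.lower().endswith(TEXT_LIKE_EXTENSIONS)
    return claims_text and sniff_type(data) != "text"


# Constructed samples: a fake APK-shaped blob and a genuine text file.
FAKE_APK_AS_TXT = ("privacy.txt", b"PK\x03\x04" + b"\x00" * 26 + b"META-INF/")
REAL_TXT = ("privacy.txt", b"Privacy policy\nWe respect your privacy.\n")

if __name__ == "__main__":
    for name, blob in (FAKE_APK_AS_TXT, REAL_TXT):
        verdict = "DISGUISED" if is_disguised_payload(name, blob) else "ok"
        print(f"{name}: {sniff_type(blob)} -> {verdict}")
```

The check is deliberately content-based rather than extension- or Content-Type-based, because the dropper controls both the filename and the server headers; only the bytes it needs the device to execute are fixed.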

The Infection Chain and Threat Impact

The Anatsa banking trojan is a highly sophisticated piece of Android malware designed specifically to steal financial information and empty bank accounts.

When the fake document reader installs the Anatsa payload, the malware immediately tries to obtain far-reaching control of the victim’s device.

It typically does this by prompting the victim to enable its Accessibility Service. Once that is granted, the malware can read what is on the screen, capture keystrokes, grant itself further permissions, and interact with the device without the user’s knowledge.

[Figure: Anatsa Trojan Hits Android (Source: ThreatLabz)]

Once fully active, Anatsa monitors the device for targeted banking and financial applications. When a user opens their legitimate banking app, the Trojan launches an overlay attack.

It draws a fake login screen directly on top of the real application, indistinguishable from the genuine one, so the user unwittingly types their username, password, and multi-factor authentication codes straight into the attackers’ hands.

Because Anatsa operates directly on the victim’s trusted device, it can often bypass banks’ traditional fraud detection systems.

The attackers can initiate unauthorized money transfers directly from the compromised phone, making the transactions appear to be authorized by the account owner.

Users who downloaded this fake document reader are advised to uninstall the app immediately (and revoke any Accessibility Service it was granted), monitor their financial accounts for suspicious activity, and change their banking and other sensitive account credentials from a device that is known to be clean.

Indicators Of Compromise (IoCs)

Cybersecurity teams and IT administrators should use the following technical indicators provided by ThreatLabz to hunt for potential infections and block malicious traffic within their networks:

Indicator Type                  Value
Anatsa installer (SHA-256)      5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20
Payload URL                     http://23.251.108[.]10:8080/privacy.txt
Payload (SHA-256)               88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f
Command and Control (C2) URL    http://172.86.91[.]94/api/
Command and Control (C2) URL    http://193.24.123[.]18:85/api/

The IP addresses above are defanged with “[.]” as published; replace it with “.” before loading them into a blocklist or search.
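The following is an added example, not code from the ThreatLabz report, showing how to turn the table into a hunt: it refangs the published indicators, keys the network IoCs by host:port (so log lines that omit the URL path still match), scans a constructed proxy log in a squid-like format, and compares a file’s SHA-256 against the two published hashes. The log lines and the file content are constructed samples.

```python
"""
Added example (not part of the ThreatLabz report): hunt for the published
Anatsa indicators in proxy logs and on disk. The IoC values are the ones from
the table above; the log lines and file blobs are constructed samples.
"""
from __future__ import annotations

import hashlib
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators from the table above, defanged with [.] exactly as published.
PAYLOAD_URL = "http://23.251.108[.]10:8080/privacy.txt"
C2_URLS = ["http://172.86.91[.]94/api/", "http://193.24.123[.]18:85/api/"]
HASHES = {
    "5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20": "anatsa installer",
    "88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f": "anatsa payload",
}


def refang(ioc: str) -> str:
    """Turn a defanged IoC ("23.251.108[.]10", "hxxp://") back into a matchable form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def hostport(url: str) -> str:
    """Extract 'host:port' from a URL, defaulting the port by scheme."""
    parts = urlsplit(refang(url))
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname}:{port}"


# Network indicators keyed by host:port so any log that records the
# destination (even without the URL path) can be matched.
NETWORK_IOCS = {hostport(PAYLOAD_URL): "payload download"}
NETWORK_IOCS.update({hostport(u): "C2 beacon" for u in C2_URLS})

# Constructed sample log: "timestamp client dst_host:port method url".
SAMPLE_LOG = """\
1714300000.123 10.0.0.15 23.251.108.10:8080 GET http://23.251.108.10:8080/privacy.txt
1714300001.456 10.0.0.15 172.86.91.94:80 POST http://172.86.91.94/api/
1714300002.789 10.0.0.22 142.250.80.46:443 CONNECT www.google.com:443
1714300003.000 10.0.0.15 193.24.123.18:85 POST http://193.24.123.18:85/api/
"""


def hunt_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host:port, label) for every line whose destination is an IoC."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the hunt
        client, dst = fields[1], fields[2]
        if dst in NETWORK_IOCS:
            hits.append((client, dst, NETWORK_IOCS[dst]))
    return hits


def check_file(data: bytes) -> Optional[str]:
    """Return the IoC label if the blob's SHA-256 matches a published hash, else None."""
    return HASHES.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    for client, dst, label in hunt_log(SAMPLE_LOG):
        print(f"{client} -> {dst}: {label}")
    # A constructed blob; only the real installer/payload would match.
    print("file verdict:", check_file(b"not the real payload"))
```

Matching on host:port rather than the full URL is a deliberate choice: the C2 paths and the payload filename are trivially changed by the operator, whereas the listening socket is what other infected devices will keep contacting until the infrastructure is rotated.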


The post 10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan appeared first on Cyber Security News.

rssfeeds-admin
