A seemingly harmless document reader app on the Google Play Store has been exposed as a delivery mechanism for the notorious Anatsa banking trojan, putting thousands of Android users at risk.
The malicious app, which crossed 10,000 downloads before being removed, was uncovered by researchers at Zscaler ThreatLabz. Disguised as a file management tool, it appeared fully functional, helping it evade detection during initial security checks.
However, behind the scenes, the app was executing a stealthy two-stage attack. Initially, it behaved like a normal document reader. Later, it secretly connected to a remote server to download the Anatsa malware payload—without any visible alerts to the user.
Anatsa, first identified in 2020, has evolved into one of the most persistent Android banking trojans. It is designed to steal sensitive data such as login credentials, capture keystrokes, intercept SMS messages, and even perform unauthorized financial transactions. The latest variant reportedly targets over 800 financial institutions worldwide, including banks and crypto platforms.
Once active, the malware requests accessibility permissions, a major red flag. If granted, it gains extensive control over the device, allowing it to overlay fake login screens on top of legitimate banking apps. These overlays trick users into entering their credentials, which are then sent directly to the attackers.
To avoid detection, Anatsa uses several evasion techniques. Its malicious code is hidden within deliberately corrupted files that static analysis tools cannot parse, and it is only unpacked and executed at runtime, leaving minimal traces on disk. It also checks whether it is running in an emulator or analysis environment and disables its malicious behaviour there, so automated security systems see nothing to flag.
Security experts warn users to be cautious when downloading apps, even from trusted platforms like the Google Play Store. Apps that request unnecessary permissions, especially SMS access or accessibility services, should be treated with suspicion.
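A quick way to check an already-installed app for the red flags described above, as an added example (not code from Zscaler ThreatLabz or the article). It assumes the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <package-name>`; the sample text and package names below are constructed to mimic that output, and dumpsys formatting varies across Android versions, so the parsing is a starting point rather than a specification.

```python
"""Triage installed Android packages for the red flags in the article:
an enabled accessibility service, granted SMS permissions, and the ability
to install further packages (what a two-stage dropper needs on Android 8+).

Added example, not code from Zscaler ThreatLabz or the article. The inputs
are constructed to mimic `settings get secure enabled_accessibility_services`
and `dumpsys package <pkg>`; package names are hypothetical.
"""
from dataclasses import dataclass, field

SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
INSTALL_PERMISSION = "android.permission.REQUEST_INSTALL_PACKAGES"

# Constructed sample of the accessibility setting: a colon-separated list of
# <package>/<service class> pairs. A screen reader appears alongside the "reader".
ENABLED_A11Y = (
    "com.example.docreader/com.example.docreader.HelperService:"
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Constructed, abbreviated `dumpsys package` output for two hypothetical apps.
DUMPSYS = {
    "com.example.docreader": """\
Package [com.example.docreader] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
""",
    "com.android.talkback": """\
Package [com.android.talkback] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
""",
}


def enabled_accessibility_packages(setting: str) -> set[str]:
    """Package names that have at least one accessibility service enabled."""
    packages = set()
    for entry in setting.split(":"):
        entry = entry.strip()
        if "/" in entry:
            packages.add(entry.split("/", 1)[0])
    return packages


def permission_sections(dumpsys_text: str) -> dict[str, set[str]]:
    """Map each '... permissions:' section of dumpsys output to the names it lists."""
    sections: dict[str, set[str]] = {}
    current = None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            current = stripped[:-1]  # e.g. "requested permissions"
            sections.setdefault(current, set())
        elif current and stripped.startswith("android.permission."):
            sections[current].add(stripped.split(":", 1)[0])
    return sections


def granted_permissions(dumpsys_text: str) -> set[str]:
    """Permissions dumpsys marks granted=true, whether install-time or runtime."""
    granted = set()
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("android.permission.") and "granted=true" in stripped:
            granted.add(stripped.split(":", 1)[0])
    return granted


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def triage(enabled_setting: str, dumpsys_by_package: dict[str, str]) -> list[Finding]:
    """Return packages with at least one red flag, most suspicious first."""
    a11y_packages = enabled_accessibility_packages(enabled_setting)
    findings = []
    for package, text in dumpsys_by_package.items():
        reasons = []
        if package in a11y_packages:
            reasons.append("accessibility service enabled")
        sms = granted_permissions(text) & SMS_PERMISSIONS
        if sms:
            reasons.append("SMS permissions granted: " + ", ".join(sorted(sms)))
        if INSTALL_PERMISSION in permission_sections(text).get("requested permissions", set()):
            reasons.append("can request installation of other packages (dropper capability)")
        if reasons:
            findings.append(Finding(package, reasons))
    # One flag alone is normal for a screen reader; the combination is the signal.
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in triage(ENABLED_A11Y, DUMPSYS):
        print(finding.package, "->", "; ".join(finding.reasons))
```

Run against real devices by substituting the two adb outputs for the constructed samples. A legitimate screen reader will always show the accessibility flag on its own, so rank on the combination of flags rather than treating any single one as proof; a "document reader" that also holds SMS permissions and can install packages is the pattern worth uninstalling and investigating.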
Users who installed the affected app are strongly advised to uninstall it immediately and run a full device scan using a reliable mobile security solution.