Malicious Document Reader on Google Play: Anatsa Banking Malware on 50,000 Devices
At first glance, it looked harmless.
A simple Android app called “Document Reader – File Manager”, available directly on Google Play, promised exactly what millions of users search for every day: an easy way to read PDFs and manage files. Clean interface. Normal functionality. No obvious red flags.
And yet, behind that familiar productivity mask, the app quietly acted as a dropper for Anatsa (TeaBot) — one of the most persistent and financially damaging Android banking trojans in circulation today.
By the time the app was removed, it had already crossed 50,000 installs, once again proving a difficult truth in mobile security: official app stores are not immune to supply-chain abuse.
Overview: Trust as the Attack Vector
This campaign followed a playbook that threat researchers are seeing more frequently — and more successfully.
The malicious app was published under the developer name ISTOQMAH and positioned as a legitimate document reader and file manager. Nothing about the initial listing stood out as malicious. The app performed exactly as advertised, helping users open documents and browse files, which helped it gain positive engagement and user trust.
Security researchers later confirmed that this app was part of a broader distribution campaign for Anatsa, a malware family active since at least 2020 and well known for using PDF readers, QR scanners, and document utilities as decoys on Google Play.
Recent Anatsa waves have primarily targeted users in North America and Europe, especially those running popular banking and financial applications.
Infection Chain: A Trojan That Waits
What made this campaign effective wasn’t brute force — it was patience.
Stage 1: Clean First Impression
When users installed the app, it behaved like a perfectly normal document reader. No immediate malicious activity. No suspicious permission requests at install time. This helped it pass both Google Play's automated checks and user scrutiny.
Stage 2: Delayed Payload Delivery
In the background, the app contacted attacker-controlled infrastructure to download a secondary component, often disguised as an update or plugin. This second stage was the actual Anatsa malware payload.
If this download failed — due to network conditions, region restrictions, or sandbox analysis — the app simply continued working as a benign document reader. This fallback behavior helped it survive longer on devices and in the Play Store.
Stage 3: Dynamic Loading & Obfuscation
Crucially, the malicious code was not present in the original APK submitted to Google Play. Instead, it was:
Downloaded dynamically
Heavily obfuscated
Loaded at runtime
This design dramatically reduced detection during static analysis and initial store vetting.
Anatsa Capabilities: Full Financial Takeover
Once successfully deployed, Anatsa wasted no time escalating control.
The malware abused Accessibility Service access, notification access, and other high-risk permissions to gain near-complete visibility into on-screen activity and incoming messages. From there, it focused almost exclusively on banking and financial apps.
Key Capabilities Include:
Overlay attacks: fake login screens that closely mimic real banking apps, drawn over the genuine app to capture credentials as they are typed.
Keylogging and form grabbing: intercepts passwords, PINs, and other sensitive input across apps through the Accessibility Service.
SMS and notification interception: steals one-time passwords and transaction verification codes, defeating SMS-based MFA.
Remote device control: operators drive the banking app's UI, automate transfers, and commit fraud from the victim's own device without the victim interacting with the phone.
Together, these capabilities allow direct account takeover and fraudulent transactions, not just credential theft.
Why Google Play Didn’t Stop It
This campaign succeeded because it exploited systemic gaps in app store defenses, not because of a single failure.
Key evasion tactics included:
A clean, functional app at install time
No malicious logic in the submitted APK
Delayed activation based on time, region, or device state
Heavy code obfuscation and encrypted configuration
Dynamic module loading from remote servers
In short, scanners that only analyze what’s uploaded to the store never see the real threat.
Impact and Risk Assessment
For individual users, the impact is immediate and personal:
Stolen banking credentials
Unauthorized transfers
Compromised savings and linked accounts
Exposure of other services where the same credentials were reused
For organizations, the risk expands further.
Any infected employee device can become:
A vector for financial fraud
A risk to corporate banking apps
A weak link in BYOD environments
The fact that a single app reached 50,000+ installs, combined with similar Anatsa campaigns reaching close to 90,000 total infections, makes one thing clear: Google Play should not be treated as a fully trusted software supply chain.
Detection: What Security Teams Look For
Security vendors and national CERTs have released indicators of compromise tied to this campaign, including package names, signing certificates, and C2 infrastructure.
Behavioral red flags include:
Document or PDF apps requesting Accessibility or Notification access
Post-install downloads of executable code
Overlay behavior targeting banking apps
UI automation without user interaction
Mobile EDR and app reputation systems have since added detections, and Google has removed the malicious listing from the Play Store.
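The red flags above can be checked mechanically on a managed device. The following is an added example, not code from the original article or from any vendor's tooling: a Python triage that reads the shape of output a responder already collects (`adb shell pm list packages -3`, `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners`) plus an MDM-style label inventory and a listing of each app's private storage, and scores every third-party app against the behavioral indicators listed above. All package names, labels and paths are constructed placeholders, not real indicators of compromise; the `Settings.Secure` keys and the colon-separated `pkg/class` format are real Android conventions.

```python
"""Triage an Android device inventory for Anatsa-style dropper red flags.

Added example, not from the original article. Inputs are constructed to mirror
real adb output; package names, labels and paths are placeholders only.
"""
import re
from dataclasses import dataclass, field

# Constructed inputs shaped like adb output (not captured from a real device).
PM_LIST_PACKAGES_3 = """\
package:com.example.docreader
package:com.example.chatapp
package:com.example.a11yhelper
"""
# Settings.Secure stores enabled components as colon-separated "pkg/class".
ENABLED_ACCESSIBILITY_SERVICES = (
    "com.example.docreader/com.example.docreader.svc.Core:"
    "com.example.a11yhelper/com.example.a11yhelper.ReaderService"
)
ENABLED_NOTIFICATION_LISTENERS = (
    "com.example.docreader/com.example.docreader.svc.Notif:"
    "com.example.chatapp/com.example.chatapp.NotificationListener"
)
APP_LABELS = {  # hypothetical labels, as an MDM inventory would report them
    "com.example.docreader": "Document Reader - File Manager",
    "com.example.chatapp": "Chat",
    "com.example.a11yhelper": "Screen Reader Helper",
}
PRIVATE_FILES = {  # files seen in each app's private storage after install (constructed)
    "com.example.docreader": [
        "/data/data/com.example.docreader/files/plugin.jar",
        "/data/data/com.example.docreader/app_dex/update.dex",
    ],
    "com.example.chatapp": ["/data/data/com.example.chatapp/files/cache.db"],
    "com.example.a11yhelper": [],
}

# Labels suggesting a document/QR utility, which has no plausible need for
# accessibility or notification access.
DOC_UTILITY = re.compile(r"\b(pdf|documents?|docs?|file manager|file viewer|qr|scanner)\b", re.I)
# Executable code written after install: the "downloaded dynamically, loaded
# at runtime" stage of the infection chain.
CODE_EXT = (".dex", ".jar", ".apk", ".so")
RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    package: str
    label: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        n = len(self.reasons)
        return "high" if n >= 3 else "medium" if n == 2 else "low"


def parse_pm_list(text):
    """'package:com.foo' lines -> set of third-party package names."""
    return {ln.split(":", 1)[1].strip() for ln in text.splitlines() if ln.startswith("package:")}


def parse_components(setting):
    """'pkg/cls:pkg/cls' -> set of packages owning an enabled component."""
    return {c.split("/", 1)[0] for c in setting.split(":") if c.strip()}


def triage(packages, a11y_pkgs, notif_pkgs, labels, private_files):
    """Score each third-party package against the behavioral red flags."""
    findings = []
    for pkg in sorted(packages):
        label = labels.get(pkg, pkg)
        reasons = []
        if pkg in a11y_pkgs:
            reasons.append("holds an enabled accessibility service")
        if pkg in notif_pkgs:
            reasons.append("holds an enabled notification listener")
        dropped = [p for p in private_files.get(pkg, []) if p.lower().endswith(CODE_EXT)]
        if dropped:
            reasons.append("executable code in private storage: " + ", ".join(dropped))
        if DOC_UTILITY.search(label) and (pkg in a11y_pkgs or pkg in notif_pkgs):
            reasons.append("document/file utility with no plausible need for this access")
        if reasons:
            findings.append(Finding(pkg, label, reasons))
    return findings


def run_triage():
    """Run the triage over the constructed inventory above."""
    return triage(
        parse_pm_list(PM_LIST_PACKAGES_3),
        parse_components(ENABLED_ACCESSIBILITY_SERVICES),
        parse_components(ENABLED_NOTIFICATION_LISTENERS),
        APP_LABELS,
        PRIVATE_FILES,
    )


if __name__ == "__main__":
    for f in sorted(run_triage(), key=lambda f: RANK[f.severity]):
        print(f"[{f.severity.upper()}] {f.package} ({f.label})")
        for r in f.reasons:
            print("   -", r)
```

Against a real device the three strings come straight from the `adb shell` commands named in the lead-in, and the file listing from `run-as <pkg> ls -R` on a debuggable build or from an MDM agent. The heuristic deliberately scores a screen-reader app holding accessibility access as low and a chat app holding notification access as low; it is the combination of a document utility, high-risk access, and freshly written DEX or JAR files that matches the campaign described here. What no on-device check can see is a dropper that has not yet fetched its payload, which is exactly the point of the clean first-impression stage.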
Mitigation and Defensive Recommendations
For Users:
Immediately uninstall “Document Reader – File Manager” and similar flagged apps
Run a reputable mobile security scan
Reset banking and high-value account passwords
Review bank statements and report suspicious activity
For Organizations:
Enforce MDM policies with strict app allowlists
Restrict installation of generic document viewers and QR tools
Integrate Anatsa IOCs into mobile security, SIEM, and network monitoring
Treat mobile endpoints as first-class attack surfaces, not secondary risks
Final Thoughts
This incident isn’t just about one malicious app.
It’s a reminder that modern mobile malware doesn’t break in — it blends in. Anatsa didn’t exploit a zero-day. It exploited trust, patience, and the assumption that “if it’s on Google Play, it must be safe.”
That assumption is no longer defensible.
And as long as attackers can weaponize everyday productivity tools, document readers will remain exactly what Anatsa needs them to be: the perfect disguise.