Security researchers from ThreatLabz have recently identified a troubling threat lurking within the Google Play Store. A seemingly innocuous document reader application, crafted to resemble a typical file management tool, was discovered to be stealthily delivering the notorious Anatsa Android banking trojan.
Before Google took action to remove the application, it had already amassed over 10,000 downloads, placing countless users in jeopardy of financial fraud and data breaches.
The malicious app, which was listed under the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs, cleverly disguised itself as a harmless utility for browsing and reading documents. This tactic, known as the “dropper” technique, is frequently employed by threat actors to bypass Google Play Protect’s initial security checks. By keeping the malicious code out of the initially downloaded package, the application appears legitimate during the review process.
Upon downloading and launching the fake document reader, the app triggers the second phase of the attack in the background. It connects to an external server to retrieve the actual malware payload, which is served under a file name that makes it look like a plain text document so that it evades network inspection.
The Infection Chain and Threat Impact
The Anatsa banking trojan represents a highly advanced form of Android malware specifically engineered to pilfer financial information and drain bank accounts. Once the fake document reader installs the Anatsa payload, the malware promptly seeks to obtain elevated permissions on the victim’s device.
It often exploits Android’s Accessibility Services, granting the malware the ability to read screen content, capture keystrokes, and interact with the device without the user’s awareness.
Once fully operational, Anatsa surveils the device for specific banking and financial applications. When a user accesses their legitimate banking app, the Trojan executes an invisible overlay attack, presenting a counterfeit login screen directly over the authentic application. This deception lures users into entering their usernames, passwords, and multi-factor authentication codes, which are then captured by the attackers.
Because Anatsa operates directly on the victim’s trusted device, it frequently circumvents traditional fraud detection systems employed by banks. Attackers can initiate unauthorized money transfers directly from the compromised phone, making these transactions appear to be sanctioned by the account owner.
Users who have downloaded this counterfeit document reader are strongly urged to delete the app immediately, monitor their financial accounts for any unusual activity, and consider resetting their device passwords.
Indicators of Compromise (IoCs)
Cybersecurity teams and IT administrators are encouraged to utilize the following technical indicators provided by ThreatLabz to identify potential infections and block malicious traffic within their networks:
| Indicator Type | Value |
|---|---|
| Anatsa installer SHA-256 | 5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20 |
| Payload URL | http://23.251.108[.]10:8080/privacy.txt |
| Payload SHA-256 | 88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f |
| Command and Control (C2) server | http://172.86.91[.]94/api/ |
| Command and Control (C2) server | http://193.24.123[.]18:85/api/ |
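As an added example that is not part of the ThreatLabz report or this article, the following Python script checks proxy log lines and file contents against the indicators in the table above. The Squid-style access.log layout (requested URL in the seventh field) and the sample log lines are constructed assumptions; the indicators themselves are taken from the table, kept defanged and refanged only at match time.

```python
import hashlib
import re

# Indicators as published in the ThreatLabz report, kept defanged; refanged only for matching.
KNOWN_SHA256 = {
    "5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20": "Anatsa installer",
    "88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f": "Anatsa payload",
}
KNOWN_URLS = {
    "http://23.251.108[.]10:8080/privacy.txt": "payload download",
    "http://172.86.91[.]94/api/": "C2 beacon",
    "http://193.24.123[.]18:85/api/": "C2 beacon",
}

def url_key(url):
    """Normalise a (possibly defanged) URL to (host, port, path); None if it is not an http URL."""
    url = url.replace("[.]", ".").replace("hxxp", "http")
    m = re.match(r"^http://([^/:]+)(?::(\d+))?(/.*)?$", url)
    return (m.group(1), m.group(2) or "80", m.group(3) or "/") if m else None

KNOWN_ENDPOINTS = {url_key(u): label for u, label in KNOWN_URLS.items()}

def match_proxy_log(lines):
    """Flag lines whose URL hits a known endpoint: same host and port, path under the IoC path.
    Assumption: Squid-style access.log lines with the requested URL as the 7th field."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        fields = line.split()
        key = url_key(fields[6]) if len(fields) > 6 else None
        if key is None:
            continue
        for (host, port, path), label in KNOWN_ENDPOINTS.items():
            if key[0] == host and key[1] == port and key[2].startswith(path):
                hits.append((lineno, label))
    return hits

def sha256_label(data):
    """Return the IoC label for a file's bytes, or None if its SHA-256 is not a known sample."""
    return KNOWN_SHA256.get(hashlib.sha256(data).hexdigest())

# Constructed sample log lines (not real traffic) in the assumed Squid native layout.
SAMPLE_LOG = [
    "1717000000.123 120 10.0.0.7 TCP_MISS/200 8123 GET http://23.251.108.10:8080/privacy.txt - HIER_DIRECT/23.251.108.10 text/plain",
    "1717000001.456 40 10.0.0.7 TCP_MISS/200 312 POST http://172.86.91.94/api/ - HIER_DIRECT/172.86.91.94 application/json",
    "1717000002.789 30 10.0.0.9 TCP_HIT/200 5120 GET http://example.com/docs/privacy.txt - HIER_NONE/- text/plain",
    "1717000003.000 25 10.0.0.7 TCP_MISS/200 100 GET http://193.24.123.18:85/api/poll - HIER_DIRECT/193.24.123.18 application/json",
]
```

Matching on host and port with a path prefix means a beacon to a sub-path of `/api/` is still flagged, while an unrelated `privacy.txt` on another host is not.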