Security researchers have recently uncovered a troubling development in the world of mobile applications. A PDF reader app for Android, known as ‘Document Viewer – File Reader’, has been identified as harboring a banking trojan. This malicious software, dubbed Anatsa, was stealthily introduced through a patch just six weeks after the app’s initial release.
Widespread Impact and Historical Context
The app, published by a company named ‘Hybrid Cars Simulator, Drift & Racing’, has gained traction, amassing over 50,000 downloads. This raises significant concerns for users, particularly in North America, where the trojan specifically targets banking applications. This is not an isolated case: researchers from ThreatFabric have previously documented trojanized apps infiltrating the Play Store multiple times. For example:
- In November 2021, a trojanized app was found with 300,000 downloads.
- In June 2023, another app surfaced, accumulating 30,000 downloads.
- February 2024 saw the emergence of an app with Anatsa, which had 150,000 downloads.
- By May of the same year, two more apps had collectively garnered 70,000 downloads.
Despite Google’s efforts to remove these malicious applications, the attackers continue to find ways to re-enter the marketplace.
How the Trojan Operates
The Anatsa trojan operates by first scanning the victim’s device for any North American banking applications. Upon detection, it overlays a deceptive interface that prompts users to input their credentials and other sensitive login information. Meanwhile, victims are misled with a message indicating that the app is undergoing scheduled maintenance, further facilitating the attackers’ schemes.
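Because the malicious code arrived in an update rather than in the first release, one defensive check is to compare what an app declares before and after an update. The following is an added example, not code from the researchers or from Google: it diffs two decoded Android manifests and reports newly added capabilities matching the behaviour described above (enumerating installed apps, drawing over other apps). The package name, sample manifests and the choice of permissions to flag are assumptions, not indicators taken from the Anatsa samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capabilities matching the behaviour described above (a generic heuristic,
# not indicators taken from the Anatsa samples).
RISKY = {
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed apps",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "declares an accessibility service",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further packages",
}

def capabilities(manifest_xml):
    """Return the set of risky capabilities declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # Accessibility services are declared as <service android:permission=...>
    found |= {e.get(ANDROID + "permission") for e in root.iter("service")}
    return found & set(RISKY)

def update_findings(old_xml, new_xml):
    """Capabilities the update adds that the earlier release did not have."""
    added = capabilities(new_xml) - capabilities(old_xml)
    return {name: RISKY[name] for name in sorted(added)}

# Constructed sample manifests (hypothetical package name), not from a real app.
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
V1 = f"""<manifest {NS} package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""
V2 = f"""<manifest {NS} package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, why in update_findings(V1, V2).items():
        print(f"update adds {name}: {why}")
```

A clean diff does not clear an update, since code can also be fetched at runtime without any manifest change; a finding is a reason to review the update, not proof of malice.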
As a precautionary measure, Google has removed the app from the Play Store. Users who may have downloaded it are strongly advised to uninstall the application and conduct a comprehensive system scan using Google Play Protect. Additionally, resetting banking credentials is recommended to safeguard against potential unauthorized access.
A Google spokesperson reassured users, stating, “All of these identified malicious apps have been removed from Google Play. Users are automatically protected by Google Play Protect, which can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services.”