VYPR
Breach · Published Jun 24, 2026 · 1 source

Fake Document Reader with 100K Downloads Delivers Anatsa Banking Trojan via Google Play

A malicious document reader app on the Google Play Store, downloaded over 100,000 times, is distributing the Anatsa (TeaBot) Android banking trojan to steal credentials from 831 financial institutions worldwide.

A dangerous Android banking trojan is once again spreading through the Google Play Store, hiding inside what appears to be a simple document reader app. The app has already been downloaded more than 100,000 times, putting a large number of Android users at serious risk of financial theft and personal data loss.

The malware in question is Anatsa, also known as TeaBot, which first appeared in 2020. Since then it has steadily evolved into one of the more sophisticated Android banking threats seen in the wild. It is built to steal banking credentials, log keystrokes, and carry out fraudulent transactions from the victim's own device, all without the victim realizing anything is wrong. The latest variant targets 831 financial institutions across the globe, including banking apps, investment platforms, and cryptocurrency services.

Researchers from Zscaler ThreatLabz, who shared their findings in a report with Cyber Security News (CSN), identified the malicious app as a dropper disguised as a file manager and document reader. The app, listed on the Play Store under the package name com.westhorizont.appsforge.filehorizon_explorereaddocuments, presented itself as a legitimate file management and document reading tool. Once installed, the dropper contacts a remote server and, if the device passes its checks, downloads the full Anatsa banking trojan payload, presented to the user as a routine app update. Splitting the campaign into a benign-looking dropper and a separately fetched payload is what lets the app get through store review: the code submitted to Google Play contains none of the banking trojan's functionality.

What makes this campaign stand out is how well the app maintains its cover. If the malware detects that it is running inside an analysis environment, or if it cannot reach its command-and-control (C2) server, it simply shows a working file manager interface. There is no visible sign that anything malicious is happening, which is exactly what makes it hard to catch early. To hinder analysis further, the installer decrypts its strings at runtime with a dynamically generated DES key, so the C2 address and other telltale strings never sit in the APK in the clear. The payload is hidden inside a deliberately corrupted ZIP archive whose entry headers carry invalid compression and encryption flags, which causes most static analysis tools to fail on it. The malware itself still has to extract that payload, so the entry data is recoverable by anyone who parses the ZIP headers directly instead of trusting the flags. The package name and installer hash are also rotated periodically to evade security systems that track known identifiers, which is why hash-based indicators for this campaign go stale quickly.
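The header tampering described above breaks the standard library's ZIP reader, but a triage script that walks the local file headers itself and treats bad flags as findings rather than fatal errors still gets the bytes out. The following is an added example, not code from the report or from the malware: it builds a constructed one-entry archive, tampers with its headers the way the article describes (encryption bit set, an undefined compression method, both assumed values), shows that `zipfile` refuses it, and recovers the entry anyway. The payload bytes, entry name and method number are all made up for the demonstration.

```python
"""Triage a ZIP whose headers were tampered with (encryption bit set, undefined
compression method): walk the local file headers directly rather than trusting
the central directory or the stdlib reader."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
LOCAL_FMT = "<IHHHHHIIIHH"   # 30-byte local file header
EOCD_FMT = "<IHHHHIIH"       # 22-byte end-of-central-directory record (no comment)
METHOD_NAMES = {0: "stored", 8: "deflate", 12: "bzip2", 14: "lzma"}

# Constructed stand-in for a dropped payload; not real malware data.
SAMPLE_PAYLOAD = b"constructed sample bytes standing in for a second-stage DEX/APK"


def build_sample_archive() -> bytes:
    """Constructed sample: a well-formed, uncompressed ZIP with a single entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.bin", SAMPLE_PAYLOAD)
    return buf.getvalue()


def tamper_headers(archive: bytes) -> bytes:
    """Set the encryption flag (bit 0) and an undefined compression method (99,
    an assumed value) in both the local header and the central directory entry,
    leaving the entry data itself untouched."""
    data = bytearray(archive)
    sig, _ver, flags, _method = struct.unpack_from("<IHHH", data, 0)
    assert sig == LOCAL_SIG                      # single entry: local header at offset 0
    struct.pack_into("<HH", data, 6, flags | 0x0001, 99)
    eocd = struct.unpack_from(EOCD_FMT, data, len(data) - 22)
    assert eocd[0] == EOCD_SIG
    cd_off = eocd[6]                             # offset of the central directory
    csig, _made, _need, cflags, _cmethod = struct.unpack_from("<IHHHH", data, cd_off)
    assert csig == CENTRAL_SIG
    struct.pack_into("<HH", data, cd_off + 8, cflags | 0x0001, 99)
    return bytes(data)


def stdlib_read_error(archive: bytes):
    """Name of the exception the stdlib raises when reading the entry, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            zf.read("payload.bin")
        return None
    except Exception as exc:  # any failure is the point: the standard reader gives up
        return type(exc).__name__


def walk_local_headers(archive: bytes) -> list:
    """Parse local file headers sequentially, report anomalies instead of aborting,
    and return the raw entry bytes so an analyst can inspect them anyway."""
    entries, off = [], 0
    while off + 30 <= len(archive):
        hdr = struct.unpack_from(LOCAL_FMT, archive, off)
        if hdr[0] != LOCAL_SIG:
            break                                # reached the central directory (or junk)
        _sig, _ver, flags, method, _t, _d, crc, csize, _usize, nlen, xlen = hdr
        name = archive[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        data_off = off + 30 + nlen + xlen
        raw = archive[data_off:data_off + csize]
        anomalies = []
        if flags & 0x0001:
            anomalies.append("encryption flag set (bit 0)")
        if flags & 0x0008 and csize == 0:
            anomalies.append("data descriptor flag set with zero sizes")  # size unknown here
        if method not in METHOD_NAMES:
            anomalies.append(f"undefined compression method {method}")
        payload = raw                            # treat unknown methods as stored
        if method == 8:
            try:
                payload = zlib.decompress(raw, -15)  # raw deflate stream
            except zlib.error:
                anomalies.append("deflate stream does not inflate")
        # A CRC that matches the raw bytes is strong evidence the entry is really
        # stored, whatever the header claims.
        crc_matches_raw = (zlib.crc32(payload) & 0xFFFFFFFF) == crc
        entries.append({"name": name, "flags": flags, "method": method,
                        "anomalies": anomalies, "crc_matches_raw": crc_matches_raw,
                        "data": payload})
        off = data_off + csize
    return entries


if __name__ == "__main__":
    bad = tamper_headers(build_sample_archive())
    print("stdlib reader:", stdlib_read_error(bad))
    for e in walk_local_headers(bad):
        print(e["name"], hex(e["flags"]), e["method"], e["anomalies"], e["crc_matches_raw"])
```

The walker deliberately ignores the central directory, because a tampered archive can lie there too; the CRC check against the raw bytes is what tells you the "encrypted, method 99" entry is really just stored plaintext. Entries that use a data descriptor (flag bit 3) with zero sizes in the local header are reported but not extracted, since their length is only knowable from the central directory.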

Once the payload is installed and active, Anatsa asks the user for accessibility permission. If granted, the malware uses the accessibility service to click through further permission prompts on its own, granting itself the ability to read and receive SMS messages, display system alerts, and run in full-screen mode. These permissions give it what it needs to silently monitor everything the user does on the device. When it sees a banking or financial app being opened, it draws a fake login screen over the real app (an overlay attack), tricking the user into typing credentials directly into the malware. The overlay pages are downloaded fresh from the C2 server and tailored to whichever financial apps are found on the device. The trojan also runs a built-in keylogger that records everything the user types. Its C2 traffic is obfuscated with a single-byte XOR key, which is enough to defeat simple content signatures but is not encryption in any meaningful sense: with only 256 possible keys, or a single known plaintext byte, an analyst can recover the traffic from a capture almost instantly.
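To make the last point concrete, here is an added example (not code from the report, and not the trojan's real protocol) showing how little single-byte XOR protects: it recovers the key either from one known plaintext byte or by brute-forcing all 256 candidates and scoring them by how text-like the result is. The sample beacon, its field names and the key 0x5A are constructed for the demonstration.

```python
"""Recover C2 traffic obfuscated with a single-byte XOR key: derive the key from
one known plaintext byte, or brute-force all 256 keys and score the results."""
import json
import string

PRINTABLE = set(string.printable.encode())
# Bytes that dominate JSON/text beacons; scored higher than rarer punctuation.
COMMON = set((string.ascii_letters + string.digits).encode() + b' {}[]":,._-')


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply (or undo) single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def score_plaintext(candidate: bytes) -> float:
    """Average per-byte score: common text bytes +1, other printable +0.2,
    non-printable -5. Real beacons score near 1.0; wrong keys score far lower."""
    if not candidate:
        return float("-inf")
    total = 0.0
    for b in candidate:
        if b in COMMON:
            total += 1.0
        elif b in PRINTABLE:
            total += 0.2
        else:
            total -= 5.0
    return total / len(candidate)


def recover_single_byte_xor(blob: bytes, known_prefix: bytes = b"") -> tuple:
    """Return (key, plaintext, score).
    With a known plaintext prefix (e.g. b'{' for a JSON body) the key is simply
    blob[0] ^ prefix[0]; otherwise try every key and keep the best-scoring one."""
    if known_prefix:
        key = blob[0] ^ known_prefix[0]
        plain = xor_bytes(blob, key)
        if plain.startswith(known_prefix):
            return key, plain, score_plaintext(plain)
    best_key = max(range(256), key=lambda k: score_plaintext(xor_bytes(blob, k)))
    plain = xor_bytes(blob, best_key)
    return best_key, plain, score_plaintext(plain)


# Constructed sample beacon; the field names and key are assumptions for this
# example, not the trojan's real protocol.
SAMPLE_BEACON = json.dumps({
    "device": "constructed-sample-id",
    "apps": ["com.example.bank", "com.example.wallet"],
    "cmd": "request_injects",
}).encode()
SAMPLE_KEY = 0x5A
SAMPLE_WIRE = xor_bytes(SAMPLE_BEACON, SAMPLE_KEY)   # what a capture would contain


if __name__ == "__main__":
    key, plain, score = recover_single_byte_xor(SAMPLE_WIRE)
    print(f"brute force: key=0x{key:02x} score={score:.2f} -> {plain.decode()}")
    key, plain, _ = recover_single_byte_xor(SAMPLE_WIRE, known_prefix=b'{"')
    print(f"known prefix: key=0x{key:02x} -> {plain[:20]!r}")
```

Because XOR with a fixed byte preserves length and structure, the same approach works on any capture regardless of the key in use, and a NUL byte anywhere in the plaintext leaks the key outright (ciphertext byte equals the key). A network detection that assumes XOR "hides" the traffic is therefore better replaced by one that looks for the fixed-key pattern itself, for example an HTTP body that decodes to JSON under one of 256 keys.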

To stay safe, Android users should carefully review the permissions an app requests before granting them. A document reader asking for SMS access or for accessibility service permission is a clear red flag, since neither is needed to open files. It is also wise to prefer apps from verified developers, read recent user reviews before installing, and keep Google Play Protect enabled. Note that a Play Store listing and a high download count are not guarantees of safety: this app passed store review and was installed more than 100,000 times before researchers identified it.

Indicators of compromise published with the report include the installer MD5 hash f72b1a333fa28b133df6476561142d6a, the payload delivery URL http://66.206.6[.]6:8080/disclaimer.txt, and three C2 servers at 162.252.173[.]37:85, 185.215.113[.]108:85, and 193.24.123[.]18:85 (indicators are shown defanged). Given the hash rotation described above, the network indicators are the more durable of the two. The campaign underscores the persistent threat of banking trojans infiltrating official app stores through cleverly disguised droppers.
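As an added example (not part of the report), the indicators above can be turned into a small matcher: refang the `[.]` notation, normalise the C2 entries into exact (IP, port) pairs, and run them over log lines. The key=value log format and the log lines themselves are constructed for the demonstration and do not correspond to any vendor's output; the non-IOC addresses are private or TEST-NET ranges.

```python
"""Refang the indicators published in this report and match them against
constructed key=value log lines (a placeholder format, not any vendor's)."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators as printed in the report (defanged with [.]).
REPORT_IOCS = {
    "installer_md5": ["f72b1a333fa28b133df6476561142d6a"],
    "urls": ["http://66.206.6[.]6:8080/disclaimer.txt"],
    "c2": ["162.252.173[.]37:85", "185.215.113[.]108:85", "193.24.123[.]18:85"],
}

# Constructed log lines for the demo; addresses other than the IOCs are RFC 1918
# / TEST-NET ranges.
SAMPLE_LOG = [
    "ts=2026-06-24T10:15:02Z src=10.0.0.12 dst=162.252.173.37 dport=85 proto=tcp",
    "ts=2026-06-24T10:15:09Z src=10.0.0.12 dst=66.206.6.6 dport=8080 uri=/disclaimer.txt",
    "ts=2026-06-24T10:16:41Z src=10.0.0.30 dst=185.215.113.108 dport=443 proto=tcp",
    "ts=2026-06-24T10:17:00Z src=10.0.0.30 dst=203.0.113.10 dport=443 proto=tcp",
    "ts=2026-06-24T10:18:12Z event=apk_install md5=F72B1A333FA28B133DF6476561142D6A",
]


def refang(indicator: str) -> str:
    """Undo common defanging so indicators compare equal to real log values."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def build_matchers(iocs: dict) -> dict:
    """Normalise the IOC list into exact (ip, port) pairs, bare IPs and hashes."""
    ip_port, ips, hashes = set(), set(), set()
    for hostport in iocs.get("c2", []):
        host, _, port = refang(hostport).rpartition(":")
        ip_address(host)                     # fail loudly on a malformed indicator
        ip_port.add((host, int(port)))
        ips.add(host)
    for url in iocs.get("urls", []):
        parts = urlsplit(refang(url))
        ip_address(parts.hostname)
        ip_port.add((parts.hostname, parts.port or 80))
        ips.add(parts.hostname)
    for digest in iocs.get("installer_md5", []):
        hashes.add(digest.lower())
    return {"ip_port": ip_port, "ips": ips, "md5": hashes}


def parse_line(line: str) -> dict:
    """Split a key=value line into a dict; fields without '=' are ignored."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)


def classify(line: str, m: dict):
    """Strongest verdict for one line, or None if nothing matched."""
    f = parse_line(line)
    dst, dport = f.get("dst"), f.get("dport")
    if dst and dport and (dst, int(dport)) in m["ip_port"]:
        return "c2_exact"
    if dst in m["ips"]:
        return "c2_host_other_port"   # same host, different port: worth a look, not proof
    if f.get("md5", "").lower() in m["md5"]:
        return "installer_hash"
    return None


def scan(lines, m: dict) -> list:
    """Return (line, verdict) for every line that matched an indicator."""
    hits = []
    for line in lines:
        verdict = classify(line, m)
        if verdict:
            hits.append((line, verdict))
    return hits


if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_LOG, build_matchers(REPORT_IOCS)):
        print(verdict, "<-", line)
```

The weaker "same host, other port" verdict is kept separate on purpose: shared hosting means an IP alone is a lead rather than a conviction, while the exact host and port pair is the indicator the report actually published.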

Synthesized by Vypr AI