A deceptive Android application is lurking in the Google Play Store, disguised as a document reader and file manager but delivering the Anatsa banking trojan to users.
Cybersecurity firm Zscaler ThreatLabz found an app named “Document Reader – File Manager” by developer ISTOQMAH. The app has amassed over 50,000 downloads while remaining live, tricking users into granting permissions that enable financial data theft.
This campaign highlights ongoing challenges in securing official app stores against sophisticated malware droppers.
Anatsa, also known as TeaBot, emerged in 2020 as an Android banking malware specializing in credential theft, keylogging, and fraudulent transactions targeting financial apps.
Recent variants have expanded to over 831 institutions worldwide, including new regions like Germany and South Korea, plus cryptocurrency platforms.
The Trojan employs advanced evasion tactics, such as runtime DES decryption of strings, device model checks to dodge emulators, and malformed ZIP archives hiding DEX payloads that evade static analysis tools.
In this instance, the dropper app poses as a benign tool for opening PDFs, scanning documents, and managing files, complete with an intuitive interface.
Upon installation, it silently fetches the Anatsa payload, disguised as an update, from a command-and-control server, bypassing Play Store protections. If its environment checks fail, it falls back to displaying a fake file manager to maintain cover.
Once active, Anatsa seeks accessibility permissions to auto-grant dangerous privileges like SYSTEM_ALERT_WINDOW, READ_SMS, and full-screen intents, then overlays phishing pages tailored to detected banking apps.
ThreatLabz detailed specific indicators for this Anatsa wave, aiding detection efforts. The app’s Play Store page promotes it as an “all-in-one solution” for documents, yet harbors malicious code.
This app joins dozens of similar decoys, with ThreatLabz reporting 77 malicious apps totaling 19 million installs recently removed from Google Play. Anatsa campaigns frequently use productivity apps like document viewers, exploiting trust in utility tools.
Users face risks of stolen banking credentials via fake logins or automated fraud, especially in North America, where prior strains ranked high in “Free Tools” sections. Google has bolstered Play Protect, but timely researcher reports remain crucial.
Android owners should scrutinize app permissions, avoid unsolicited updates, and use antivirus scanners. Security teams can leverage these IOCs for network monitoring and device forensics.
Campaign Indicators
| Indicator | Value |
|---|---|
| Package Name | com.quantumrealm.nexdev.quarkfilerealm_filedoctool |
| Payload File Name | G7qS0W6bMAEE2v4.jpg |
| Installer MD5 | 98af36a2ef0b8f87076d1ff2f7dc9585 |
| Payload MD5 | da5e24b1a97faeacf7fb97dbb3a585af |
| Download URL | https://quantumfilebreak[.]com/txt.txt |
| C2 Server | http://185.215.113[.]108:85/api/ |
| C2 Server | http://193.24.123[.]18:85/api/ |
| C2 Server | http://162.252.173[.]37:85/api/ |
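As an added illustration of how a security team might put the indicators above to use (example code written for this article, not Zscaler's tooling), the script below refangs the published hosts, checks an `adb shell pm list packages` listing for the dropper's package name, scans proxy or DNS log lines for contact with the download or C2 hosts, and maps MD5 digests to the known installer and payload. The log lines and package listing are constructed samples; the only real values are the indicators from the table.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the article's table (published defanged).
IOC_PACKAGE = "com.quantumrealm.nexdev.quarkfilerealm_filedoctool"
IOC_MD5 = {
    "98af36a2ef0b8f87076d1ff2f7dc9585": "Anatsa dropper (installer)",
    "da5e24b1a97faeacf7fb97dbb3a585af": "Anatsa payload",
}
IOC_NETWORK_DEFANGED = [
    "quantumfilebreak[.]com",
    "185.215.113[.]108",
    "193.24.123[.]18",
    "162.252.173[.]37",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable host string."""
    return indicator.replace("[.]", ".").lower()


IOC_NETWORK = {refang(i) for i in IOC_NETWORK_DEFANGED}


def find_installed_package(pm_output: str) -> bool:
    """True if the dropper's package name appears in `pm list packages` output."""
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            line = line[len("package:"):]
        if line == IOC_PACKAGE:
            return True
    return False


def match_network_log(lines):
    """Return (line_number, indicator) pairs for lines that reference a known host."""
    hits = []
    for n, line in enumerate(lines, 1):
        hosts = set()
        # Hostnames from full URLs (port is dropped by urlsplit().hostname).
        for url in re.findall(r"https?://[^\s\"']+", line):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
        # Bare hostnames or IPs, as found in DNS or firewall logs; strip any ':port'.
        for token in re.split(r"[\s,;]+", line):
            hosts.add(token.lower().rstrip(".").split(":")[0])
        for host in sorted(hosts & IOC_NETWORK):
            hits.append((n, host))
    return hits


def md5_hex(data: bytes) -> str:
    """MD5 is used only because that is the digest type the report publishes."""
    return hashlib.md5(data).hexdigest()


def classify_md5(digest: str):
    """Map an MD5 hex digest to its IOC label, or None if it is not a known sample."""
    return IOC_MD5.get(digest.lower())


# Constructed sample inputs (not real captures) used to exercise the checks.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.quantumrealm.nexdev.quarkfilerealm_filedoctool
package:com.google.android.gms
"""

SAMPLE_PROXY_LOG = [
    "2025-01-01T10:00:01Z 10.0.0.5 GET https://www.example.com/ 200",
    "2025-01-01T10:00:02Z 10.0.0.5 GET https://quantumfilebreak.com/txt.txt 200",
    "2025-01-01T10:00:03Z 10.0.0.5 POST http://185.215.113.108:85/api/ 200",
    "2025-01-01T10:00:04Z 10.0.0.5 dns-query 193.24.123.18 NOERROR",
]

if __name__ == "__main__":
    print("dropper package installed:", find_installed_package(SAMPLE_PM_OUTPUT))
    for n, ioc in match_network_log(SAMPLE_PROXY_LOG):
        print(f"log line {n}: contacted {ioc}")
    print("installer hash:", classify_md5("98af36a2ef0b8f87076d1ff2f7dc9585"))
```

The package check is cheap to run across a fleet with `adb shell pm list packages` piped into `find_installed_package`, while `match_network_log` covers the network side regardless of whether the device itself is reachable; a hit on the download URL host without a later C2 contact suggests the payload fetch was blocked or failed its checks, whereas C2 traffic on port 85 indicates the payload is already running.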