A malicious application on the Google Play Store has been found masquerading as a legitimate document reader. The deceptive application, which has accumulated over 50,000 downloads, functions as a dropper for the notorious Anatsa banking trojan, a sophisticated malware strain known for targeting financial institutions and compromising user banking credentials.
The malicious app leverages social engineering tactics by disguising itself as a legitimate document reader utility, making it particularly dangerous for unsuspecting Android users.
The application mimics the functionality of legitimate document management tools while silently deploying the Anatsa banking malware in the background.
This multi-stage attack approach allows the threat actors to evade Google Play Store’s security detection mechanisms and gain access to a substantial user base before the malicious intent is discovered.
ThreatLabz researchers identified that the compromised application employs sophisticated obfuscation techniques to conceal its malicious payload from both automated security scanners and manual analysis.
Anatsa Trojan Targets Banking Credentials
The dropper mechanism is designed to fetch additional malware components after initial installation, allowing threat actors to maintain flexibility in their attack infrastructure and adapt their tactics to circumvent emerging security measures.
Anatsa is a well-known banking trojan that has been active since 2019, primarily targeting financial institutions across Europe, the Middle East, and parts of Asia.
The malware is equipped with advanced capabilities, including overlay attacks, automatic transaction authentication compromise, and credential harvesting mechanisms.
It can intercept SMS messages, monitor user activities, and execute fraudulent transactions on compromised devices without user consent.
The discovery of this malicious app represents a significant security risk for Android users, as the Google Play Store is considered the primary trusted distribution channel for mobile applications.
The fact that the application accumulated 50,000 downloads before detection indicates that it successfully bypassed Google’s security review process and infrastructure-level protections.
This incident underscores the ongoing challenges in maintaining the security posture of major app distribution platforms.
Users who have installed the document reader application from Google Play Store are strongly advised to uninstall it immediately.
Device owners should conduct a comprehensive security scan using reputable mobile security solutions to identify and remove any potentially installed malware components.
Additionally, users should monitor their banking accounts for unauthorized transactions and contact their financial institutions if any suspicious activity is detected.
Google Removes App After Discovery
Google’s security team has been notified of the malicious application and has taken action to remove it from the Play Store. The company has also implemented measures to revoke the credentials associated with the malicious developer account.
However, the incident highlights the necessity for enhanced security review processes and machine learning-based detection systems to identify sophisticated obfuscated malware during the app submission phase.
Security professionals recommend that Android users adopt a multi-layered security approach including keeping operating systems updated with the latest security patches, installing applications exclusively from official channels, using reputable mobile security software, and regularly monitoring account activity.
Additionally, users should be cautious when granting excessive permissions to applications and regularly review application permissions through device settings.
The discovery of this Anatsa dropper on Google Play Store serves as a critical reminder that even official app stores face persistent threats from sophisticated threat actors.
Organizations and individual users must remain vigilant and maintain an updated security posture to protect against evolving banking malware threats.
IOCs
| Type | Description | Value |
|---|---|---|
| Installer MD5 | Anatsa malware installer hash | 1991f5d0c88d8c7c68f6a6d27efa60d6 |
| Download URL | Source link for the installer | https://stellargridinv[.]com/ |
| Payload MD5 | Anatsa main payload hash | 7f131404a331ae10fdc76bfe5908575d |
| C2 Server 1 | Command and Control endpoint | http://193.24.123[.]18:85/api/ |
| C2 Server 2 | Command and Control endpoint | http://162.252.173[.]37:85/api/ |
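A defender-side check built from the IOC table above (an added example, not code from the report or from ThreatLabz). It refangs the published indicators, extracts the bare hosts, matches them against proxy log lines, and compares file digests with the two listed MD5 hashes. The log format and the sample lines are constructed for illustration:

```python
import hashlib
import re
from typing import Optional
from urllib.parse import urlparse

# Indicators copied from the IOC table on this page (defanged as published).
IOC_HASHES = {
    "1991f5d0c88d8c7c68f6a6d27efa60d6": "Anatsa installer (MD5)",
    "7f131404a331ae10fdc76bfe5908575d": "Anatsa main payload (MD5)",
}
IOC_URLS = [
    "https://stellargridinv[.]com/",
    "http://193.24.123[.]18:85/api/",
    "http://162.252.173[.]37:85/api/",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into its resolvable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def ioc_hosts(urls=IOC_URLS) -> set:
    """Bare hostnames (no scheme, port or path) of the IOC URLs, for log matching."""
    return {urlparse(refang(u)).hostname for u in urls}

def match_log_lines(lines, hosts=None) -> list:
    """Return (line_number, host) for each log line whose URL host is an IOC host."""
    hosts = hosts if hosts is not None else ioc_hosts()
    hits = []
    for n, line in enumerate(lines, 1):
        for url in re.findall(r"https?://[^\s\"]+", line):
            host = urlparse(url).hostname
            if host in hosts:
                hits.append((n, host))
    return hits

def classify_bytes(data: bytes) -> Optional[str]:
    """Return the IOC label when the MD5 of `data` matches a listed hash, else None."""
    return IOC_HASHES.get(hashlib.md5(data).hexdigest())

# Constructed sample proxy log lines (assumed format: timestamp client method url status).
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2025-01-01T10:00:05Z 10.0.0.7 POST http://193.24.123.18:85/api/ 200",
    "2025-01-01T10:00:09Z 10.0.0.9 GET https://stellargridinv.com/ 200",
]

if __name__ == "__main__":
    for n, host in match_log_lines(SAMPLE_LOG):
        print(f"line {n}: contact with Anatsa C2/download host {host}")
```

Matching on the parsed hostname rather than the raw URL string means a hit is still raised when the path or port differs from the published value.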