Android Malware Campaign Uses Fake Document Reader App with 100K Google Play Downloads

This report tracks a fresh Anatsa campaign that abused trust in a seemingly useful document-reader app to reach a large install base before its payload was activated.
The malicious app was published as a document reader and file utility, a category that normally attracts little scrutiny because it promises simple productivity features.
According to the reporting, the app remained “clean” long enough to build credibility, then an update introduced code that pulled down the Anatsa payload from http://66.206.6[.]6:8080/disclaimer.txt and installed it as a separate component.
The installer MD5 hash is f72b1a333fa28b133df6476561142d6a, the payload MD5 is 61d25684e6f42e386f40ee60f5c54dca, and the command-and-control endpoint is http://162.252.173[.]37:85/api, which gives defenders concrete indicators to hunt for in mobile telemetry and network logs.
Anatsa is not a noisy adware family; it is a banking trojan designed for credential theft, overlay attacks, keylogging, and transaction abuse.
ThreatLabz said in a report shared with GBhackers that the app was published on Google Play as a Trojan dropper that later fetched Anatsa from a remote server and then connected to the attacker’s infrastructure for banking-targeted operations.
Once active, it watches for targeted financial apps and displays fake maintenance screens over legitimate banking interfaces, reducing the chance that victims notice suspicious activity while the malware operates in the background.
This campaign fits a pattern that threat researchers have been documenting for years: Anatsa repeatedly slips into the official Google Play Store through utility or productivity apps that look harmless at first glance.
Earlier waves reached tens of thousands to hundreds of thousands of downloads, showing that the operators use patience and scale rather than immediate aggression.
The current app was still live at the time of reporting and used the package name com.westhorizont.appsforge.filehorizon_explorereaddocuments on the Play Store.
Google has removed multiple Anatsa-linked apps in past incidents, but the recurring issue is that the malware is introduced only after the app has already collected users, ratings, and trust signals.
That technique makes review-based vetting less effective, because the initial version can appear legitimate and benign. By the time the malicious update arrives, the app has already passed the social proof stage that many users rely on when installing from an official store.
For defenders, the practical response is to treat mobile threats like any other staged intrusion. Inventory recently installed document-reader and file-manager apps, check whether the indicators above appear in endpoint or DNS logs, and verify that affected devices are not silently downloading secondary APKs.
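As an added example (not code from the report or from ThreatLabz), the script below refangs the indicators quoted above and checks them against proxy-log lines and a device app inventory; the log line format, the inventory tuple layout and the device names are assumptions, and all sample data is constructed.

```python
"""Hunt for the Anatsa indicators from this report in egress logs and an app inventory.
Added example; log format and inventory layout are assumed, sample data is constructed."""
import re
from urllib.parse import urlsplit

# Indicators exactly as quoted in the report, in their defanged "[.]" form.
DEFANGED_URLS = [
    "http://66.206.6[.]6:8080/disclaimer.txt",  # payload download
    "http://162.252.173[.]37:85/api",           # command-and-control endpoint
]
KNOWN_MD5 = {
    "f72b1a333fa28b133df6476561142d6a": "Anatsa dropper (installer)",
    "61d25684e6f42e386f40ee60f5c54dca": "Anatsa payload",
}
KNOWN_PACKAGES = {"com.westhorizont.appsforge.filehorizon_explorereaddocuments"}

def refang(value: str) -> str:
    """Undo the '[.]' publishing convention so the value matches raw log data."""
    return value.replace("[.]", ".")

def hosts_and_ports():
    """Map each refanged URL indicator to its (host, port) pair."""
    return {(p.hostname, p.port) for p in (urlsplit(refang(u)) for u in DEFANGED_URLS)}

# Assumed egress/proxy log format: "<timestamp> <device> <dst_ip>:<dst_port> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+)$")

def scan_proxy_logs(lines):
    """Return (device, url) for each line whose destination matches an indicator."""
    targets = hosts_and_ports()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and (m.group(3), int(m.group(4))) in targets:
            hits.append((m.group(2), m.group(5)))
    return hits

def scan_inventory(records):
    """records: iterable of (device, package_name, apk_md5); return labelled hits."""
    hits = []
    for device, pkg, md5 in records:
        if pkg in KNOWN_PACKAGES:
            hits.append((device, pkg, "known dropper package"))
        if md5.lower() in KNOWN_MD5:  # hashes in inventories are often upper-case
            hits.append((device, pkg, KNOWN_MD5[md5.lower()]))
    return hits

if __name__ == "__main__":
    sample = [  # constructed log lines, not real telemetry
        "t1 phone-17 66.206.6.6:8080 http://66.206.6.6:8080/disclaimer.txt",
        "t2 phone-17 142.250.74.14:443 https://play.google.com/",
        "t3 phone-17 162.252.173.37:85 http://162.252.173.37:85/api",
    ]
    print(scan_proxy_logs(sample))
```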
For users, the main lesson is that app category and store origin are not enough to establish trust. A document reader with unusually broad permissions, an aggressive update cycle, or a rapid shift in behavior should be treated as suspicious, even if it has crossed the 100K-download mark.