A new fake document reader app found on the Google Play Store has been silently installing Anatsa, a powerful Android banking trojan, on thousands of user devices.
The malicious application surpassed 10,000 downloads before Google removed it, putting a significant number of Android users at direct risk of financial fraud and credential theft.
Anatsa is not a new name in mobile security. The malware first surfaced in 2020 as an Android banking trojan built to steal credentials, record keystrokes, and perform fraudulent transactions on infected devices without user knowledge.
Over the years, it has grown into one of the most persistent mobile banking threats, with its latest variant now targeting more than 831 financial institutions globally, including newly added banks and cryptocurrency platforms in countries like Germany and South Korea.
Researchers at Zscaler ThreatLabz identified the malicious application on the Google Play Store and published their findings on April 27, 2026. The app was disguised as a file reader under the package name com.groundstation.informationcontrol.filestation_browsefiles_readdocs and had surpassed 10,000 downloads before Google removed it from the platform.
This incident is yet another chapter in Anatsa’s ongoing campaign, which has repeatedly used benign-looking utility apps to bypass app store defenses and reach real users at scale.
The app used a dropper technique to stay undetected during the store’s review process. Once installed, it appeared to work normally as a document reader, showing no signs of malicious activity.
In the background, it connected to a remote server and pulled down the Anatsa payload from http://23.251.108[.]10:8080/privacy.txt, silently installing the trojan without any user-visible alerts. This two-stage delivery is designed to beat app store reviews that only assess apps at the point of submission.
This method of staying clean at first and then downloading malware later has been a signature of Anatsa’s campaigns for years.
Since Google Play’s security scans focus on the initial version of an app, the trojan can enter the platform undetected and wait until it has enough installations before activating. By that point, the malware is already running on thousands of real devices.
Infection Mechanism and Detection Evasion
Once Anatsa’s payload is running on a device, it requests accessibility permissions from the user. If granted, the malware automatically activates a broader set of privileges, including overlaying content on top of other apps, intercepting SMS messages, and displaying full-screen alerts.
These capabilities are used to capture user activity, steal banking credentials, and interfere with legitimate app interactions without raising obvious alarms.
To stay hidden from security tools, Anatsa hides its DEX file inside a corrupted ZIP archive with invalid compression flags. The file only executes at runtime and is deleted immediately after loading, making it very difficult for static tools to catch.
The payload is further embedded inside a JSON file that is dropped and erased during execution, leaving minimal evidence of the infection on the device.
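The corrupted-archive trick described above is something a static triage script can look for on its own, without relying on a ZIP library that may silently tolerate the damage. The following Python is an added example, not code from the article or from Zscaler ThreatLabz: it parses the central directory and each local file header directly with struct, and reports entries whose local-header compression method is not one defined in PKWARE's APPNOTE, disagrees with the central directory, or has reserved general-purpose flag bits set. The sample archive and the way it is corrupted are constructed here to exercise the scanner; they approximate the technique and are not the real Anatsa artifact.

```python
import io
import struct
import zipfile
from dataclasses import dataclass
from typing import Iterator, List, Tuple

LOCAL_SIG = b"PK\x03\x04"
CD_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
LOCAL_FMT = "<4sHHHHHIIIHH"       # local file header, 30 bytes
CD_FMT = "<4sHHHHHHIIIHHHHHII"    # central directory header, 46 bytes
EOCD_FMT = "<4sHHHHIIH"           # end of central directory record, 22 bytes

# Compression methods assigned in PKWARE's APPNOTE; anything else is suspicious.
KNOWN_METHODS = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 12, 14, 18, 19, 20,
                 93, 94, 95, 96, 97, 98, 99}
RESERVED_FLAG_BITS = 0xD000       # general-purpose flag bits 12, 14 and 15 are reserved


@dataclass
class Finding:
    entry: str
    reason: str


def _central_entries(data: bytes) -> Iterator[Tuple[str, int, int, int]]:
    """Yield (name, flags, method, local_header_offset) for every central directory entry."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, total, _, cd_off, _ = struct.unpack_from(EOCD_FMT, data, eocd_at)
    pos = cd_off
    for _ in range(total):
        fields = struct.unpack_from(CD_FMT, data, pos)
        sig, flags, method = fields[0], fields[3], fields[4]
        nlen, xlen, clen, local_off = fields[10], fields[11], fields[12], fields[16]
        if sig != CD_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        name = data[pos + 46: pos + 46 + nlen].decode("utf-8", "replace")
        yield name, flags, method, local_off
        pos += 46 + nlen + xlen + clen


def scan_zip(data: bytes) -> List[Finding]:
    """Cross-check each local file header against what the central directory claims."""
    findings: List[Finding] = []
    for name, cd_flags, cd_method, local_off in _central_entries(data):
        sig, _, l_flags, l_method = struct.unpack_from(LOCAL_FMT, data, local_off)[:4]
        if sig != LOCAL_SIG:
            findings.append(Finding(name, "local header signature missing"))
            continue
        if l_method not in KNOWN_METHODS:
            findings.append(Finding(name, f"unknown compression method {l_method:#06x}"))
        if l_method != cd_method:
            findings.append(Finding(name, f"local header method {l_method} != central directory method {cd_method}"))
        if (l_flags | cd_flags) & RESERVED_FLAG_BITS:
            findings.append(Finding(name, f"reserved flag bits set: {l_flags:#06x}"))
    return findings


def build_sample(corrupt: bool) -> bytes:
    """Constructed test archive: a stand-in 'classes.dex' plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(range(256)))  # not a real DEX
        zf.writestr("assets/readme.txt", b"harmless text")
    data = bytearray(buf.getvalue())
    if corrupt:
        # The first local header starts at offset 0: flags at +6, method at +8.
        # Set a reserved flag bit and an undefined method to imitate the damage described.
        struct.pack_into("<HH", data, 6, 0x8000, 0xFFFF)
    return bytes(data)


if __name__ == "__main__":
    for label in ("clean", "corrupted"):
        blob = build_sample(corrupt=(label == "corrupted"))
        print(label, [(f.entry, f.reason) for f in scan_zip(blob)])
```

Checking the local header against the central directory is the useful part: a tool that reads only one of the two structures can be fooled by damage in the other, so disagreement between them is itself a signal worth alerting on.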
Anatsa encrypts all traffic to its command-and-control servers using a single-byte XOR key. In this campaign, the C2 servers were hosted at http://172.86.91[.]94/api/, http://193.24.123[.]18:85/api/, and http://162.252.173[.]37:85/api/.
These servers deliver fake banking login overlays that appear directly over legitimate banking apps, tricking users into entering their credentials on fraudulent pages that look completely real.
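A single-byte XOR key offers no real confidentiality: with 256 possible keys and traffic whose structure is predictable, an analyst can recover the key from a captured blob by trying every value and scoring the result. The Python below is an added example, not code from the article or from Zscaler; the beacon content, its JSON format and the key are invented here to exercise the decoder, and nothing about the real Anatsa message format is assumed.

```python
import json
from typing import Tuple

# Constructed sample beacon (NOT real Anatsa traffic): invented JSON XOR'ed with an invented key.
DEMO_KEY = 0x5A
DEMO_PLAINTEXT = b'{"cmd":"overlay","app":"example.bank","id":"device-0001"}'
CAPTURED_BLOB = bytes(b ^ DEMO_KEY for b in DEMO_PLAINTEXT)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply (or undo) a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def plausibility(candidate: bytes) -> float:
    """Score a decryption attempt: fraction of printable ASCII, plus a large bonus if it is valid JSON."""
    printable = sum(1 for b in candidate if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    score = printable / max(len(candidate), 1)
    try:
        json.loads(candidate.decode("ascii"))
        score += 10.0
    except (UnicodeDecodeError, ValueError):
        pass
    return score


def recover_key(blob: bytes) -> Tuple[int, bytes]:
    """Try all 256 keys and return the (key, plaintext) pair that scores highest."""
    best_key = max(range(256), key=lambda k: plausibility(xor_single_byte(blob, k)))
    return best_key, xor_single_byte(blob, best_key)


if __name__ == "__main__":
    key, plaintext = recover_key(CAPTURED_BLOB)
    print(f"recovered key {key:#04x}: {plaintext.decode()}")
```

The JSON bonus makes the decision unambiguous for structured beacons; for binary or otherwise unstructured traffic only the printable-ratio heuristic applies, and a practitioner would add a scorer for whatever structure the real protocol has.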
The malware also performs emulation checks and verifies the device model before deploying the payload. If it detects a sandboxed or testing environment, it simply displays a clean file manager interface instead of launching the trojan.
This built-in self-defense mechanism helps Anatsa remain undetected during automated analysis, giving it more time to operate freely on real user devices without being flagged.
Android users should review the permissions any new app requests before approving them. Document readers and file managers have no legitimate reason to request accessibility permissions or SMS access.
Keeping Google Play Protect turned on, avoiding apps from unfamiliar developers, and questioning any app that asks for unusual permissions are all practical steps worth taking.
Anyone who installed the affected application should uninstall it immediately and scan their device with a trusted mobile security tool.
Indicators of Compromise (IOCs):
| Indicator | Type | Detail |
|---|---|---|
| 5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20 | Installer SHA256 | Anatsa dropper hash |
| 88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f | Payload SHA256 | Anatsa core payload hash |
| http://23.251.108[.]10:8080/privacy.txt | Payload URL | Remote payload delivery server |
| http://172.86.91[.]94/api/ | C2 Server | Anatsa command-and-control |
| http://193.24.123[.]18:85/api/ | C2 Server | Anatsa command-and-control |
| http://162.252.173[.]37:85/api/ | C2 Server | Anatsa command-and-control |
| com.groundstation.informationcontrol.filestation_browsefiles_readdocs | Package Name | Malicious dropper app (removed) |
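To put the indicators above to use, a defender typically refangs the `[.]` notation and sweeps proxy logs and device package lists for them. The following Python is an added example, not code from the article or from Zscaler: it matches the network indicators on host and port rather than the full URL (C2 paths vary, and the published payload URL is one path on one host), and checks a package listing for the dropper's package name. The proxy-log lines and the package listing are constructed here for the demonstration.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Network indicators copied from the IoC table, kept in their published defanged form.
NETWORK_IOCS: Dict[str, str] = {
    "http://23.251.108[.]10:8080/privacy.txt": "payload delivery",
    "http://172.86.91[.]94/api/": "C2",
    "http://193.24.123[.]18:85/api/": "C2",
    "http://162.252.173[.]37:85/api/": "C2",
}
DROPPER_PACKAGE = "com.groundstation.informationcontrol.filestation_browsefiles_readdocs"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def refang(indicator: str) -> str:
    """Turn the published defanged form back into a real URL for comparison."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_port(url: str) -> str:
    """Normalise to 'host:port' so 'http://h/a' and 'http://h:80/b' compare equal."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:          # malformed port in the log line
        return ""
    return f"{parts.hostname}:{port}"


IOC_HOSTS: Dict[str, str] = {host_port(refang(u)): label for u, label in NETWORK_IOCS.items()}


def match_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, host:port, label) for every URL whose host:port is an indicator."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            key = host_port(url)
            label = IOC_HOSTS.get(key)
            if label:
                hits.append((lineno, key, label))
    return hits


def match_packages(pm_output: str) -> List[str]:
    """Return dropper package names present in `adb shell pm list packages` output."""
    names = [l.split(":", 1)[1].strip() for l in pm_output.splitlines() if l.startswith("package:")]
    return [n for n in names if n == DROPPER_PACKAGE]


# Constructed sample data (not real logs): Squid-style proxy lines and a package listing.
SAMPLE_PROXY_LOG = [
    "1714200001.101 38 10.0.0.17 TCP_MISS/200 812 GET http://23.251.108.10:8080/privacy.txt - HIER_DIRECT/23.251.108.10 text/plain",
    "1714200002.456 12 10.0.0.21 TCP_MISS/200 1400 GET https://intranet.example/index.html - HIER_DIRECT/192.0.2.10 text/html",
    "1714200003.789 55 10.0.0.17 TCP_MISS/200 220 POST http://172.86.91.94/api/register - HIER_DIRECT/172.86.91.94 application/json",
]
SAMPLE_PM_OUTPUT = (
    "package:com.android.settings\n"
    "package:com.groundstation.informationcontrol.filestation_browsefiles_readdocs\n"
)

if __name__ == "__main__":
    for lineno, where, label in match_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {lineno}: {where} ({label})")
    print("dropper installed:", match_packages(SAMPLE_PM_OUTPUT))
```

The third sample line hits even though its path (`/api/register`) is not in the table, which is the point of matching on host and port: the indicator lists the C2 endpoint, not every path the implant may request from it.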