Cybersecurity researchers have uncovered a new Android malware campaign that used a fake document reader application to distribute the Anatsa banking trojan. The app appeared to be a legitimate file-reading utility on the Google Play Store and gained more than 100,000 downloads before malicious functionality was activated.
The application initially behaved like a normal productivity tool, helping it gain user trust and positive ratings. Once a significant user base was established, attackers pushed an update that downloaded and installed the Anatsa malware from a remote server.
How the Attack Worked
The malicious app was disguised as a document reader and file management tool. Early versions contained no malicious code, which let the listing build credibility, reviews and a large install base. Once that base existed, an update turned the app into a dropper: it fetched the Anatsa payload from a remote server, installed it, and connected to attacker-controlled servers.
Researchers identified the following indicators of compromise (IOCs); the C2 URL is shown defanged:
- Installer MD5: f72b1a333fa28b133df6476561142d6a
- Payload MD5: 61d25684e6f42e386f40ee60f5c54dca
- Command-and-Control Server: hxxp://162.252.173[.]37:85/api
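A small checker that puts the published IOCs to use, added here as an example and not part of the original report: it hashes pulled APKs against the two MD5 values and searches proxy or firewall logs for the C2 address. The directory layout, the log format and the sample log lines are constructed for illustration; the hashes and the C2 host and port are the ones listed above, with the URL re-fanged so it matches real log text.

```python
import hashlib
import re
from pathlib import Path

# Hash and C2 indicators as listed in the article; the C2 URL is re-fanged
# here so it can be matched against real log lines.
IOC_MD5 = {
    "f72b1a333fa28b133df6476561142d6a": "Anatsa dropper installer",
    "61d25684e6f42e386f40ee60f5c54dca": "Anatsa payload",
}
C2_HOST = "162.252.173.37"
C2_PORT = 85

# Match the bare C2 address but not a longer dotted string that merely
# contains it (e.g. 1162.252.173.37 or 162.252.173.370).
C2_RE = re.compile(r"(?<![\d.])" + re.escape(C2_HOST) + r"(?!\d)")

# Constructed log lines (documentation IP ranges); the third line is a
# deliberate decoy to show the boundary check.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.0.0.12 dst=203.0.113.10:443 host=updates.example",
    "2024-05-01T10:00:07Z src=10.0.0.12 dst=162.252.173.37:85 uri=/api method=POST",
    "2024-05-01T10:00:09Z src=10.0.0.12 dst=162.252.173.370:85 uri=/api method=POST",
    "2024-05-01T10:00:11Z src=10.0.0.12 dst=198.51.100.53:53 proto=udp",
]


def md5_of_bytes(data):
    """Hex MD5 of an in-memory blob (used for small inputs and tests)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """Streamed MD5 so large APKs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_digest(digest):
    """Return the IOC label for a hex MD5, or None if it is not on the list."""
    return IOC_MD5.get(digest.lower())


def scan_apks(directory):
    """Walk a directory of pulled APKs (e.g. from `adb pull`) and report
    every file whose MD5 is a known IOC, as (path, label) pairs."""
    hits = []
    for apk in Path(directory).rglob("*.apk"):
        label = classify_digest(md5_of_file(apk))
        if label:
            hits.append((str(apk), label))
    return hits


def scan_log_lines(lines):
    """Return (line, port_seen) for every line that references the C2 host;
    port_seen is True when the line also shows the listed C2 port."""
    hits = []
    for line in lines:
        if C2_RE.search(line):
            hits.append((line, f"{C2_HOST}:{C2_PORT}" in line))
    return hits


if __name__ == "__main__":
    for line, with_port in scan_log_lines(SAMPLE_LOG):
        print(f"C2 contact{' on listed port' if with_port else ''}: {line}")
    for path, label in scan_apks("./pulled_apks"):  # assumed directory name
        print(f"{label}: {path}")
```

A hash match is conclusive; the absence of one is not. MD5 is only a lookup key here, and any rebuilt or repacked sample will carry a different digest, so a clean hash sweep should be paired with the network check and with a review of recently updated apps.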
Why Anatsa Is Dangerous
Anatsa is a banking trojan designed to steal financial information from Android users. Once active, it watches for targeted banking applications and draws overlay screens that mimic their login pages to capture credentials, while hiding the suspicious activity from the victim.
This campaign follows a strategy commonly used by Anatsa operators. Instead of releasing malware immediately, attackers first build trust through seemingly legitimate apps. By the time the malicious update is delivered, the application has already accumulated downloads, ratings, and user confidence.
How to Stay Protected
- Review recently installed document-reader and file-management apps.
- Be cautious of apps that suddenly request new permissions after updates.
- Remove suspicious applications and scan affected devices immediately.
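The second bullet above is easiest to act on if you keep a baseline. The script below, added here as an example and not part of the original article, diffs the requested-permission block of two `adb shell dumpsys package <pkg>` captures taken before and after an update and flags additions from a watchlist. The captures, the package name com.example.docreader and its permissions are constructed; the watchlist is a generic one of permissions a document reader has little reason to hold and that banking trojans commonly use, not a list taken from the article's analysis.

```python
import re
import subprocess

# Constructed samples in the layout of `adb shell dumpsys package <pkg>`,
# captured before and after an update of a hypothetical app.
BEFORE = """\
Packages:
  Package [com.example.docreader] (1a2b3c):
    versionCode=10 minSdk=26 targetSdk=33
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
    install permissions:
      android.permission.INTERNET: granted=true
"""

AFTER = """\
Packages:
  Package [com.example.docreader] (1a2b3c):
    versionCode=11 minSdk=26 targetSdk=33
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
"""

# Generic watchlist (the author's, not from the article): overlays for fake
# login screens, sideloading a second APK, and reading one-time codes.
WATCHLIST = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}


def capture(package):
    """Live capture from a connected device; not used by the offline sample."""
    return subprocess.run(
        ["adb", "shell", "dumpsys", "package", package],
        capture_output=True, text=True, check=True,
    ).stdout


def version_code(dump):
    """Integer versionCode from the dump, or None if absent."""
    m = re.search(r"versionCode=(\d+)", dump)
    return int(m.group(1)) if m else None


def requested_permissions(dump):
    """Permission names under 'requested permissions:'; the block ends at
    the first line indented no deeper than the header."""
    perms = set()
    in_block = False
    header_indent = 0
    for line in dump.splitlines():
        indent = len(line) - len(line.lstrip())
        if line.strip() == "requested permissions:":
            in_block, header_indent = True, indent
            continue
        if in_block:
            if not line.strip() or indent <= header_indent:
                break
            perms.add(line.strip())
    return perms


def new_permissions(before, after):
    """Permissions requested after the update but not before, sorted."""
    return sorted(requested_permissions(after) - requested_permissions(before))


def flagged(perms):
    """Subset of perms that sits on the watchlist, sorted."""
    return sorted(p for p in perms if p in WATCHLIST)


if __name__ == "__main__":
    added = new_permissions(BEFORE, AFTER)
    print(f"v{version_code(BEFORE)} -> v{version_code(AFTER)}: added {added}")
    for p in flagged(added):
        print(f"review: {p}")
```

Accessibility-service abuse does not show up in this block, because an app's own service declares that permission rather than requesting it; check the enabled services on the device separately. A flagged addition is a prompt to look closer, not proof of compromise; combine it with the hash and C2 checks above before removing an app.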
The incident serves as a reminder that even apps downloaded from official stores should be carefully evaluated. High download numbers and positive reviews alone are not enough to guarantee safety.