Fake Document Reader on Google Play Delivered Anatsa Android Banking Malware


A fake document reader app on the Google Play Store was used to deliver the Anatsa Android banking trojan, exposing more than 100,000 Android users to possible credential theft and financial fraud.

Zscaler ThreatLabz said in a new Anatsa warning that the malicious app used the package name com.westhorizont.appsforge.filehorizon_explorereaddocuments and acted as a dropper for the banking malware.

Anatsa, also known as TeaBot, is not new. Zscaler's Anatsa research says the malware first appeared in 2020 and can steal credentials, monitor keystrokes, and help attackers perform fraudulent transactions.

How the fake document reader attack worked

The app presented itself as a file manager and document reader. That made it look useful enough for everyday Android users who needed to open PDFs, documents, or local files.

After installation, the app behaved like a dropper. It contacted attacker-controlled infrastructure and downloaded the full Anatsa payload when the device passed its checks.

This staged approach helped the app appear harmless during early review. The initial app looked like a basic utility, while the real banking trojan arrived later as a separate payload.

| Attack stage | What happened | Why it mattered |
|---|---|---|
| Play Store listing | The app posed as a document reader and file manager | Users were more likely to trust a simple utility app |
| Initial install | The dropper appeared benign at first | This helped the app avoid immediate suspicion |
| Payload delivery | The app downloaded Anatsa from a remote server | The banking trojan arrived after installation |
| Permission abuse | Anatsa requested Accessibility and SMS-related access | The malware gained the tools needed for credential theft |
| Banking overlay | Fake login screens appeared over real financial apps | Victims could enter credentials directly into the malware |

Anatsa now targets hundreds of financial apps

The latest Anatsa variants have broadened their reach. Zscaler said recent versions target more than 831 financial institutions worldwide, including banking, investment, and cryptocurrency services.

The malware checks the infected device for installed financial apps. When it finds a targeted app, it can request a matching fake login page from its command-and-control server.

That fake page then appears over the legitimate app. The victim thinks they are signing in to their bank, but the credentials go to the attacker.

Why document reader apps are useful lures

Document readers, QR scanners, file managers, and similar utility apps remain common Android malware disguises. They look ordinary, they serve broad user needs, and they do not immediately feel risky.

Zscaler's broader Anatsa analysis said decoy Anatsa apps have individually passed 50,000 downloads in earlier campaigns, while related malicious apps reported by the company reached millions of installs collectively.

The latest fake document reader shows the same pattern continuing. The attacker does not need to convince users to install an obvious banking tool, only a useful app that seems harmless.

  • Package name: com.westhorizont.appsforge.filehorizon_explorereaddocuments
  • Malware family: Anatsa, also known as TeaBot
  • App disguise: document reader and file manager
  • Reported install count: more than 100,000 downloads
  • Main risk: banking credential theft and fraudulent transactions

The malware hides when analysis fails

The dropper includes checks that make analysis harder. If it detects a sandbox, emulator, or unreachable command-and-control server, it can simply display a working file manager interface.

That behavior helps the app maintain its cover. A researcher, automated scanner, or cautious user may see only basic file-management features instead of the hidden malware chain.

Zscaler's ThreatLabz update also listed indicators tied to payload delivery and command-and-control servers, including 66.206.6[.]6, 162.252.173[.]37, 185.215.113[.]108, and 193.24.123[.]18.

Anatsa abuses Accessibility and SMS permissions

Once installed, Anatsa tries to persuade the user to grant Accessibility permissions. This is one of the most dangerous steps in the infection chain.

Google has warned in an Android security post that bad actors can exploit accessibility APIs to read sensitive information, including passwords and financial details, directly from the screen and manipulate devices by injecting touches.

Google's Play Protect help page also says permissions such as reading text messages, reading notifications, and controlling a device through accessibility are commonly targeted by bad actors for identity theft and financial fraud.

| Permission or behavior | How Anatsa can abuse it |
|---|---|
| Accessibility access | Monitor screens, automate taps, and assist overlay attacks |
| Read SMS | Capture one-time passwords and bank alerts |
| Receive SMS | Intercept incoming verification messages |
| Display over other apps | Show fake banking login pages above real apps |
| Full-screen mode | Hide visible warning signs from the victim |
| Keylogging | Record typed usernames, passwords, and other sensitive data |

Overlay attacks make banking theft harder to spot

Anatsa's overlay technique is simple but effective. The malware waits until the user opens a targeted financial app, then places a fake login screen on top of the real one.

MITRE describes GUI input capture as a mobile attack technique where adversaries mimic operating-system or app prompts to collect sensitive information from users.

In practice, the victim may see a login page that looks normal. Once the username, password, or other banking details are entered, the information can be sent to the attacker's server.

Google Play Protect helps, but users still need caution

Google Play Protect checks apps and devices for harmful behavior. Google says Play Protect automatically scans apps on Android phones and works to prevent harmful app installations.

Google also says the service scans 200 billion Android apps daily. However, dropper-style malware remains difficult to catch because the first app can appear clean while the malicious payload arrives later.

The Google Play Protect guidance recommends keeping Play Protect turned on and notes that it can warn users, disable apps, remove harmful apps, reset permissions, and block risky installs from higher-risk sources.

What Android users should do now

Users who installed the fake document reader should remove it immediately. They should also run a Play Protect scan, restart the device, and review all apps with Accessibility, SMS, notification, and overlay permissions.

Anyone who used banking, investment, or crypto apps on an affected device should contact their financial institution, change passwords from a clean device, and review recent transactions.

Users should also avoid granting Accessibility permissions to document readers, file managers, QR scanners, flashlight apps, wallpaper apps, or other tools that do not clearly need that level of control.

  1. Uninstall suspicious document reader or file manager apps.
  2. Open Google Play, go to Play Protect, and run a scan.
  3. Check Accessibility permissions and remove access from unknown apps.
  4. Review SMS, notification, and display-over-other-apps permissions.
  5. Change banking and crypto passwords from a trusted device.
  6. Enable transaction alerts and report suspicious transfers quickly.

Known indicators of compromise

| Type | Indicator | Description |
|---|---|---|
| Package name | com.westhorizont.appsforge.filehorizon_explorereaddocuments | Malicious dropper app package |
| MD5 | f72b1a333fa28b133df6476561142d6a | Anatsa installer hash |
| Payload URL | hxxp://66.206.6[.]6:8080/disclaimer.txt | Payload delivery endpoint |
| MD5 | 61d25684e6f42e386f40ee60f5c54dca | Anatsa payload hash |
| C2 URL | hxxp://162.252.173[.]37:85/api | Anatsa command-and-control server |
| C2 URL | hxxp://185.215.113[.]108:85/api/ | Anatsa command-and-control server |
| C2 URL | hxxp://193.24.123[.]18:85/api/ | Anatsa command-and-control server |
| MD5 | 5f85261cf55ed10e73c9b68128092e70 | Associated dropper sample |
| MD5 | 9b6e5703bb0dc0ce8aa98281d0821642 | Associated dropper sample |
| MD5 | a4973b21e77726a88aca1b57af70cc0a | Associated dropper sample |
| MD5 | ed8ea4dc43da437f81bef8d5dc688bdb | Associated dropper sample |

What developers and banks can learn from this campaign

Financial app developers should assume that malware may try to read screens, overlay fake login prompts, or automate input through abused accessibility paths.

The Android accessibilityDataSensitive guidance gives developers a newer way to protect sensitive views from unwanted accessibility-based snooping on supported Android versions.
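As an added example (not code from the article, Zscaler, or Google), a banking login Activity applying the developer-side mitigations discussed above: marking credential fields accessibility-data sensitive on Android 14, hiding other apps' overlay windows on Android 12+, and discarding touches that arrive through an obscuring window. LoginActivity and the R.layout/R.id identifiers are hypothetical, and the overlay-hiding call assumes android.permission.HIDE_OVERLAY_WINDOWS is declared in the manifest.

```kotlin
// Added hardening example; class, layout and view ids are hypothetical.
import android.app.Activity
import android.os.Build
import android.os.Bundle
import android.view.View
import android.widget.EditText

class LoginActivity : Activity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_login)   // hypothetical layout

        val username = findViewById<EditText>(R.id.username)   // hypothetical id
        val password = findViewById<EditText>(R.id.password)   // hypothetical id

        // 1. Android 14 (API 34): mark credential fields as accessibility-data
        //    sensitive. Their content and events are then withheld from
        //    accessibility services that do not declare themselves accessibility
        //    tools, which is the category a disguised utility app falls into.
        //    Layout XML equivalent: android:accessibilityDataSensitive="yes".
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            for (field in listOf(username, password)) {
                field.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
            }
        }

        // 2. Android 12 (API 31): ask the system to hide windows drawn by other
        //    apps through the "display over other apps" permission while this
        //    window is visible. Requires android.permission.HIDE_OVERLAY_WINDOWS
        //    (a normal permission) in the manifest; an overlay that is itself a
        //    full Activity launched on top is not covered by this call.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            window.setHideOverlayWindows(true)
        }

        // 3. All versions: drop touch events delivered while another window
        //    obscures these fields, so taps cannot be relayed through a
        //    transparent overlay sitting above the real login form.
        username.filterTouchesWhenObscured = true
        password.filterTouchesWhenObscured = true
    }
}
```

Pair these view-level controls with server-side fraud rules, since none of them stops a victim from typing credentials into a convincing overlay that fully replaces the screen.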

Security teams can also map this behavior to MITRE's GUI input capture technique when building mobile threat detections, fraud rules, and customer warnings.

The main lesson is straightforward. A clean-looking app listing does not guarantee a safe app, especially when the app later asks for powerful permissions unrelated to its stated purpose.

Users should keep Google Play Protect enabled, install only necessary apps, review recent reviews carefully, and treat unexpected Accessibility requests as a major warning sign.

FAQ

What was the fake document reader on Google Play?

It was a malicious Android app that posed as a document reader and file manager. Zscaler ThreatLabz said it used the package name com.westhorizont.appsforge.filehorizon_explorereaddocuments and delivered the Anatsa banking trojan.

How many downloads did the fake Android document reader have?

Zscaler ThreatLabz said the fake document reader had more than 100,000 downloads on Google Play before being identified as an Anatsa dropper.

What is Anatsa malware?

Anatsa, also known as TeaBot, is an Android banking trojan that can steal banking credentials, record keystrokes, display fake login overlays, and help attackers perform fraudulent transactions.

Why does Anatsa ask for Accessibility permissions?

Anatsa abuses Accessibility permissions to monitor activity, automate taps, read sensitive screen content, and support fake banking overlay attacks. A document reader or file manager should not normally need this level of access.

What should users do if they installed the fake document reader?

Users should uninstall the app, run a Google Play Protect scan, review Accessibility and SMS permissions, change banking passwords from a clean device, monitor accounts for suspicious transactions, and contact their bank if they notice fraud.
