Fake document reader on Google Play installs Anatsa banking malware


A fake document reader app on Google Play has been linked to a new Anatsa banking malware campaign that exposed thousands of Android users to credential theft and financial fraud.

The app passed Google Play review as a normal file reader, then used a dropper-style infection chain to download and install the Anatsa payload later. According to the shared campaign details, the app had more than 10,000 downloads before Google removed it from the Play Store.

Anatsa is a known Android banking trojan that has been active since 2020. It can steal banking credentials, monitor keystrokes, display fake login screens over real banking apps, and support fraudulent transactions.

What happened

The malicious app was disguised as a document reader and file manager. It used the package name com.groundstation.informationcontrol.filestation_browsefiles_readdocs.

Once installed, the app appeared harmless. This helped it avoid early suspicion from users and automated checks.

In the background, it connected to a remote server and downloaded the Anatsa payload from http://23.251.108[.]10:8080/privacy.txt. This second-stage delivery gave the attackers a way to keep the Play Store app looking clean at first.

  • Malware family: Anatsa, also known as TeaBot
  • Platform: Android
  • Distribution method: Fake document reader on Google Play
  • Reported downloads: More than 10,000
  • Package name: com.groundstation.informationcontrol.filestation_browsefiles_readdocs
  • Main risk: Banking credential theft and fraudulent transactions
  • Payload delivery: Remote download after installation

How the attack works

The app uses a common mobile malware trick. It behaves like a normal utility first, then downloads the real malicious payload after installation.

This matters because app store reviews often inspect the submitted app package. If the first-stage app does not contain obvious banking malware behavior, attackers may get more time before detection.

Anatsa campaigns have used this dropper method before. Zscaler ThreatLabz previously reported that Anatsa apps often masquerade as PDF readers, QR code readers, document readers, and file tools to attract downloads from users who think they are installing harmless utilities.

What Anatsa can do after infection

After the payload runs, Anatsa pushes users to grant Accessibility permissions. That request should raise immediate concern because document readers do not need Accessibility access to open files.

If the user approves the permission, Anatsa can gain stronger control over the device. It can display overlays, intercept SMS messages, capture input, and interfere with legitimate banking app screens.

The malware uses fake login pages to steal credentials. When a victim opens a targeted banking app, Anatsa can show a fraudulent page on top of the real app and trick the user into entering private information.

Malware capability and why it is dangerous:

  • Accessibility abuse: gives the malware control over screen actions
  • Overlay attacks: shows fake login pages over real banking apps
  • SMS interception: helps steal OTPs and verification codes
  • Keystroke monitoring: captures sensitive user input
  • Device checks: helps avoid sandboxes and analysis systems
  • Runtime payload loading: makes static detection harder
  • Encrypted C2 traffic: hides communication with attacker servers

Why the app was hard to detect

The campaign used several evasion techniques. The payload was not fully active at the moment of installation, which helped the app look less suspicious.

The malware also checked the device environment before deploying the final payload. If it detected a test device, emulator, or sandbox, it could show a clean file manager interface instead of launching malicious activity.

The payload also hid its DEX file inside a malformed ZIP structure with invalid compression flags. This type of trick can make static analysis harder because security tools may struggle to unpack and inspect the file correctly.
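As an added illustration of the malformed-ZIP trick described above (this is not code from the original report or from any vendor tool), the Python below reads ZIP headers directly with struct and flags entries whose compression method is not a known one, or whose stored bytes begin with DEX magic under a non-.dex name. It models the "invalid compression flags" as an unsupported compression-method value, which is an assumption; the sample archive is constructed inline, and stdlib_can_read shows the standard zipfile module refusing the same file that the raw scanner still inspects.

```python
import io
import struct
import zipfile

CENTRAL_SIG = b"PK\x01\x02"
KNOWN_METHODS, DEX_MAGIC = {0, 8}, b"dex\n"   # stored/deflate methods; classes.dex magic

def scan_zip_headers(data: bytes) -> list:
    """Walk the central directory with struct (not zipfile) and report, per entry, its method
    and why it looks suspicious: unknown method, central/local mismatch, or raw DEX magic under
    a non-.dex name. A real tool would find the directory via the end-of-central-directory record."""
    findings, pos = [], data.find(CENTRAL_SIG)
    while pos != -1 and data[pos:pos + 4] == CENTRAL_SIG:
        (_, _, _, _, c_method, _, _, _, csize, _, nlen, xlen, clen, _, _, _,
         loff) = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        (_, _, _, l_method, _, _, _, _, _, l_nlen, l_xlen) = struct.unpack_from(
            "<4sHHHHHIIIHH", data, loff)
        raw = data[loff + 30 + l_nlen + l_xlen:][:csize]   # bytes exactly as stored on disk
        reasons = []
        if c_method not in KNOWN_METHODS:
            reasons.append("unknown compression method %d" % c_method)
        if c_method != l_method:
            reasons.append("central/local method mismatch")
        if raw.startswith(DEX_MAGIC) and not name.endswith(".dex"):
            reasons.append("raw DEX magic under non-.dex name")
        findings.append({"name": name, "method": c_method, "reasons": reasons})
        pos += 46 + nlen + xlen + clen
    return findings

def stdlib_can_read(data: bytes) -> bool:
    try:  # True only if the standard zipfile module can list and extract every entry
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return all(zf.read(i) is not None for i in zf.infolist())
    except Exception:
        return False

def build_sample(bad_method=None) -> bytes:
    """Constructed sample (not the real payload): a stored DEX-magic blob under a .txt name;
    with bad_method set, that entry's method field is rewritten in both headers (assumption)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("README.txt", "harmless text")
        zf.writestr("assets/privacy.txt", DEX_MAGIC + b"035\x00" + b"\x00" * 40)
    data = bytearray(buf.getvalue())
    if bad_method is not None:
        cd = data.find(CENTRAL_SIG, data.find(CENTRAL_SIG) + 4)  # second directory record
        struct.pack_into("<H", data, cd + 10, bad_method)            # central directory method
        struct.pack_into("<H", data, struct.unpack_from("<I", data, cd + 42)[0] + 8, bad_method)
    return bytes(data)
```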

Why this campaign matters

This incident shows that Android users cannot rely only on the fact that an app appears on Google Play. Attackers continue to abuse utility categories because file readers, scanners, editors, and managers look ordinary and attract broad user interest.

Zscaler has reported that Anatsa’s latest variants target more than 831 financial institutions worldwide, including banking apps and cryptocurrency platforms. That makes any new Anatsa campaign a serious risk for users who manage money from Android devices.

The fake document reader also follows a familiar pattern. The app gains trust as a simple utility, waits until it reaches real users, then downloads the banking trojan later.

Indicators of compromise

  • Malicious app package: com.groundstation.informationcontrol.filestation_browsefiles_readdocs
  • Installer SHA256: 5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20
  • Payload SHA256: 88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f
  • Payload URL: 23.251.108[.]10:8080/privacy.txt
  • C2 server: 172.86.91[.]94/api/
  • C2 server: 193.24.123[.]18:85/api/
  • C2 server: 162.252.173[.]37:85/api/

What Android users should do now

Users who installed the affected document reader should uninstall it immediately. They should also scan the device with Google Play Protect or a trusted mobile security app.

Anyone who used banking apps on the same device should change passwords from a clean device. They should also contact their bank if they notice unusual logins, OTP messages, or transactions.

Users should review app permissions carefully. A document reader should not ask for Accessibility access, SMS access, full-screen overlay permission, or control over other apps.

  • Keep Google Play Protect enabled.
  • Avoid document readers from unknown developers.
  • Do not approve Accessibility permissions for file readers or PDF tools.
  • Review app ratings, developer history, and recent reviews before installing.
  • Remove apps that request permissions unrelated to their purpose.
  • Update Android and banking apps regularly.
  • Enable transaction alerts from your bank.
  • Use a clean device to change passwords after suspected infection.

What security teams should monitor

Enterprise security teams should look for the affected package name, hashes, payload URL, and C2 servers across managed Android fleets.

Mobile threat defense tools should flag apps that download executable payloads after installation, request Accessibility access without a clear reason, or contact suspicious IP-based infrastructure.
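One way to turn the published indicators into a fleet check, added here as an example rather than any vendor's tooling: it assumes an MDM inventory export with device_id, package and apk_sha256 columns and key=value egress records carrying dst= and device= fields (both formats are constructed), and it matches C2 destinations on IP alone because one listed server carries no port.

```python
import csv
import io
import re

# Indicators published in the report above, kept in their defanged form; refang() reverses it.
IOC_PACKAGES = {"com.groundstation.informationcontrol.filestation_browsefiles_readdocs"}
IOC_SHA256 = {
    "5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20",  # installer
    "88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f",  # payload
}
IOC_HOSTS = {"23.251.108[.]10", "172.86.91[.]94", "193.24.123[.]18", "162.252.173[.]37"}

def refang(value: str) -> str:
    """Undo the '[.]' and 'hxxp' defanging used when indicators are published."""
    return value.replace("[.]", ".").replace("hxxp", "http")
LIVE_HOSTS = {refang(h) for h in IOC_HOSTS}
DST_RE = re.compile(r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?")

def hunt_inventory(inventory_csv: str) -> list:
    """Match an inventory export (device_id,package,apk_sha256) on package name and hashes."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["package"] in IOC_PACKAGES:
            hits.append((row["device_id"], "known malicious package"))
        if row["apk_sha256"].lower() in IOC_SHA256:   # hash case normalised before comparing
            hits.append((row["device_id"], "known malicious APK hash"))
    return hits

def hunt_netflow(lines: list) -> list:
    """Match egress records on destination IP regardless of port; returns (device, destination)."""
    hits = []
    for line in lines:
        m = DST_RE.search(line)
        if not m or m.group("ip") not in LIVE_HOSTS:
            continue
        dev = re.search(r"device=(\S+)", line)
        dst = m.group("ip") + (":" + m.group("port") if m.group("port") else "")
        hits.append((dev.group(1) if dev else "?", dst))
    return hits

# Constructed sample telemetry (not real data); 203.0.113.5 is a documentation address.
SAMPLE_INVENTORY = """device_id,package,apk_sha256
phone-01,com.example.notes,0000000000000000000000000000000000000000000000000000000000000001
phone-02,com.groundstation.informationcontrol.filestation_browsefiles_readdocs,5C9B09819B196970A867B1D459F9053DA38A6A2721F21264324E0A8FFEF01E20
"""
SAMPLE_NETFLOW = [
    "ts=1 device=phone-03 dst=203.0.113.5:443 bytes=1200",
    "ts=2 device=phone-02 dst=23.251.108.10:8080 url=/privacy.txt bytes=88000",
    "ts=3 device=phone-02 dst=172.86.91.94 url=/api/ bytes=410",
]
```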

Security teams should also educate users about utility-app malware. A simple document reader can become a banking risk if it downloads code, requests powerful permissions, or overlays other apps.

FAQ

What is Anatsa?

Anatsa is an Android banking trojan also known as TeaBot. It steals financial credentials, captures user input, displays fake login screens, and helps attackers perform fraudulent banking activity.

Was this app available on Google Play?

Yes. The fake document reader was found on Google Play and reportedly passed 10,000 downloads before removal.

What should I do if I installed it?

Uninstall the app, run a security scan, change banking passwords from another device, and contact your bank if you see suspicious activity.

Why does Accessibility permission matter?

Accessibility permission can let malware read screen content, control taps, capture input, and interact with apps. A document reader normally has no valid reason to request it.

Readers help support VPNCentral. We may get a commission if you buy through our links.

