{"id":306512,"date":"2025-12-09T07:26:08","date_gmt":"2025-12-09T07:26:08","guid":{"rendered":"https:\/\/www.newsbeep.com\/uk\/306512\/"},"modified":"2025-12-09T07:26:08","modified_gmt":"2025-12-09T07:26:08","slug":"malicious-document-reader-app-in-google-play-with-50k-downloads-installs-anatsa-malware","status":"publish","type":"post","link":"https:\/\/www.newsbeep.com\/uk\/306512\/","title":{"rendered":"Malicious Document Reader App in Google Play With 50K Downloads Installs Anatsa Malware"},"content":{"rendered":"

\"Malicious<\/a><\/p>\n

A deceptive Android application lurking in the Google Play Store, disguised as a document reader and file manager, but delivering the Anatsa banking trojan to users. <\/p>\n

Cybersecurity firm Zscaler ThreatLabz found an app named \u201cDocument Reader \u2013 File Manager\u201d by developer ISTOQMAH. The app has amassed over 50,000 downloads while remaining live, tricking users into granting permissions that enable financial data theft<\/a>.<\/p>\n

This campaign highlights ongoing challenges in securing official app stores against sophisticated malware droppers.\u200b<\/p>\n

Anatsa, also known as TeaBot, emerged in 2020 as an Android banking malware specializing in credential theft, keylogging, and fraudulent transactions targeting financial apps.<\/p>\n

Recent variants have expanded to over 831 institutions worldwide, including new regions like Germany and South Korea, plus cryptocurrency platforms.<\/p>\n

The Trojan employs advanced evasion tactics, such as runtime DES decryption of strings, device model checks to dodge emulators, and malformed ZIP archives hiding DEX payloads that evade static analysis tools.\u200b<\/p>\n


\n\"google\"\/<\/a><\/p>\n

In this instance, the dropper app poses as a benign tool for opening PDFs, scanning documents, and managing files, complete with an intuitive interface.<\/p>\n

Upon installation, it silently fetches the Anatsa payload disguised as an update from a command-and-control server, bypassing Play Store protections. If checks fail, it displays a fake file manager to maintain cover.<\/p>\n

Once active, Anatsa seeks accessibility permissions to auto-grant dangerous privileges like SYSTEM_ALERT_WINDOW, READ_SMS, and full-screen intents, then overlays phishing pages tailored to detected banking apps.\u200b<\/p>\n

ThreatLabz detailed specific indicators for this Anatsa wave, aiding detection efforts. The app\u2019s Play Store page promotes it as an \u201call-in-one solution\u201d for documents, yet harbors malicious code.\u200b<\/p>\n

\u26a0\ufe0fThreatLabz has identified another malicious Android app in the Google Play Store that is still currently live with over 50K downloads. The app is disguised as a document reader \/ file manager, but actually downloads the Anatsa trojan. The IOCs below can be used to identify this\u2026 pic.twitter.com\/XlhXvgv5Ko<\/a><\/p>\n

\u2014 Zscaler ThreatLabz (@Threatlabz) December 8, 2025<\/a><\/p>\n

This app joins dozens of similar decoys, with ThreatLabz reporting 77 malicious apps totaling 19 million installs recently removed from Google Play. Anatsa campaigns frequently use productivity apps like document viewers, exploiting trust in utility tools.\u200b<\/p>\n

Users face risks of stolen banking credentials via fake logins or automated fraud, especially in North America, where prior strains ranked high in \u201cFree Tools\u201d sections. Google has bolstered Play Protect, but timely researcher reports remain crucial.<\/p>\n

Android owners should scrutinize app permissions, avoid unsolicited updates, and use antivirus scanners<\/a>. Security teams can leverage these IOCs for network monitoring and device forensics.\u200b<\/p>\n

Campaign Indicators<\/p>\n

IndicatorValuePackage Namecom.quantumrealm.nexdev.quarkfilerealm_filedoctool G7qS0W6bMAEE2v4.jpg\u200bInstaller MD598af36a2ef0b8f87076d1ff2f7dc9585Payload MD5da5e24b1a97faeacf7fb97dbb3a585afDownload URLhttps:\/\/quantumfilebreak[.]com\/txt.txtC2 Servershttp:\/\/185.215.113[.]108:85\/api\/
http:\/\/193.24.123[.]18:85\/api\/
http:\/\/162.252.173[.]37:85\/api\/ \u200b<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/p>\n


\n\"googlenews\"\/<\/a>