Fake Google Play App Delivers Anatsa Banking Trojan to Thousands of Android Users
Security researchers at ThreatLabz have exposed a malicious app on the Google Play Store that disguised itself as a legitimate document reader while secretly deploying the Anatsa banking trojan. The app, identified under the package name com.groundstation.informationcontrol.filestation_browsefiles_readdocs, amassed over 10,000 downloads before Google removed it, leaving thousands of users vulnerable to financial fraud and data theft.
The threat actors employed a "dropper" technique, a common evasion tactic that keeps malicious code hidden during Google Play’s initial security review. The app appeared benign upon download but later fetched the Anatsa payload from an external server, masquerading as a harmless text file to avoid detection.
Once installed, the trojan exploited Android’s Accessibility Services to gain elevated permissions, enabling it to monitor screen activity, log keystrokes, and interact with the device undetected. When users opened banking apps, Anatsa launched invisible overlay attacks, displaying fake login screens to harvest credentials and multi-factor authentication codes. The malware’s ability to operate from a trusted device allowed it to bypass traditional fraud detection, enabling attackers to initiate unauthorized transactions directly from compromised accounts.
ThreatLabz provided Indicators of Compromise (IoCs) for cybersecurity teams to identify and block infections, including the app’s SHA256 hash (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), payload URLs, and command-and-control (C2) servers linked to the campaign. The incident underscores the persistent risk of trojanized apps slipping through official app store defenses.
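As an added example (not code from the article or from ThreatLabz), the following Python script shows how a security team could put the two indicators quoted above to use: it sweeps a device app inventory, such as an MDM export, for the package name and the APK SHA-256. The CSV column layout and every row of the inventory are constructed for the example, and the two non-IoC hashes in it are made up; a hash match is reported as confirmed, while a package-name match with a different hash is reported as a suspect so that a re-signed or updated variant is not silently ignored.

```python
"""IoC sweep over a device app inventory (added example, not from the article)."""
import csv
import hashlib
import io
from dataclasses import dataclass
from typing import List, Optional

# Indicators quoted in the article: the dropper's package name and APK SHA-256.
IOC_PACKAGES = {
    "com.groundstation.informationcontrol.filestation_browsefiles_readdocs",
}
IOC_SHA256 = {
    "5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20",
}

# Constructed inventory export (device id, package name, APK SHA-256).
# The column layout is an assumption about an MDM export; the two hashes
# below are made up. dev-002 carries the IoC hash (in upper case, to show
# normalization); dev-003 has the IoC package name but a different hash.
FAKE_HASH_A = "a1" * 32
FAKE_HASH_B = "b2" * 32
SAMPLE_INVENTORY = (
    "device_id,package,sha256\n"
    f"dev-001,com.android.chrome,{FAKE_HASH_A}\n"
    "dev-002,com.groundstation.informationcontrol.filestation_browsefiles_readdocs,"
    "5C9B09819B196970A867B1D459F9053DA38A6A2721F21264324E0A8FFEF01E20\n"
    "dev-003,com.groundstation.informationcontrol.filestation_browsefiles_readdocs,"
    f"{FAKE_HASH_B}\n"
)


@dataclass
class Finding:
    device_id: str
    package: str
    sha256: str
    verdict: str  # "confirmed" (hash match) or "suspect" (package name only)


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (e.g. an APK already pulled from a device)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file on disk, read in chunks so large APKs fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(package: str, sha256: str) -> Optional[str]:
    """Return "confirmed", "suspect" or None for one installed package."""
    if sha256.strip().lower() in IOC_SHA256:
        return "confirmed"
    if package.strip() in IOC_PACKAGES:
        # Same package name, different (or missing) hash: possibly a
        # repackaged or updated variant, worth pulling the APK to check.
        return "suspect"
    return None


def sweep(inventory_csv: str) -> List[Finding]:
    """Scan a CSV inventory export and return every device that matches an IoC."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        sha256 = row.get("sha256") or ""
        verdict = classify(row["package"], sha256)
        if verdict is not None:
            findings.append(Finding(row["device_id"], row["package"], sha256, verdict))
    return findings


if __name__ == "__main__":
    for finding in sweep(SAMPLE_INVENTORY):
        print(f"{finding.verdict.upper():9} {finding.device_id} "
              f"{finding.package} {finding.sha256[:16]}...")
```

Running the script against the constructed inventory reports dev-002 as confirmed and dev-003 as suspect; a real run would feed it the organization's own inventory export and the full IoC list from the ThreatLabz report rather than the single hash quoted in the article.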
Source: https://cyberpress.org/anatsa-trojan-hits-android/
Android Users TPRM report: https://www.rankiteo.com/company/oversecured
{
  "id": "ove1777365206",
  "linkid": "oversecured",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "10,000+",
      "industry": "General public",
      "location": "Global",
      "name": "Google Play Store users",
      "size": "Over 10,000 downloads",
      "type": "Individuals"
    }
  ],
  "attack_vector": "Malicious app (Dropper technique)",
  "data_breach": {
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Banking credentials, MFA codes, personally identifiable information"
  },
  "description": "Security researchers at ThreatLabz have exposed a malicious app on the Google Play Store that disguised itself as a legitimate document reader while secretly deploying the Anatsa banking trojan. The app amassed over 10,000 downloads before Google removed it, leaving thousands of users vulnerable to financial fraud and data theft.",
  "impact": {
    "data_compromised": "Banking credentials, multi-factor authentication codes",
    "identity_theft_risk": "High",
    "payment_information_risk": "High",
    "systems_affected": "Android devices"
  },
  "initial_access_broker": {
    "entry_point": "Malicious Google Play app",
    "high_value_targets": "Banking app users"
  },
  "lessons_learned": "Persistent risk of trojanized apps slipping through official app store defenses; need for enhanced security reviews and user awareness.",
  "motivation": "Financial fraud, data theft",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced app review processes, user education on app security, and implementation of IoCs for detection.",
    "root_causes": "Dropper technique evaded initial security review; exploitation of Android Accessibility Services for elevated permissions."
  },
  "recommendations": "Users should avoid downloading apps from untrusted sources, enable multi-factor authentication, and monitor banking transactions for unauthorized activity. Organizations should implement Indicators of Compromise (IoCs) to detect and block infections.",
  "references": [
    {"source": "ThreatLabz"}
  ],
  "response": {
    "containment_measures": "Google removed the malicious app from the Play Store",
    "third_party_assistance": "ThreatLabz (security researchers)"
  },
  "title": "Fake Google Play App Delivers Anatsa Banking Trojan to Thousands of Android Users",
  "type": "Malware (Banking Trojan)",
  "vulnerability_exploited": "Android Accessibility Services"
}