A seemingly harmless utility on the Google Play Store, titled Document Viewer – File Reader, has been found distributing the sophisticated Anatsa banking Trojan to Android users. Security firm ThreatFabric discovered that the app initially operated as a normal file viewer before receiving a delayed update containing malicious code. This staged approach helped the app bypass Google Play’s security screening and accumulate more than 50,000 installations, with some estimates suggesting the number climbed close to 90,000.
Google has since removed the app and banned the associated developer account, but the campaign underscores the persistence and evolution of banking malware hiding inside official app marketplaces.
Key Takeaways
- Malicious App: Document Viewer – File Reader was used as a dropper for the Anatsa Trojan.
- Scale of Impact: More than 50,000 confirmed downloads.
- Malware: Anatsa (also known as TeaBot or Toddler) steals banking credentials and can execute fraudulent transactions.
- Attack Method: The app behaved normally at first, then delivered malware disguised as a fake “PDF update.”
- Target Region: Primarily banking customers in the United States and Canada.
- Mitigation: Google removed the app and Play Protect now blocks known Anatsa variants.
The Threat Posed by Anatsa
Anatsa is one of the most advanced Android banking Trojans active today, operating since at least 2020. It is designed to infiltrate financial apps, harvest credentials, and automate unauthorized transactions.
The malware relies heavily on overlay attacks, where a fake login screen is displayed on top of a legitimate banking app. The user unknowingly enters sensitive information, which is immediately forwarded to attackers.
Once the malware gains access to Android Accessibility Services, it obtains near-complete control over the device, enabling:
- Keylogging
- Screen monitoring
- Automatic transaction execution
- Interception of multi-factor authentication prompts
ThreatFabric notes that Anatsa can initiate fraudulent transfers in real time without requiring the victim to perform any action beyond granting permissions.
How the Attack Unfolded
- Benign Initial Submission
The attacker uploaded a fully functional and harmless document viewer to the Google Play Store. It performed as advertised, drawing no suspicion and passing automated security checks.
- Rapid User Growth
The app climbed Play Store rankings, especially in the US Tools category, achieving over 50,000 downloads.
- Malicious Update Delivery
Approximately six weeks after publication, the developer pushed an update described as a PDF engine upgrade or text recognizer add-on. This was the actual dropper containing code to fetch and install the Anatsa payload.
- Device Takeover
Once downloaded, Anatsa requested access to Accessibility Services. Granting this permission gives the malware the capability to:
- Capture banking credentials
- Control the UI
- Approve fraudulent transactions
- Interact with other installed apps
- Evasion Measures
When victims attempted to open their banking apps, they were shown a fake Scheduled Maintenance screen to prevent them from noticing fraudulent activity or contacting their bank.
Protecting Yourself from Banking Trojans
- Check App Permissions
Document reader apps should never need Accessibility Services or broad system control.
- Validate Developers
Avoid apps from unknown or single-app developers with generic names.
- Review Recent Ratings
Look for red flags such as sudden negative reviews, unexpected behavior, or permission complaints.
- Keep Play Protect On
Google Play Protect scans apps before installation and periodically checks for harmful behavior.
- Avoid Side-loading
Install apps only from reputable sources.
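As an added example (not code from ThreatFabric or this article), a small audit script for the first item above: it parses Android's enabled_accessibility_services secure setting, read over adb from a device with USB debugging enabled, and flags any package holding accessibility access that is not on a hypothetical allow-list. The sample setting value and the com.example.docviewer package name are constructed for illustration.

```python
import subprocess

# Android secure setting; its value is a colon-separated list of enabled
# accessibility service components, e.g. "pkg/.Service:pkg2/full.cls.Name".
SETTING_KEY = "enabled_accessibility_services"

# Hypothetical allow-list: apps that legitimately need accessibility access
# on this device (TalkBack here; extend with the device's assistive/MDM apps).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Return (package, service_class) pairs from the raw setting string."""
    value = (setting_value or "").strip()
    if not value or value == "null":  # 'settings get' prints 'null' when unset
        return []
    pairs = []
    for component in value.split(":"):
        if "/" not in component:
            continue
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):  # flattened short form: pkg/.Class
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def flag_unexpected(setting_value: str, allowlist=ALLOWLIST) -> list[str]:
    """Packages holding accessibility access that are not on the allow-list."""
    return sorted({pkg for pkg, _ in parse_enabled_services(setting_value)
                   if pkg not in allowlist})


def read_setting_via_adb() -> str:
    """Read the live value from an attached device (requires adb on PATH)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", SETTING_KEY],
        capture_output=True, text=True, check=True)
    return out.stdout

# Constructed sample: TalkBack plus a document-reader package (placeholder
# name) that has no business holding accessibility access.
SAMPLE = ("com.google.android.marvin.talkback/.TalkBackService:"
          "com.example.docviewer/com.example.docviewer.svc.HelperService")

if __name__ == "__main__":
    try:
        value = read_setting_via_adb()
    except (OSError, subprocess.CalledProcessError):
        value = SAMPLE  # no device attached: fall back to the constructed sample
    for pkg in flag_unexpected(value):
        print(f"REVIEW: {pkg} has accessibility access enabled")
```

Any package the script reports that is not an assistive-technology or device-management app deserves a closer look, starting with where it was installed from and when it last updated.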
Related FAQs
Q1: What is a banking Trojan?
A1: A banking Trojan is malicious software engineered to steal financial login data, payment card details, and account information. Attackers commonly use overlay screens, keylogging, and device control to compromise banking apps.
Q2: Why do hackers abuse Android Accessibility Services?
A2: Accessibility Services offer capabilities like reading screen content and interacting with other apps. Once granted, malware gains near-total device control, allowing credential theft and automated fraudulent transactions.
Q3: How does the dropper method work?
A3: Attackers publish a clean app to gain user trust and pass security checks. After the user base grows, an update delivers the real malicious payload. This delayed attack helps malware evade detection mechanisms such as Google Play Protect.