Beware! Malicious Document Reader App in Google Play Installs Anatsa Malware – Delete it Now

A dangerous app on the Google Play Store recently shocked users and security experts. The app was named “Document Reader – File Manager” and appeared to be a simple tool for opening files and managing documents. However, security researchers later discovered that the malicious document reader app was secretly installing Anatsa malware, also known as the TeaBot banking trojan. The app had more than 50,000 downloads, which means thousands of users were exposed before the issue was highlighted.
This malicious app was spotted by researchers at Zscaler ThreatLabz. They found that the app asked users for permissions that were not necessary for normal document reading. Once installed, the app connected to a remote server and downloaded harmful files in the background. The malware then tried to get special permissions that allow it to read sensitive information on the phone.
Anatsa is not a new threat. It first appeared in 2020 and has spread to many regions since then. Its main goal is to steal banking details from users. It does this by watching how users type, recording login information, and showing fake screens that look like real banking apps. Once users enter their details, the attackers can access accounts and even perform fraudulent transfers.
Researchers say newer versions of Anatsa target more than 800 financial institutions across the world. Victims from places like Germany, South Korea, and other regions have been affected. The malware has also expanded to target cryptocurrency apps, making the threat even wider.
One reason the malware spread so easily is that the fake app looked legitimate. It had a simple design and basic features, such as opening PDFs or browsing files. But behind the interface, the app downloaded a hidden payload. If everything worked correctly, it turned into a fully active malware tool. If something failed, it showed a working file manager to avoid suspicion.
Once active, Anatsa requested special permissions through Android's accessibility services. These permissions allow apps to read text that appears on the screen and even control parts of the phone. With these permissions, attackers could insert fake screens on top of real banking apps, tricking users into entering passwords and other financial details.
This incident shows that even official app stores can host harmful apps. Google has taken action to remove many dangerous apps in the past. Reports show that more than 70 malicious apps with millions of downloads were removed recently. However, attackers still manage to slip through by disguising harmful code inside useful-looking tools.
Android users should remain alert. It is important to review app permissions, avoid apps with limited information, and check developer profiles. Using security apps and updating phones regularly can also reduce risks.
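
The permission review described above can be scripted for a device or a fleet. The following is an added example, not code from Zscaler ThreatLabz or from the original article: it parses the value Android returns for `settings get secure enabled_accessibility_services` and flags apps that hold an accessibility service outside an allowlist. The allowlist, the choice of "risky" permissions, and the sample packages are assumptions made for illustration.

```python
# Added example: audit which apps hold an enabled accessibility service.
# Assumption: TRUSTED is an allowlist you maintain (TalkBack shown as a typical entry).
TRUSTED = {"com.google.android.marvin.talkback"}

# Assumption: permissions treated as aggravating when combined with accessibility access.
RISKY = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # may prompt to install a downloaded APK
    "android.permission.SYSTEM_ALERT_WINDOW",       # may draw over other apps
}

def accessibility_packages(setting_value):
    """Parse `settings get secure enabled_accessibility_services` output.

    The value is a colon-separated list of 'package/ServiceClass' components;
    it is empty or the literal string 'null' when no service is enabled.
    """
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def audit(setting_value, requested_permissions, trusted=TRUSTED):
    """Return (package, severity, risky_permissions) for each non-allowlisted app."""
    findings = []
    for pkg in sorted(accessibility_packages(setting_value) - set(trusted)):
        extra = sorted(RISKY & set(requested_permissions.get(pkg, ())))
        findings.append((pkg, "high" if extra else "review", extra))
    return findings

# Constructed sample data (hypothetical packages, not indicators from the article).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.docreader/com.example.docreader.HelperService:"
    "com.example.notes/.ReadAloudService"
)
SAMPLE_PERMS = {
    "com.example.docreader": [
        "android.permission.INTERNET",
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.SYSTEM_ALERT_WINDOW",
    ],
    "com.example.notes": ["android.permission.INTERNET"],
}

if __name__ == "__main__":
    for pkg, severity, perms in audit(SAMPLE_SETTING, SAMPLE_PERMS):
        print(f"{severity:6} {pkg} {', '.join(perms) or '-'}")
```

A "review" result is not a verdict: it only means an app outside the allowlist has screen-reading access and a person should confirm that the app's purpose justifies it.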
Security experts advise organizations and users to look out for suspicious activity, including banking alerts, unknown logins, or sudden screen overlays. Staying aware is one of the best ways to stay protected.
This case proves that cybercriminals continue to target mobile devices, and simple apps are often used as a trap. Awareness and careful app selection can help users stay safe from threats like Anatsa.