A dangerous Android banking trojan is once again spreading through the Google Play Store, hiding inside what appears to be a simple document reader app.
The app has already been downloaded more than 100,000 times, putting a large number of Android users at serious risk of financial theft and personal data loss.
The malware in question is Anatsa, also known as TeaBot, which first appeared in 2020. Since its early days, it has steadily evolved into one of the more sophisticated Android banking threats discovered in the wild.
It is built to steal banking credentials, log keystrokes, and carry out fraudulent transactions, all without the victim ever realizing anything is wrong.
The latest variant has expanded its reach to target more than 831 financial institutions across the globe, including banking apps, investment platforms, and cryptocurrency services.
Researchers from Zscaler ThreatLabz, who shared their findings in a report with Cyber Security News (CSN), identified the malicious app as a dropper disguised as a file manager and document reader tool.
According to the report, the app follows a now-familiar playbook: it appears completely harmless when first installed, then quietly pulls down the actual Anatsa payload from a remote server in the background.
This method helps it slip past the security checks Google performs on apps before they ever go live in the Play Store.
What makes this campaign stand out in particular is how well the app maintains its cover.
If the malware detects it is running inside an analysis environment, or if it cannot reach its command-and-control server, it simply shows a working file manager interface to the user.
There is no obvious sign that anything malicious is happening, which is exactly what makes it so difficult to catch early.
Once the payload is fully installed and active, Anatsa requests accessibility permissions from the user.
If granted, the malware quietly enables a wide range of additional permissions, including the ability to read and receive SMS messages, display system alerts, and run in full-screen mode.
These permissions give it the access it needs to silently monitor everything the user does on their device.
Fake Document Reader in the Google Play Store
The app listed on the Play Store under the package name com.westhorizont.appsforge.filehorizon_explorereaddocuments presented itself as a legitimate file management and document reading tool.
Once downloaded, the installer connects to a remote server and, if the device passes its checks, downloads the full Anatsa banking trojan payload disguised as a routine app update.
To make detection even harder, the installer uses runtime string decryption powered by a dynamically generated DES key.
The payload is hidden inside a corrupted ZIP archive with invalid compression and encryption flags, which causes most static analysis tools to fail completely.
The package name and installation hash are also rotated periodically to avoid being flagged by security systems that track known identifiers.
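The corrupted-archive trick described above leaves traces in the ZIP headers themselves, and a defender can walk those headers without trusting the archive's own index. The following is an added example, not code from the article or from Zscaler: it finds every local file header and central directory entry by signature, reports encryption bits, reserved flag bits and unassigned compression methods, and contrasts that with Python's zipfile module (standing in here for a naive static tool), which refuses the tampered archive outright. The sample archive and the tampering applied to it are constructed for the example.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry signature
FLAG_ENCRYPTED = 0x0001
# General-purpose bits the ZIP spec leaves unused or reserved (7-10, 12, 14, 15).
FLAG_RESERVED = 0x0780 | 0x1000 | 0xC000
# Compression methods legitimate tooling actually emits: stored, deflate,
# deflate64, bzip2, lzma, zstd, xz, ppmd and the AES marker method.
KNOWN_METHODS = {0, 8, 9, 12, 14, 93, 95, 98, 99}


def iter_headers(data: bytes):
    """Yield (kind, flag_offset, name) for every local and central header found
    by scanning for signatures, so a deliberately broken archive is still walked.
    (File data containing a signature by chance would add a spurious hit.)"""
    pos = 0
    while True:
        hits = [p for p in (data.find(LOCAL_SIG, pos), data.find(CENTRAL_SIG, pos)) if p != -1]
        if not hits:
            return
        off = min(hits)
        if data[off:off + 4] == LOCAL_SIG:
            # sig(4) version(2) flags(2) method(2) ... name_len at +26, name at +30
            kind, flag_off, nlen_off, name_off = "local", off + 6, off + 26, off + 30
        else:
            # sig(4) made_by(2) needed(2) flags(2) method(2) ... name_len at +28, name at +46
            kind, flag_off, nlen_off, name_off = "central", off + 8, off + 28, off + 46
        (nlen,) = struct.unpack_from("<H", data, nlen_off)
        name = data[name_off:name_off + nlen].decode("utf-8", "replace")
        yield kind, flag_off, name
        pos = off + 4


def scan_zip_headers(data: bytes) -> list:
    """Return (kind, name, issue) triples for header fields that a strict parser
    would choke on: encryption bit set, reserved bits set, unknown method."""
    findings = []
    for kind, flag_off, name in iter_headers(data):
        flags, method = struct.unpack_from("<HH", data, flag_off)  # flags then method are adjacent
        if flags & FLAG_ENCRYPTED:
            findings.append((kind, name, "encryption flag set"))
        if flags & FLAG_RESERVED:
            findings.append((kind, name, "reserved flag bits set"))
        if method not in KNOWN_METHODS:
            findings.append((kind, name, "unknown compression method 0x%04x" % method))
    return findings


def try_extract(data: bytes, member: str):
    """Behave like a naive static tool: return the member's bytes, or None when
    the standard library refuses the archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(member)
    except Exception:
        return None


def build_clean_zip() -> bytes:
    """Constructed sample: a single deflated member standing in for an APK payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"constructed placeholder payload " * 4)
    return buf.getvalue()


def tamper(data: bytes) -> bytes:
    """Constructed tampering: set the encryption bit and an unassigned compression
    method in both header copies, modelling the corrupted-ZIP trick."""
    out = bytearray(data)
    for _kind, flag_off, _name in iter_headers(data):
        (flags,) = struct.unpack_from("<H", data, flag_off)
        struct.pack_into("<HH", out, flag_off, flags | FLAG_ENCRYPTED, 0x0077)
    return bytes(out)


if __name__ == "__main__":
    clean = build_clean_zip()
    broken = tamper(clean)
    print("clean findings:", scan_zip_headers(clean))
    print("clean extract ok:", try_extract(clean, "payload.bin") is not None)
    print("broken findings:", scan_zip_headers(broken))
    print("broken extract ok:", try_extract(broken, "payload.bin") is not None)
```

The point of scanning by signature rather than via the central directory is that the scanner keeps producing findings on exactly the archives that make library-based tools give up; an archive whose headers claim encryption or an unassigned method, yet is delivered as a routine "update", is itself a detection signal.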
Credential Theft and Targeted Banking Overlays
Once Anatsa is fully active on a device, it begins watching for the user to open any banking or financial app.
When it detects one, it overlays a fake login screen that mirrors the real app, tricking the user into entering their credentials directly into the malware.
These fake pages are downloaded fresh from the C2 server and are tailored to whichever financial app is found on the device.
The trojan also runs a built-in keylogger that records everything the user types, and it encrypts all communication with its C2 server using a single-byte XOR key to keep its traffic well hidden from network monitoring tools.
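Single-byte XOR is cheap to undo during incident response: there are only 256 keys, and the right one turns a captured C2 body back into readable text. The following is an added example, not code from the article or from Zscaler, and the beacon body, its field names and the key 0x5A are all constructed. It ranks every candidate key by how printable the output is, then validates structure by requiring the plaintext to parse as a JSON object, because for short messages several keys (for instance the true key XOR 0x01) also yield fully printable output and the top hit alone cannot be trusted.

```python
import json
import string

PRINTABLE = frozenset(string.printable.encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def printable_ratio(blob: bytes) -> float:
    """Fraction of bytes that are printable ASCII (including whitespace)."""
    return sum(b in PRINTABLE for b in blob) / len(blob) if blob else 0.0


def rank_xor_keys(ciphertext: bytes, threshold: float = 0.98) -> list:
    """Try all 256 keys and return [(key, ratio)] for candidates whose output is
    mostly printable, best ratio first. Several keys usually pass for short
    text, so callers must validate structure rather than trust the first entry."""
    candidates = []
    for key in range(256):
        ratio = printable_ratio(xor_bytes(ciphertext, key))
        if ratio >= threshold:
            candidates.append((key, ratio))
    candidates.sort(key=lambda kr: (-kr[1], kr[0]))
    return candidates


def decode_json_beacon(ciphertext: bytes):
    """Return (key, parsed_object) for the first candidate key whose plaintext
    parses as a JSON object, or None if no key produces one. A result with
    key 0 means the body was not XOR-encoded at all."""
    for key, _ratio in rank_xor_keys(ciphertext):
        try:
            obj = json.loads(xor_bytes(ciphertext, key).decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            continue
        if isinstance(obj, dict):
            return key, obj
    return None


# Constructed sample beacon: not real Anatsa traffic, and the field names are invented.
SAMPLE_KEY = 0x5A
SAMPLE_BEACON = {"device": "CONSTRUCTED-ID-0001", "installed": ["com.example.bank"], "ver": 1}
SAMPLE_CIPHERTEXT = xor_bytes(json.dumps(SAMPLE_BEACON).encode("ascii"), SAMPLE_KEY)

if __name__ == "__main__":
    print("plausible keys:", [hex(k) for k, _ in rank_xor_keys(SAMPLE_CIPHERTEXT)])
    print("decoded beacon:", decode_json_beacon(SAMPLE_CIPHERTEXT))
```

The same approach works on any captured request or response body; if the protocol is not JSON, swap the `json.loads` check for whatever structure the traffic is expected to have (a fixed header, key=value pairs, a length prefix), keeping the two-stage design of cheap ranking followed by strict validation.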
To stay safe, Android users should carefully review the permissions any app requests before granting them. If a document reader is asking for access to SMS messages or accessibility settings, that is a clear red flag.
It is also wise to stick to apps from verified developers, read recent user reviews before installing, and keep Google Play Protect enabled at all times on the device.
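The permission pattern described above (accessibility service plus SMS, overlay and full-screen capabilities) and the advice to review what a document reader asks for can both be turned into a static triage step over a decoded AndroidManifest.xml, such as the output of apktool. The following is an added example, not code from the article or from any vendor: the permission and service names are standard Android ones, but the red-flag policy and the sample manifest are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed policy: capabilities a file manager or document reader has no
# business requesting. The permission names are real Android permissions.
RED_FLAGS = {
    "android.permission.READ_SMS": "read stored SMS (one-time passcodes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay screens)",
    "android.permission.USE_FULL_SCREEN_INTENT": "show full-screen intents",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install additional packages (dropper behaviour)",
}


def triage_manifest(xml_text: str) -> list:
    """Return (category, name, reason) findings for a decoded manifest:
    red-flag permissions and any service bound as an accessibility service."""
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(NAME_ATTR, "")
        if name in RED_FLAGS:
            findings.append(("permission", name, RED_FLAGS[name]))
    for svc in root.iter("service"):
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_PERM:
            findings.append(("accessibility-service", svc.get(NAME_ATTR, "?"),
                             "declares an accessibility service"))
    return findings


# Constructed manifest resembling a payload APK that poses as a document reader.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.reader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a reader that asks only for network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.plainreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for category, name, reason in triage_manifest(SUSPICIOUS_MANIFEST):
        print("%-22s %-55s %s" % (category, name, reason))
    print("benign findings:", triage_manifest(BENIGN_MANIFEST))
```

Run this against the payload the dropper fetches, not only against the Play Store app: the article's whole point is that the dropper's own manifest looks clean, and the sensitive requests arrive with the downloaded payload and through runtime prompts the accessibility service then approves. A REQUEST_INSTALL_PACKAGES finding on a "document reader" is the one static hint the dropper itself may give.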
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| MD5 Hash | f72b1a333fa28b133df6476561142d6a | Anatsa installer MD5 hash |
| URL | http://66.206.6[.]6:8080/disclaimer.txt | Payload delivery URL |
| MD5 Hash | 61d25684e6f42e386f40ee60f5c54dca | Anatsa payload MD5 hash |
| C2 URL | http://162.252.173[.]37:85/api | Anatsa C2 server |
| C2 URL | http://185.215.113[.]108:85/api/ | Anatsa C2 server |
| C2 URL | http://193.24.123[.]18:85/api/ | Anatsa C2 server |
| Package Name | com.westhorizont.appsforge.filehorizon_explorereaddocuments | Malicious dropper app on Google Play |
| MD5 Hash | 5f85261cf55ed10e73c9b68128092e70 | Associated Anatsa dropper sample |
| MD5 Hash | 9b6e5703bb0dc0ce8aa98281d0821642 | Associated Anatsa dropper sample |
| MD5 Hash | a4973b21e77726a88aca1b57af70cc0a | Associated Anatsa dropper sample |
| MD5 Hash | ed8ea4dc43da437f81bef8d5dc688bdb | Associated Anatsa dropper sample |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.