Fake Document Reader Delivers Anatsa Trojan to 10K Android Users
In a sobering reminder that official marketplaces are not infallible, a sophisticated malicious application masquerading as a legitimate document reader utility was recently detected on the Google Play Store. This wasn’t just a simple piece of adware; the application served as a delivery vehicle for Anatsa (also known as TeaBot), a potent Android banking trojan designed for high-stakes financial theft.
By the time the application was flagged and removed, it had already achieved over 10,000 installations. This significant infection window highlights a persistent challenge in mobile security: the ability of threat actors to exploit the inherent trust users place in established ecosystems like Google Play.
The Mechanics of Deception: A Multi-Stage Attack
The attack follows a classic “dropper” methodology. Rather than deploying its most damaging code immediately—which might trigger automated heuristic scanners—the initial application acted as a benign facade. Once the application was installed on a user’s device, it initiated a secondary stage, reaching out to a remote server to pull down the actual Anatsa payload.
To further evade detection and bypass basic network monitoring, the attackers utilized deceptive naming conventions. The payload was hosted under a filename titled privacy.txt, a tactic designed to blend in with standard web traffic.
Technical Indicators (IOCs)
For security researchers and SOC analysts, the following indicators are critical for identifying compromised environments:
- Installer SHA256:
5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20 - Malicious Payload URL:
http://23.251.108[.]10:8080/privacy.txt - Payload SHA256:
88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f - Command & Control (C2) Endpoints:
http://172.86.91[.]94/api/http://193.24.123[.]18:85/api/http://162.252.173[.]37:85/api/
Anatsa’s Lethal Capability Set
Anatsa is not a “smash and grab” malware; it is a highly surgical tool designed to compromise the integrity of mobile banking. Once a device is under its control, it leverages several advanced techniques:
- Overlay Attacks: The malware injects fake login screens over legitimate banking applications, tricking users into entering their credentials directly into the attacker’s hands.
- Accessibility Service Abuse: This is a critical escalation vector. By tricking users into enabling Accessibility Services, Anatsa can “read” the screen, simulate user clicks, and interact with other apps without user intervention.
- Data Exfiltration: Through keylogging and real-time screen captures, the attackers harvest sensitive data.
- SMS Interception: To bypass Multi-Factor Authentication (MFA), the trojan intercepts SMS messages, allowing attackers to steal One-Time Passwords (OTPs) and authorize fraudulent transactions.
The Evolving Threat Landscape & Defense Strategies
This incident underscores a broader trend in mobile malware: the shift toward dynamic payload loading. By separating the “wrapper” (the app in the store) from the “payload” (the actual malware), attackers can pass initial automated security scans that look for known malicious patterns, only deploying the threat once the app is safely on a victim’s device.
While Google Play Protect remains a vital line of defense, it is not a silver bullet. Security must be treated as a layered approach involving both systemic solutions and user vigilance.
Recommended Security Posture
- Practice Developer Skepticism: Be wary of utility apps (document readers, calculators, cleaners) from developers with little history or vague credentials.
- Audit Permissions Rigorously: If a simple document reader requests “Accessibility Services” or “SMS Access,” it is a major red flag. Deny these requests and uninstall the app.
- Deploy Mobile Threat Defense (MTD): For organizations, implementing MTD solutions that look for behavioral anomalies (rather than just static signatures) is essential.
- Maintain Hygiene: Ensure your OS and security patches are up to date to close known vulnerabilities that malware might exploit for privilege escalation.