
Fake Document Reader in The Google Play Store with 100K Downloads Delivers Android Malware

Cybersecurity News · Archived Jun 25, 2026




By Tushar Subhra Dutta, June 24, 2026

A dangerous Android banking trojan is once again spreading through the Google Play Store, hiding inside what appears to be a simple document reader app. The app has already been downloaded more than 100,000 times, putting a large number of Android users at serious risk of financial theft and personal data loss.

The malware in question is Anatsa, also known as TeaBot, which first appeared in 2020. Since then it has steadily evolved into one of the more sophisticated Android banking trojans seen in the wild. It is built to steal banking credentials, log keystrokes, and carry out fraudulent transactions without the victim noticing that anything is wrong. The latest variant targets more than 831 financial institutions worldwide, including banking apps, investment platforms, and cryptocurrency services.

Researchers from Zscaler ThreatLabz, who shared their findings in a report with Cyber Security News (CSN), identified the malicious app as a dropper disguised as a file manager and document reader tool. ThreatLabz announced the find on X:

    ⚠️ ThreatLabz discovered another fake document reader in the Google Play Store with more than 100K downloads, which delivers the Anatsa Android trojan. Anatsa installer MD5 hash: f72b1a333fa28b133df6476561142d6a Payload URL: http://66.206.6[.]6:8080/disclaimer.txt Anatsa… pic.twitter.com/YWF12H5UFB
    — Zscaler ThreatLabz (@Threatlabz), June 22, 2026

According to the report, the app follows a now-familiar playbook: it looks harmless when first installed, then quietly pulls the actual Anatsa payload from a remote server in the background. Because the payload is fetched only after installation, it is absent from the app that Google's pre-publication checks inspect, which is how the dropper slips through. What makes this campaign stand out is how well the app maintains its cover.
If the malware detects that it is running inside an analysis environment, or if it cannot reach its command-and-control (C2) server, it simply shows a working file manager interface. With no visible sign of anything malicious, catching it early is hard.

Once the payload is installed and active, Anatsa asks the user for accessibility permissions. If granted, it uses that access to silently grant itself further permissions, including reading and receiving SMS messages, drawing system alert windows, and running full-screen. Together these give it what it needs to monitor everything the user does on the device.

Fake Document Reader in The Google Play Store

The app, listed on the Play Store under the package name com.westhorizont.appsforge.filehorizon_explorereaddocuments, presented itself as a legitimate file management and document reading tool. Once downloaded, the installer connects to a remote server and, if the device passes its checks, downloads the full Anatsa banking trojan payload disguised as a routine app update.

To make detection harder, the installer decrypts its strings at runtime with a dynamically generated DES key, so they are not visible to static analysis. The payload itself is hidden inside a deliberately malformed ZIP archive whose compression-method and encryption flags are invalid; most static analysis tools fail on it outright, while the dropper can still unpack it. The package name and installer hash are also rotated periodically to evade security systems that track known identifiers.

Credential Theft and Targeted Banking Overlays

Once Anatsa is fully active on a device, it watches for the user to open any banking or financial app. When it detects one, it overlays a fake login screen that mirrors the real app, so the user types their credentials straight into the malware. These overlay pages are downloaded fresh from the C2 server and tailored to whichever financial apps are found on the device.
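The malformed ZIP trick described above is easy to reproduce, and seeing it makes clear why an analysis tool that trusts the header fields gives up. The following is an added example written for this page, not code from the Zscaler report or from the Anatsa dropper. It builds a small stored ZIP around a constructed stand-in payload, overwrites the compression-method and general-purpose-flag fields with invalid values (0x1234 as the method and the "encrypted" bit are this example's choice; the report does not say which values the dropper uses), shows the stdlib zipfile parser refusing the entry, and then walks the local file headers directly to recover the bytes anyway.

```python
# Added example, not code from the Zscaler report or from the Anatsa dropper.
# A ZIP whose header fields are deliberately invalid (undefined compression
# method, "encrypted" bit set) defeats the stdlib parser, while a walker that
# ignores those fields still recovers the stored payload. The values 0x1234 and
# flag bit 0 are this example's choice; the payload bytes are constructed.
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
PAYLOAD_NAME = "update.apk"                        # name only; stand-in second stage
PAYLOAD_DATA = b"\x7fFAKE-SECOND-STAGE-BYTES" * 8  # constructed, not a real APK


def build_zip(name: str, data: bytes) -> bytes:
    """Well-formed archive with one STORED (uncompressed) entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def corrupt_zip(blob: bytes, method: int = 0x1234, flags: int = 0x0001) -> bytes:
    """Overwrite general-purpose flags and compression method in both headers.
    The entry's bytes are untouched, so a reader that knows the trick still works."""
    out = bytearray(blob)
    lf, cd = out.find(LOCAL_SIG), out.find(CENTRAL_SIG)
    if lf < 0 or cd < 0:
        raise ValueError("not a zip archive")
    struct.pack_into("<HH", out, lf + 6, flags, method)  # local header: flags @+6, method @+8
    struct.pack_into("<HH", out, cd + 8, flags, method)  # central dir:  flags @+8, method @+10
    return bytes(out)


def standard_read(blob: bytes, name: str):
    """What a tool built on the stdlib parser sees: the entry bytes, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return zf.read(name)
    except Exception:   # "password required", "method not supported", BadZipFile
        return None


def tolerant_read(blob: bytes) -> dict:
    """Walk local file headers directly. If compressed and uncompressed sizes
    agree, the data is stored, whatever the method and flag fields claim."""
    entries, pos = {}, 0
    while (pos := blob.find(LOCAL_SIG, pos)) != -1:
        (_ver, flags, method, _mtime, _mdate, crc, csize, usize,
         nlen, elen) = struct.unpack_from("<HHHHHIIIHH", blob, pos + 4)
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + elen
        data = blob[start:start + csize]
        oddities = []
        if flags & 0x0001:
            oddities.append("encryption flag set")
        if method not in (0, 8):
            oddities.append(f"undefined compression method 0x{method:04x}")
        if csize == usize:
            entries[name] = {"data": data, "oddities": oddities,
                             "crc_ok": zlib.crc32(data) == crc}
        pos = start + csize
    return entries


if __name__ == "__main__":
    good = build_zip(PAYLOAD_NAME, PAYLOAD_DATA)
    bad = corrupt_zip(good)
    print("stdlib, clean archive:    ", standard_read(good, PAYLOAD_NAME) == PAYLOAD_DATA)
    print("stdlib, corrupted archive:", standard_read(bad, PAYLOAD_NAME))
    for name, info in tolerant_read(bad).items():
        print("walker:", name, info["oddities"], "crc_ok=%s" % info["crc_ok"])
```

The triage lesson: when an archive carried by a dropper makes unzip or zipfile fail, dump the local headers before concluding the file is junk. The bytes are usually still there in stored form, and the CRC in the header lets you confirm you read them correctly.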
The trojan also runs a built-in keylogger that records everything the user types. Its C2 traffic is obfuscated with a single-byte XOR key. That is enough to defeat naive string matching on the wire, but it is not encryption: a one-byte key can be recovered by trying all 256 values against any captured message.

To stay safe, Android users should carefully review the permissions an app requests before granting them. A document reader asking for SMS access or an accessibility service is a clear red flag. It is also wise to stick to apps from verified developers, read recent user reviews before installing, and keep Google Play Protect enabled at all times.

Indicators of Compromise (IoCs)

Type         | Indicator                                                   | Description
MD5 Hash     | f72b1a333fa28b133df6476561142d6a                            | Anatsa installer MD5 hash
URL          | http://66.206.6[.]6:8080/disclaimer.txt                     | Payload delivery URL
MD5 Hash     | 61d25684e6f42e386f40ee60f5c54dca                            | Anatsa payload MD5 hash
C2 URL       | http://162.252.173[.]37:85/api                              | Anatsa C2 server
C2 URL       | http://185.215.113[.]108:85/api/                            | Anatsa C2 server
C2 URL       | http://193.24.123[.]18:85/api/                              | Anatsa C2 server
Package Name | com.westhorizont.appsforge.filehorizon_explorereaddocuments | Malicious dropper app on Google Play
MD5 Hash     | 5f85261cf55ed10e73c9b68128092e70                            | Associated Anatsa dropper sample
MD5 Hash     | 9b6e5703bb0dc0ce8aa98281d0821642                            | Associated Anatsa dropper sample
MD5 Hash     | a4973b21e77726a88aca1b57af70cc0a                            | Associated Anatsa dropper sample
MD5 Hash     | ed8ea4dc43da437f81bef8d5dc688bdb                            | Associated Anatsa dropper sample

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
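Two points from the report lend themselves to a worked check: the C2 indicators above and the single-byte XOR on C2 traffic. The script below is an added example written for this page, not the report's or the malware's code. It re-fangs the published URLs in memory, classifies captured request URLs against them and against the C2 shape the list shows (bare IP, non-standard port, "/api" path; that heuristic is this example's inference from the listed URLs, not a rule from the report), and brute-forces the XOR key of a request body by scoring each of the 256 candidates for printable text and valid JSON. The captured requests, the check-in field names and the key 0x5A are all constructed for the example; Anatsa's real message format is not published on this page.

```python
# Added example, not code from the Zscaler report or from Anatsa itself.
# Triage of captured HTTP requests: match destinations against the published
# (defanged) indicators, flag the C2 shape seen in the list, then brute-force
# the single-byte XOR key on the body. Captures and field names are invented.
import ipaddress
import json
import string
from urllib.parse import urlsplit

# Indicators exactly as published (defanged); re-fanged only in memory.
IOC_URLS = [
    "http://66.206.6[.]6:8080/disclaimer.txt",
    "http://162.252.173[.]37:85/api",
    "http://185.215.113[.]108:85/api/",
    "http://193.24.123[.]18:85/api/",
]
PRINTABLE = set(string.printable.encode())


def refang(s: str) -> str:
    return s.replace("[.]", ".").replace("hxxp://", "http://")


def ioc_endpoints(urls) -> set:
    """(host, port) pairs from the defanged IoC URLs."""
    out = set()
    for u in urls:
        p = urlsplit(refang(u))
        out.add((p.hostname, p.port))
    return out


def is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url: str, known: set) -> str:
    """'ioc_match', 'suspicious_pattern' or 'clean' for one request URL."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    if (p.hostname, port) in known:
        return "ioc_match"
    # Heuristic derived from the listed C2 URLs, not a rule from the report.
    if (is_bare_ip(p.hostname or "") and port not in (80, 443)
            and p.path.rstrip("/").endswith("/api")):
        return "suspicious_pattern"
    return "clean"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def plaintext_score(buf: bytes) -> float:
    """Fraction of printable bytes, plus 1.0 when the buffer parses as JSON."""
    if not buf:
        return 0.0
    score = sum(b in PRINTABLE for b in buf) / len(buf)
    try:
        json.loads(buf)
        score += 1.0
    except (ValueError, UnicodeDecodeError):
        pass
    return score


def recover_xor(body: bytes):
    """Try all 256 keys and return (key, plaintext) with the best score."""
    best_key, best_score, best_plain = 0, -1.0, b""
    for key in range(256):
        plain = xor_bytes(body, key)
        score = plaintext_score(plain)
        if score > best_score:
            best_key, best_score, best_plain = key, score, plain
    return best_key, best_plain


def triage(captures, known=None):
    """captures: iterable of (url, body) pairs -> list of verdict dicts."""
    known = ioc_endpoints(IOC_URLS) if known is None else known
    results = []
    for url, body in captures:
        item = {"url": url, "verdict": classify_url(url, known)}
        if item["verdict"] != "clean" and body:
            item["xor_key"], item["body"] = recover_xor(body)
        results.append(item)
    return results


# Constructed captures: an invented check-in body XORed with an invented key,
# sent to one listed C2, to an unlisted host with the same shape, and to a
# benign site. Field names are made up, not Anatsa's protocol.
FAKE_CHECKIN = json.dumps({"bot": "a1b2c3", "apps": ["com.example.bank"]}).encode()
FAKE_KEY = 0x5A
SAMPLE_CAPTURES = [
    (refang(IOC_URLS[1]), xor_bytes(FAKE_CHECKIN, FAKE_KEY)),
    ("http://198.51.100.7:85/api/", xor_bytes(FAKE_CHECKIN, FAKE_KEY)),
    ("https://play.google.com/store/apps", b""),
]
```

Run `triage(SAMPLE_CAPTURES)` to see the three verdicts; the first two come back with the recovered key and the readable check-in. The scoring deliberately rewards valid JSON over mere printability, since a wrong key on ASCII plaintext often still yields mostly printable bytes. The host/port match is exact, but the path heuristic is only a hunting lead and will flag legitimate bare-IP APIs too, so treat "suspicious_pattern" as a queue for review rather than a block decision.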