Fake Document Reader in The Google Play Store with 100K Downloads Deliver Android Malware
By Tushar Subhra Dutta
June 24, 2026
A dangerous Android banking trojan is once again spreading through the Google Play Store, hiding inside what appears to be a simple document reader app.
The app has already been downloaded more than 100,000 times, putting a large number of Android users at serious risk of financial theft and personal data loss.
The malware in question is Anatsa, also known as TeaBot, which first appeared in 2020. Since its early days, it has steadily evolved into one of the more sophisticated Android banking threats discovered in the wild.
It is built to steal banking credentials, log keystrokes, and carry out fraudulent transactions, all without the victim ever realizing anything is wrong.
The latest variant has expanded its reach to target more than 831 financial institutions across the globe, including banking apps, investment platforms, and cryptocurrency services.
Researchers from Zscaler ThreatLabz, who shared their findings in a report with Cyber Security News (CSN), identified the malicious app as a dropper disguised as a file manager and document reader tool.
⚠️ ThreatLabz discovered another fake document reader in the Google Play Store with more than 100K downloads, which delivers the Anatsa Android trojan.
Anatsa installer MD5 hash: f72b1a333fa28b133df6476561142d6a
Payload URL: http://66.206.6[.]6:8080/disclaimer.txt
Anatsa… pic.twitter.com/YWF12H5UFB
— Zscaler ThreatLabz (@Threatlabz) June 22, 2026
According to the report, the app follows a now-familiar playbook: it appears completely harmless when first installed, then quietly pulls down the actual Anatsa payload from a remote server in the background.
This method helps it slip past the security checks Google performs on apps before they ever go live in the Play Store.
What makes this campaign stand out is how well the app maintains its cover.
If the malware detects it is running inside an analysis environment, or if it cannot reach its command-and-control server, it simply shows a working file manager interface to the user.
There is no obvious sign that anything malicious is happening, which is exactly what makes it so difficult to catch early.
Once the payload is fully installed and active, Anatsa requests accessibility permissions from the user.
If granted, the malware quietly enables a wide range of additional permissions, including the ability to read and receive SMS messages, display system alerts, and run in full-screen mode.
These permissions give it the access it needs to silently monitor everything the user does on their device.
Fake Document Reader in The Google Play Store
The app listed on the Play Store under the package name com.westhorizont.appsforge.filehorizon_explorereaddocuments presented itself as a legitimate file management and document reading tool.
Once downloaded, the installer connects to a remote server and, if the device passes its checks, downloads the full Anatsa banking trojan payload disguised as a routine app update.
To make detection even harder, the installer uses runtime string decryption powered by a dynamically generated DES key.
The payload is hidden inside a corrupted ZIP archive with invalid compression and encryption flags, which causes most static analysis tools to fail completely.
The package name and installation hash are also rotated periodically to avoid being flagged by security systems that track known identifiers.
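As an added illustration (not code from Zscaler or the article), the check below carves ZIP local file headers and flags the invalid compression-method and encryption-flag combinations the article says break static tools; the fixtures are constructed, and the set of known methods and the triage rule are this example's assumptions:

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"  # 30-byte fixed part of a local file header
# Compression methods from the ZIP APPNOTE that common readers support
KNOWN_METHODS = {0, 8, 9, 12, 14, 93, 95, 98, 99}
FLAG_ENCRYPTED, FLAG_STRONG_ENC = 0x0001, 0x0040

def scan_local_headers(data: bytes) -> list:
    # Carve headers by signature rather than walking the central directory, so
    # the scan still works when sizes, offsets or the directory are damaged.
    findings = []
    pos = data.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(data):
        (_, _, flags, method, _, _, _, _, _,
         name_len, _) = struct.unpack_from(LOCAL_FMT, data, pos)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        anomalies = []
        if method not in KNOWN_METHODS:
            anomalies.append("unknown compression method %d" % method)
        if flags & FLAG_ENCRYPTED:
            anomalies.append("encryption flag set")
        if flags & FLAG_STRONG_ENC:
            anomalies.append("strong-encryption flag set")
        findings.append({"offset": pos, "name": name, "method": method,
                         "flags": flags, "anomalies": anomalies})
        pos = data.find(LOCAL_SIG, pos + 4)
    return findings

def is_suspicious(data: bytes) -> bool:
    # Triage verdict: any member with an anomalous header flags the archive
    return any(f["anomalies"] for f in scan_local_headers(data))

def clean_sample() -> bytes:
    # Constructed sample: a well-formed archive written by Python's zipfile
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\0" + b"A" * 64)
    return buf.getvalue()

def malformed_sample() -> bytes:
    # Constructed sample: a single local header with an invalid method and
    # encryption flag bits, the shape the article describes (no real payload)
    name, body = b"classes.dex", b"\x00" * 16
    header = struct.pack(LOCAL_FMT, LOCAL_SIG, 20,
                         FLAG_ENCRYPTED | FLAG_STRONG_ENC, 0xFFFF, 0, 0,
                         0, len(body), len(body), len(name), 0)
    return header + name + body
```

Run `is_suspicious()` over the inner archives extracted from a dropper APK; a header-level anomaly is worth a manual look even when the archive otherwise parses.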
Credential Theft and Targeted Banking Overlays
Once Anatsa is fully active on a device, it begins watching for the user to open any banking or financial app.
When it detects one, it overlays a fake login screen that mirrors the real app, tricking the user into entering their credentials directly into the malware.
These fake pages are downloaded fresh from the C2 server and are tailored to whichever financial app is found on the device.
The trojan also runs a built-in keylogger that records everything the user types, and it encrypts all communication with its C2 server using a single-byte XOR key to keep its traffic well hidden from network monitoring tools.
To stay safe, Android users should carefully review the permissions any app requests before granting them. If a document reader is asking for access to SMS messages or accessibility settings, that is a clear red flag.
It is also wise to stick to apps from verified developers, read recent user reviews before installing, and keep Google Play Protect enabled at all times on the device.
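An added example (not from the article or any vendor tool) of the permission review the article recommends, applied to a decoded AndroidManifest.xml: it flags SMS, overlay, full-screen and install permissions and any declared accessibility service; the manifests are constructed with a placeholder package name, and the red-flag list and verdict threshold are this example's assumptions:

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

# Permissions the article names as abused once accessibility is granted, plus
# the one a dropper needs to install its "update". Descriptions are the
# example's own shorthand, not a vendor taxonomy.
RED_FLAGS = {
    "android.permission.READ_SMS": "read SMS (one-time codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlays)",
    "android.permission.USE_FULL_SCREEN_INTENT": "full-screen takeover",
    "android.permission.REQUEST_INSTALL_PACKAGES": "side-load packages",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Flag a decoded AndroidManifest.xml whose permission set does not fit a
    document reader. Heuristic thresholds are this example's assumption."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    red = {perm: why for perm, why in RED_FLAGS.items() if perm in requested}
    # An accessibility service is declared on <service>, not <uses-permission>
    a11y = [s.get(A + "name") for s in root.iter("service")
            if s.get(A + "permission") == ACCESSIBILITY]
    suspicious = (bool(a11y) and bool(red)) or len(red) >= 2
    return {"package": root.get("package"), "red_flags": red,
            "accessibility_services": a11y,
            "verdict": "suspicious" if suspicious else "ok"}

def sample_manifest(perms, with_a11y: bool, pkg="com.example.docreader") -> str:
    """Constructed manifest text (placeholder package, not the real app)."""
    uses = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    svc = ('<service android:name="%s.A11yService" '
           'android:permission="%s"/>' % (pkg, ACCESSIBILITY)) if with_a11y else ""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s<application>%s</application></manifest>'
            % (pkg, uses, svc))
```

On a real APK the manifest is binary XML and must first be decoded (for example with apktool or aapt2) before being passed to `triage_manifest()`.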
Indicators of Compromise (IoCs):
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.