Malicious App on Google Play Infects 50,000+ Devices with Anatsa Banking Trojan

A deceptive Android application, masquerading as a document reader and file manager, has been identified on the Google Play Store, infecting over 50,000 devices with the Anatsa banking trojan. This discovery underscores the persistent challenges in securing official app stores against sophisticated malware threats.

Discovery and Impact

Cybersecurity firm Zscaler ThreatLabz uncovered the malicious app named Document Reader – File Manager, developed by ISTOQMAH. Despite its seemingly legitimate functionality, the app clandestinely installs the Anatsa malware, compromising users’ financial data. This incident highlights the ongoing struggle to maintain the integrity of app stores against evolving cyber threats.

Anatsa Malware: A Persistent Threat

Anatsa, also known as TeaBot, first emerged in 2020 as an Android banking malware specializing in credential theft, keylogging, and executing fraudulent transactions against financial applications. Recent variants have expanded their targeting to over 831 financial institutions worldwide, in regions including Germany and South Korea, as well as cryptocurrency platforms.

The malware employs advanced evasion techniques, such as runtime DES decryption of strings, device model checks to avoid emulators, and the use of malformed ZIP archives to conceal DEX payloads, effectively evading static analysis tools.

Mechanism of Infection

In this instance, the dropper app presents itself as a benign tool for opening PDFs, scanning documents, and managing files, complete with an intuitive interface. Upon installation, it silently retrieves the Anatsa payload, disguised as an update, from a command-and-control server, thereby bypassing Play Store protections. If certain checks fail, the app displays a fake file manager interface to maintain its cover.

Once activated, Anatsa requests accessibility permissions to automatically grant itself dangerous privileges, such as SYSTEM_ALERT_WINDOW, READ_SMS, and full-screen intents. It then overlays phishing pages tailored to detected banking apps, effectively capturing users’ credentials.
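The permission combination described above (an accessibility service plus overlay, SMS and full-screen-intent privileges) is something a fleet or forensics team can check for directly. The script below is an added example, not code from the article or from ThreatLabz. It is a hypothetical triage helper that assumes the caller has already collected each package's granted permissions (for instance from `adb shell dumpsys package <pkg>`) and the device's `enabled_accessibility_services` secure setting (`adb shell settings get secure enabled_accessibility_services`); the permission names are real Android constants, while the sample device state and the allowlist are constructed.

```python
"""Triage installed Android packages for the accessibility + overlay + SMS
permission pattern that Anatsa abuses (added example, hypothetical helper).
Requires Python 3.9+ for the builtin generic annotations."""
from dataclasses import dataclass

# Real Android permission names (not taken from the malware sample).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
READ_SMS = "android.permission.READ_SMS"
FULL_SCREEN_INTENT = "android.permission.USE_FULL_SCREEN_INTENT"
HIGH_RISK = {OVERLAY, READ_SMS, FULL_SCREEN_INTENT}

# Packages for which this combination is expected; constructed allowlist,
# tune it per device image.
ALLOWLIST = {"com.android.systemui"}


def parse_accessibility_services(setting: str) -> set[str]:
    """Return the package names from the colon-separated
    enabled_accessibility_services value, e.g.
    'com.a/com.a.Svc:com.b/.Svc' -> {'com.a', 'com.b'}."""
    packages = set()
    for component in setting.split(":"):
        component = component.strip()
        if component:
            packages.add(component.split("/", 1)[0])
    return packages


@dataclass
class Finding:
    package: str
    risky_permissions: list[str]
    has_accessibility: bool

    @property
    def severity(self) -> str:
        # An enabled accessibility service combined with two or more of the
        # risky permissions is the pattern described in the report.
        n = len(self.risky_permissions)
        if self.has_accessibility and n >= 2:
            return "high"
        if self.has_accessibility or n >= 2:
            return "medium"
        return "low"


def triage(granted: dict[str, set[str]], accessibility_setting: str) -> list[Finding]:
    """granted maps package name -> set of granted permission names."""
    a11y_packages = parse_accessibility_services(accessibility_setting)
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for package, permissions in granted.items():
        if package in ALLOWLIST:
            continue
        risky = sorted(permissions & HIGH_RISK)
        has_a11y = package in a11y_packages
        if risky or has_a11y:
            findings.append(Finding(package, risky, has_a11y))
    findings.sort(key=lambda f: (order[f.severity], f.package))
    return findings


# Constructed sample device state; not a real capture.
SAMPLE_GRANTED = {
    "com.example.docreader": {OVERLAY, READ_SMS, FULL_SCREEN_INTENT,
                              "android.permission.INTERNET"},
    "com.example.messenger": {READ_SMS, "android.permission.INTERNET"},
    "com.example.screenreader": {"android.permission.INTERNET"},
    "com.android.systemui": {OVERLAY, FULL_SCREEN_INTENT},
}
SAMPLE_A11Y = ("com.example.docreader/com.example.docreader.A11yService:"
               "com.example.screenreader/.Reader")

if __name__ == "__main__":
    for finding in triage(SAMPLE_GRANTED, SAMPLE_A11Y):
        print(f"{finding.severity:6} {finding.package} "
              f"a11y={finding.has_accessibility} {finding.risky_permissions}")
```

A legitimate screen reader will show up as medium because it holds accessibility without the overlay/SMS powers; the point of the scoring is that the combination, not any single permission, is what separates a document reader that has gone bad from a normal utility.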

Indicators of Compromise

ThreatLabz has provided specific indicators to aid in the detection of this Anatsa campaign:

– Package Name: com.quantumrealm.nexdev.quarkfilerealm_filedoctool

– Installer MD5: 98af36a2ef0b8f87076d1ff2f7dc9585

– Payload MD5: da5e24b1a97faeacf7fb97dbb3a585af

– Download URL: https://quantumfilebreak[.]com/txt.txt

– Command and Control Servers:

  – http://185.215.113[.]108:85/api/

  – http://193.24.123[.]18:85/api/

  – http://162.252.173[.]37:85/api/

Broader Implications

This app is part of a larger trend, with ThreatLabz reporting 77 malicious apps totaling 19 million installs recently removed from Google Play. Anatsa campaigns frequently exploit productivity apps like document viewers, leveraging users’ trust in utility tools.

Users face significant risks, including stolen banking credentials through fake logins or automated fraud, especially in North America, where previous strains ranked high in Free Tools sections. While Google has enhanced Play Protect, timely reports from researchers remain crucial in combating these threats.

Recommendations for Users

Android users are advised to:

– Scrutinize app permissions carefully.

– Avoid installing unsolicited updates.

– Utilize reputable antivirus scanners.

Security teams can leverage the provided indicators for network monitoring and device forensics to detect and mitigate such threats.
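One way to put the indicators listed above to work for both network monitoring and device forensics is a small matcher that embeds them and runs over an installed-package inventory and proxy, firewall or DNS log lines. The script below is an added example, not ThreatLabz tooling: the indicator values are quoted from this report (kept defanged and refanged at runtime), while the inventory tuples, device identifiers and log line format are constructed for illustration.

```python
"""Match the Anatsa indicators from this report against a package inventory
and network log lines (added example; not ThreatLabz code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted from the report, kept in their defanged form.
PACKAGE_NAMES = {"com.quantumrealm.nexdev.quarkfilerealm_filedoctool"}
MD5S = {"98af36a2ef0b8f87076d1ff2f7dc9585",   # installer
        "da5e24b1a97faeacf7fb97dbb3a585af"}   # payload
DEFANGED_URLS = [
    "https://quantumfilebreak[.]com/txt.txt",
    "http://185.215.113[.]108:85/api/",
    "http://193.24.123[.]18:85/api/",
    "http://162.252.173[.]37:85/api/",
]


def refang(value: str) -> str:
    """Undo common defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    return re.sub(r"hxxp", "http", value.replace("[.]", "."), flags=re.IGNORECASE)


def network_indicators(defanged):
    """Return (hosts, urls): full URLs plus their hostnames/IPs without port,
    so a bare DNS query or firewall destination can also be matched."""
    hosts, urls = set(), set()
    for entry in defanged:
        clean = refang(entry)
        urls.add(clean)
        hosts.add(urlsplit(clean).hostname)
    return hosts, urls


HOSTS, URLS = network_indicators(DEFANGED_URLS)


@dataclass(frozen=True)
class Hit:
    source: str          # device id or "log"
    indicator_type: str  # package, md5, url or host
    value: str
    context: str


def scan_inventory(inventory) -> list[Hit]:
    """inventory: iterable of (device_id, package_name, apk_md5) tuples,
    e.g. exported from an MDM. Hash comparison is case-insensitive."""
    hits = []
    for device, package, md5 in inventory:
        context = f"{package} md5={md5}"
        if package in PACKAGE_NAMES:
            hits.append(Hit(device, "package", package, context))
        if md5.lower() in MD5S:
            hits.append(Hit(device, "md5", md5.lower(), context))
    return hits


# A URL, a bare hostname, or a dotted-quad IP inside a log line.
TOKEN_RE = re.compile(
    r"https?://[^\s\"']+|\b[\w.-]+\.[a-z]{2,}\b|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_logs(lines) -> list[Hit]:
    """Flag log lines whose URL or destination matches an indicator.
    Port is ignored on purpose so a host seen on another port still hits."""
    hits = []
    for line in lines:
        for token in TOKEN_RE.findall(line):
            if token.startswith("http"):
                host = urlsplit(token).hostname
                if token in URLS or (host and host in HOSTS):
                    hits.append(Hit("log", "url", token, line.strip()))
            elif token in HOSTS:
                hits.append(Hit("log", "host", token, line.strip()))
    return hits


# Constructed samples: device ids, hashes for benign apps and log lines are invented.
SAMPLE_INVENTORY = [
    ("device-01", "com.example.notes", "0123456789abcdef0123456789abcdef"),
    ("device-02", "com.quantumrealm.nexdev.quarkfilerealm_filedoctool",
     "98AF36A2EF0B8F87076D1FF2F7DC9585"),
    ("device-03", "com.example.updater", "da5e24b1a97faeacf7fb97dbb3a585af"),
]
SAMPLE_LOGS = [
    "2025-09-01T10:02:11Z proxy dev=device-02 GET https://quantumfilebreak.com/txt.txt 200",
    "2025-09-01T10:02:40Z fw dev=device-02 dst=185.215.113.108:85 proto=tcp action=allow",
    "2025-09-01T10:03:05Z dns dev=device-01 query=example.com type=A",
]

if __name__ == "__main__":
    for hit in scan_inventory(SAMPLE_INVENTORY) + scan_logs(SAMPLE_LOGS):
        print(f"[{hit.indicator_type}] {hit.source}: {hit.value}  <- {hit.context}")
```

A package-name hit without a hash hit (or the reverse, as with device-03, where a renamed package still carries the payload hash) is why both indicator types are checked independently; the network matcher is deliberately loose on ports and on bare hosts because the download URL and the C2 addresses show up differently in proxy, firewall and DNS telemetry.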