A deceptive Android app lurking in the Google Play Store, disguised as a document reader and file manager, is delivering the Anatsa banking trojan to users.
Cybersecurity firm Zscaler ThreatLabz found an app named "Document Reader – File Manager" by developer ISTOQMAH. The app has amassed over 50,000 downloads while remaining live, tricking users into granting permissions that enable financial data theft.
This campaign highlights the ongoing challenge of securing legitimate app stores against sophisticated malware droppers.
Anatsa, also known as TeaBot, emerged in 2020 as Android banking malware specializing in credential theft, keylogging, and fraudulent transactions targeting financial apps.
Recent variants have expanded to target over 831 institutions worldwide, including new regions such as Germany and South Korea, plus cryptocurrency platforms.
The trojan employs advanced evasion tactics, such as runtime DES decryption of strings, device model checks to dodge emulators, and malformed ZIP archives hiding DEX payloads that evade static analysis tools.
In this instance, the dropper app poses as a benign tool for opening PDFs, scanning documents, and managing files, complete with an intuitive interface.
Upon installation, it silently fetches the Anatsa payload, disguised as an update, from a command-and-control server, bypassing Play Store protections. If its checks fail, it displays a fake file manager to maintain cover.
Once active, Anatsa seeks accessibility permissions to auto-grant dangerous privileges such as SYSTEM_ALERT_WINDOW, READ_SMS, and full-screen intents, then overlays phishing pages tailored to the banking apps it detects on the device.
ThreatLabz detailed specific indicators for this Anatsa wave, aiding detection efforts. The app's Play Store page promotes it as an "all-in-one solution" for documents, yet it harbors malicious code.
⚠️ThreatLabz has identified another malicious Android app in the Google Play Store that's still currently live with over 50K downloads. The app is disguised as a document reader / file manager, but actually downloads the Anatsa trojan. The IOCs below can be used to identify this… pic.twitter.com/XlhXvgv5Ko
— Zscaler ThreatLabz (@Threatlabz) December 8, 2025
This app joins dozens of similar decoys: ThreatLabz recently reported 77 malicious apps totaling 19 million installs removed from Google Play. Anatsa campaigns frequently use productivity apps such as document viewers, exploiting trust in utility tools.
Users face the risk of stolen banking credentials through fake logins or automated fraud, especially in North America, where prior strains ranked high in "Free Tools" sections. Google has bolstered Play Protect, but timely researcher reports remain essential.
Android owners should scrutinize app permissions, avoid unsolicited updates, and use antivirus scanners. Security teams can leverage these IOCs for network monitoring and device forensics.
Campaign Indicators
Indicator: Value
Package Name: com.quantumrealm.nexdev.quarkfilerealm_filedoctool
Installer MD5: 98af36a2ef0b8f87076d1ff2f7dc9585
Payload MD5: da5e24b1a97faeacf7fb97dbb3a585af
Download URL: https://quantumfilebreak[.]com/txt.txt
C2 Servers: http://185.215.113[.]108:85/api/, http://193.24.123[.]18:85/api/, http://162.252.173[.]37:85/api/
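As an added example of how a security team might use the indicators above for network monitoring and device forensics (not code from ThreatLabz or the article), the following script re-fangs the published URLs, matches their hosts against proxy log lines, and checks a device inventory for the package name and APK hashes. The log format, package list and hash list are constructed sample data.

```python
import re

# Indicators exactly as published above (defanged with "[.]"); sample telemetry is constructed further down.
IOC_PACKAGE = "com.quantumrealm.nexdev.quarkfilerealm_filedoctool"
IOC_MD5 = {"98af36a2ef0b8f87076d1ff2f7dc9585", "da5e24b1a97faeacf7fb97dbb3a585af"}
IOC_URLS = [
    "https://quantumfilebreak[.]com/txt.txt",
    "http://185.215.113[.]108:85/api/",
    "http://193.24.123[.]18:85/api/",
    "http://162.252.173[.]37:85/api/",
]

def refang(ioc):
    """Turn a defanged indicator back into its literal form for matching."""
    return ioc.replace("[.]", ".")

def ioc_hosts():
    """Hostname or IP of every download/C2 URL, without scheme, port or path."""
    return {re.match(r"https?://([^/:]+)", refang(u)).group(1) for u in IOC_URLS}

def scan_proxy_log(lines):
    """Return (line_no, host) for each log line whose request URL points at a known host.
    Matching is on host only, so traffic to a C2 IP on a different port is still flagged."""
    hosts = ioc_hosts()
    hits = []
    for no, line in enumerate(lines, 1):
        for url in re.findall(r"https?://\S+", line):
            host = re.match(r"https?://([^/:]+)", url).group(1)
            if host in hosts:
                hits.append((no, host))
    return hits

def scan_device_inventory(packages, apk_md5s):
    """Flag the campaign's package name and either known APK hash in a device inventory."""
    findings = ["package:" + p for p in packages if p == IOC_PACKAGE]
    findings += ["md5:" + h.lower() for h in apk_md5s if h.lower() in IOC_MD5]
    return findings

# Constructed sample telemetry (not real logs); the flagged hosts are the page's indicators re-fanged.
SAMPLE_LOG = [
    "2025-12-08T10:02:11Z 10.0.0.5 GET https://quantumfilebreak.com/txt.txt 200",
    "2025-12-08T10:02:13Z 10.0.0.5 GET https://www.example.com/index.html 200",
    "2025-12-08T10:02:20Z 10.0.0.5 POST http://185.215.113.108:85/api/ 200",
    "2025-12-08T10:03:01Z 10.0.0.7 GET http://193.24.123.18:8443/health 404",
]
SAMPLE_PACKAGES = ["com.android.chrome", IOC_PACKAGE]
SAMPLE_MD5S = ["DA5E24B1A97FAEACF7FB97DBB3A585AF", "d41d8cd98f00b204e9800998ecf8427e"]

if __name__ == "__main__":
    for no, host in scan_proxy_log(SAMPLE_LOG):
        print(f"proxy log line {no}: contact with known Anatsa infrastructure {host}")
    for finding in scan_device_inventory(SAMPLE_PACKAGES, SAMPLE_MD5S):
        print("device inventory:", finding)
```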