A Google Play App with Over 50,000 Downloads Found Distributing the Anatsa Banking Trojan

Even the official Google Play Store can sometimes fall victim to cybercriminals’ tactics. Experts from Zscaler ThreatLabz recently discovered that an app called “Document Reader – File Manager”, which had been downloaded more than 50,000 times, was actually distributing the dangerous Anatsa (TeaBot) banking trojan.

A seemingly harmless document reader

The app presented itself as a convenient tool for reading PDFs, scanning documents, and managing files. Its interface looked completely ordinary, raising no suspicion among users.
However, once installed, the app silently downloaded a malicious payload in the background, disguised as an “update”. Because the malicious code was fetched after installation rather than shipped inside the APK submitted to the store, this staged delivery bypassed Google Play’s protection mechanisms.

If the malicious file failed to download, the app continued functioning as a normal document reader, keeping the user unaware of any malicious activity.

Anatsa — a dangerous trojan that steals banking data

Active since 2020, the Anatsa trojan has posed significant risks to Android users. Its capabilities include:

  • stealing login credentials from banking apps
  • reading verification codes received via SMS
  • monitoring on-screen activity
  • performing fraudulent transactions on behalf of the victim
  • displaying fake windows mimicking banking apps to steal information

Recent versions have expanded their targeting scope to more than 800 banks and financial institutions worldwide, including cryptocurrency services.

Dangerous permissions increased the threat

The app requested several high-risk permissions from users:

  • Accessibility Service – for automated control
  • Read SMS – to capture banking verification codes
  • Draw over other apps – to display fake screens over real banking applications

These permissions allowed Anatsa to easily steal sensitive information entered into banking apps.

The rise of malicious apps on Google Play

This case is not isolated. ThreatLabz recently reported the removal of 77 malicious apps from Google Play, which collectively accumulated over 19 million downloads.
Most of these harmful apps disguise themselves under names like “document reader,” “file manager,” “phone booster,” and other seemingly useful utilities.

Indicators of Compromise (IOCs)

  • Package name: com.quantumrealm.nexdev.quarkfilerealm_filedoctool
  • Installer MD5: 98af36a2ef0b8f87076d1ff2f7dc9585
  • Payload MD5: da5e24b1a97faeacf7fb97dbb3a585af
  • Download URL: quantumfilebreak[.]com/txt.txt
  • C2 servers:
    • 185.215.113[.]108:85/api/
    • 193.24.123[.]18:85/api/
    • 162.252.173[.]37:85/api/
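
As an added illustration, not code from the ThreatLabz report, the following Python triage script flags the three-permission profile described above (Accessibility Service, Read SMS, Draw over other apps) in an APK manifest and checks the package name and file hash against the IOCs listed here; the sample manifest is constructed for the example and is not the real app’s.

```python
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# IOCs taken from the report above (package name and installer/payload MD5s).
IOC_PACKAGES = {"com.quantumrealm.nexdev.quarkfilerealm_filedoctool"}
IOC_MD5S = {"98af36a2ef0b8f87076d1ff2f7dc9585", "da5e24b1a97faeacf7fb97dbb3a585af"}

# The three high-risk capabilities the report lists, mapped to manifest permissions.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "Read SMS",
    "android.permission.SYSTEM_ALERT_WINDOW": "Draw over other apps",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility Service",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return the risky permissions declared and whether the package is a known IOC."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in RISKY_PERMISSIONS:
            found.add(RISKY_PERMISSIONS[name])
    # Accessibility is bound to a <service> via android:permission, not <uses-permission>.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            found.add("Accessibility Service")
    return {
        "package": package,
        "risky_permissions": sorted(found),
        "known_ioc_package": package in IOC_PACKAGES,
        # All three together is the overlay + SMS-capture + automation profile described above.
        "anatsa_like_profile": len(found) == len(RISKY_PERMISSIONS),
    }

def matches_ioc_hash(apk_bytes: bytes) -> bool:
    """MD5 the file bytes and compare against the report's installer/payload hashes."""
    return hashlib.md5(apk_bytes).hexdigest() in IOC_MD5S

# Constructed sample manifest (not the real app's), using the reported package name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.quantumrealm.nexdev.quarkfilerealm_filedoctool">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

On a real device the manifest can be pulled with `adb pull` of the APK followed by `aapt dump xmltree`; the script only needs the decoded XML text.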

Important recommendations for users

  • Check app reviews and developer information before installing.
  • Carefully review the permissions requested by the app.
  • Be cautious if the app prompts unexpected “updates” inside the interface.
  • Use mobile antivirus solutions.
  • Do not trust pop-up screens that appear over your banking apps.
  • Keep Google Play Protect enabled at all times.