Delete This App Now! Fake “Document Reader – File Manager” on Google Play Found Installing Anatsa Banking Malware

A dangerous Android app on the Google Play Store has alarmed both users and cybersecurity experts. The app—“Document Reader – File Manager”—appeared to be a simple tool for opening and managing files. But researchers later discovered that it secretly installed Anatsa (TeaBot), a powerful banking trojan. With over 50,000 downloads, thousands of users were exposed before the threat was uncovered.


Security Researchers Expose Malicious Document Reader App

The malicious app was flagged by Zscaler ThreatLabz. According to their analysis, the app requested permissions that a normal document reader does not need. After installation, it silently connected to a remote server and downloaded additional malware components.

Once activated, the malware attempted to obtain special Accessibility Service permissions, giving it access to sensitive information displayed on the device.

What Is Anatsa (TeaBot)? A Growing Global Mobile Banking Threat

Anatsa is not new—it first surfaced in 2020—but it has evolved into one of the most dangerous Android banking trojans. Its capabilities include:

Stealing banking login details

Recording keystrokes

Displaying fake login screens for banking and financial apps

Intercepting information to perform fraudulent transactions

Security researchers report that the latest versions of Anatsa now target over 800 financial institutions worldwide, with victims in Germany, South Korea, and several other regions. The malware has also expanded its targets to include cryptocurrency apps, widening its reach.

Why the App Looked Safe — and Fooled Thousands

One reason this malware spread so widely is its convincing disguise. The app looked simple and harmless, offering basic features such as PDF viewing and file browsing. But behind the scenes, it downloaded a hidden payload that activated the malware.

If the malware failed to install correctly, the app still functioned normally as a basic file manager—helping it avoid suspicion.

How Anatsa Steals Banking Information

Once active, Anatsa uses Accessibility permissions to:

Read on-screen text

Overlay fake screens on top of real banking apps

Capture passwords, PINs, and sensitive financial data

Control certain parts of the device without user awareness

This allows attackers to easily trick users into entering their credentials into fake interfaces designed to look identical to legitimate banking apps.

Google Play Isn’t Always Safe — Users Must Stay Alert

While Google continues to remove harmful apps—recent reports confirm over 70 malicious apps with millions of downloads have been taken down—attackers still manage to bypass security checks using sophisticated hiding techniques.

Android users should stay cautious by:

Reviewing app permissions carefully

Avoiding apps from unknown or suspicious developers

Reading reviews and checking download history

Keeping devices and security apps updated

Organizations and individuals should also watch for signs of compromise, such as unexpected banking alerts, unauthorized logins, or sudden screen overlays.
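Because Anatsa depends on an enabled Accessibility Service, one concrete check is to list which apps currently hold that access. The following Python code is an added example, not part of the original article or of the ThreatLabz analysis; it parses the output of two adb commands, and the allowlist and the sample package names are assumptions constructed for illustration.

```python
# Added example (not from the article): flag unexpected Accessibility Services.
# Inputs are the text printed by two real adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3
# Assumption: EXPECTED holds the packages you deliberately gave this access to.
EXPECTED = {"com.google.android.marvin.talkback"}

# Constructed sample output; com.example.docreader is a made-up package name.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.docreader/.core.HelperService\n"
)
SAMPLE_THIRD_PARTY = "package:com.example.docreader\npackage:com.example.notes\n"


def parse_enabled_services(raw):
    """Split the colon-separated 'package/class' list into (package, class)."""
    raw = raw.strip()
    if not raw or raw == "null":  # the setting prints "null" when unset
        return []
    services = []
    for component in filter(None, (c.strip() for c in raw.split(":"))):
        package, _, cls = component.partition("/")
        if cls.startswith("."):  # short form is relative to the package
            cls = package + cls
        services.append((package, cls))
    return services


def parse_third_party(raw):
    """Return the package names from 'pm list packages -3' output."""
    prefix = "package:"
    return {ln[len(prefix):].strip() for ln in raw.splitlines()
            if ln.startswith(prefix)}


def unexpected_services(services_raw, third_party_raw, expected=EXPECTED):
    """List enabled services whose package is not on the allowlist."""
    user_installed = parse_third_party(third_party_raw)
    return [
        {"package": pkg, "service": cls, "user_installed": pkg in user_installed}
        for pkg, cls in parse_enabled_services(services_raw)
        if pkg not in expected
    ]


if __name__ == "__main__":
    for hit in unexpected_services(SAMPLE_SERVICES, SAMPLE_THIRD_PARTY):
        print("review:", hit)
```

A user-installed file viewer or utility that appears in this list has no functional need for Accessibility access and is worth reviewing first.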

Stay Safe: Delete the Fake Document Reader App Immediately

This incident highlights how cybercriminals use simple-looking apps as traps for stealing financial data. With threats like Anatsa becoming more advanced, awareness and careful app selection are essential.

If you installed “Document Reader – File Manager,” delete it immediately and run a security scan to ensure your device is clean.
