{"id":10355,"date":"2026-02-03T10:03:49","date_gmt":"2026-02-03T10:03:49","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/03\/malicious-app-on-the-google-play-with-50k-downloads-deploy-anatsa-banking-malware\/"},"modified":"2026-02-03T10:03:49","modified_gmt":"2026-02-03T10:03:49","slug":"malicious-app-on-the-google-play-with-50k-downloads-deploy-anatsa-banking-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/03\/malicious-app-on-the-google-play-with-50k-downloads-deploy-anatsa-banking-malware\/","title":{"rendered":"Malicious App on The Google Play with 50K+ Downloads Deploy Anatsa Banking Malware"},"content":{"rendered":"<p>    Malicious App on The Google Play with 50K+ Downloads Deploy Anatsa Banking Malware<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>A dangerous banking malware called Anatsa has been discovered spreading through the Google Play Store, reaching more than fifty thousand downloads before detection. <\/p>\n<p>The malicious application was cleverly hidden as a document reader, making it appear harmless to unsuspecting users searching for legitimate file management tools. <\/p>\n<p>This discovery highlights how cybercriminals continue to exploit official app stores as distribution channels for sophisticated financial threats targeting Android users worldwide. <\/p>\n<p>The Anatsa banking trojan is particularly concerning because it specifically targets banking credentials and sensitive financial information from infected devices.<\/p>\n<p>The malware operates as an installer that downloads and deploys the full Anatsa banking trojan payload once the initial application gains access to a device. <\/p>\n<p>Users who downloaded and installed this fake document reader application unknowingly gave the malware permission to operate with elevated access, creating a gateway for financial theft and personal <a href=\"https:\/\/cybersecuritynews.com\/data-extraction-with-budget-constraints-enter-free-proxies\/\" target=\"_blank\" rel=\"noreferrer noopener\">data extraction<\/a>. <\/p>\n<p>The distribution method through Google\u2019s official marketplace made this attack particularly effective, as users typically trust applications found on authorized platforms. <\/p>\n<p>This represents a significant breach in app store security screening processes, demonstrating how malicious developers continue to evade detection systems.<\/p>\n<p>Zscaler ThreatLabz analysts <a href=\"https:\/\/x.com\/Threatlabz\/status\/2018366059452199168\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">identified<\/a> this malicious application and immediately began tracking its distribution network and associated command-and-control infrastructure. <\/p>\n<p>The security researchers confirmed the malware\u2019s connection to <a href=\"https:\/\/cybersecuritynews.com\/astaroth-banking-malware-leveraging-github\/\" target=\"_blank\" rel=\"noreferrer noopener\">banking theft<\/a> operations and provided detailed technical indicators to help other security teams detect infected devices. <\/p>\n<figure class=\"wp-block-embed aligncenter is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f6a8.png?ssl=1\" alt=\"\ud83d\udea8\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\">ThreatLabz has identified another malicious app on the Google Play Store disguised as a document reader. The app currently has over 50K downloads and serves as an installer for the Anatsa banking trojan. <\/p>\n<p>IOCs below:<\/p>\n<p>Google Play URL:\u2026 <a href=\"https:\/\/t.co\/fAuREdKiQF\">pic.twitter.com\/fAuREdKiQF<\/a><\/p>\n<p>\u2014 Zscaler ThreatLabz (@Threatlabz) <a href=\"https:\/\/twitter.com\/Threatlabz\/status\/2018366059452199168?ref_src=twsrc%5Etfw\">February 2, 2026<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>Their investigation revealed the attack chain and documented how the malware communicates with external servers to receive commands and exfiltrate stolen banking information.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-analyzing-the-malware-s-infection-and-communication-mechanism\"><strong>Analyzing the Malware\u2019s Infection and Communication Mechanism<\/strong><\/h2>\n<p>Understanding how Anatsa establishes persistence on infected Android devices is crucial for users and security professionals seeking to prevent compromise. <\/p>\n<p>Once installed, the banking trojan integrates itself into the operating system and actively monitors user activity, particularly focusing on banking application interactions. <\/p>\n<p>When users open their banking applications or enter financial credentials, the malware captures this sensitive information through overlay attacks and credential logging techniques. <\/p>\n<p>The malware then communicates with <a href=\"https:\/\/cybersecuritynews.com\/chinese-threat-actors-hosted-18000-active-c2-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">command-and-control servers<\/a> located at specific IP addresses, transmitting stolen banking details directly to threat actors. <\/p>\n<p>This direct connection to attacker-controlled infrastructure means compromised devices remain under active threat actor control, continuously feeding banking information and session tokens to criminal operations. <\/p>\n<p>Security researchers recommend users immediately remove any suspicious document reader applications, verify app authenticity through official channels, and enable multi-factor authentication on all banking accounts to mitigate potential compromise risks.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 92%,rgb(169,184,195) 100%)\"><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0<strong>Set CSN as a Preferred Source in\u00a0<a href=\"https:\/\/www.google.com\/preferences\/source?q=cybersecuritynews.com\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google<\/a>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/malicious-app-on-the-google-play-with-50k-downloads\/\">Malicious App on The Google Play with 50K+ Downloads Deploy Anatsa Banking Malware<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/malicious-app-on-the-google-play-with-50k-downloads\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malicious App on The Google Play with 50K+ Downloads Deploy Anatsa Banking Malware A dangerous banking malware called Anatsa has been discovered spreading through the Google Play Store, reaching more than fifty thousand downloads before detection. The malicious application was cleverly hidden as a document reader, making it appear harmless to unsuspecting users searching for [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-10355","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10355"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10355"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10355\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10355"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10355"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10355"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}