Fake PDF App on Google Play

A sophisticated Android banking malware campaign has infected 90,000 users across multiple countries, with the Anatsa trojan distributed through a malicious PDF app on the official Google Play Store.


Disguised as a Legitimate App
The trojan masqueraded as a legitimate app called Document Viewer – File Reader, listed under the developer name "Hybrid Cars Simulator, Drift & Racing". The app initially functioned only as a PDF viewer; malicious code was embedded weeks after its launch, turning it into an attack tool.


How the Attack Works
Anatsa, also known as TeaBot or Toddler, is a banking trojan active since 2020, designed to steal credentials, log keystrokes, and take over devices for automated fraudulent transactions.

The attackers follow a systematic approach:

  1. Publish a benign app on Google Play.
  2. Wait for it to gain thousands of installs and positive reviews.
  3. Push a malicious update that embeds a dropper.
  4. Silently install the Anatsa payload on devices.
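
Because the malicious behaviour arrives in step 3 as an update to an already-trusted app, a defender can diff what each new version declares against the previous one. The following is an added example, not code from the article or from Google Play: it compares two decoded AndroidManifest.xml files and reports sensitive capabilities that first appear in the update. The watchlist, the sample manifests and the package name are assumptions made for illustration; the article does not state which permissions Anatsa requests.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumption: this watchlist is chosen for the example, not taken from the article.
WATCHLIST = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "may prompt to install other APKs",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "declares an accessibility service",
    "android.permission.SYSTEM_ALERT_WINDOW": "may draw over other apps",
}

def capabilities(manifest_xml):
    """Permissions an app requests or binds, from a text AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        caps.update(el.get(ANDROID + "name") for el in root.iter(tag))
    # Bound services (accessibility, notification listener, ...) carry the
    # permission on the <service> element rather than in <uses-permission>.
    caps.update(el.get(ANDROID + "permission") for el in root.iter("service"))
    caps.discard(None)  # elements that lack the attribute
    return caps

def flag_update(old_xml, new_xml):
    """Watchlisted capabilities present in the update but not the prior version."""
    added = capabilities(new_xml) - capabilities(old_xml)
    return sorted((p, WATCHLIST[p]) for p in added if p in WATCHLIST)

# Constructed sample manifests; the package name is a placeholder.
OLD = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application/>
</manifest>"""

NEW = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for perm, why in flag_update(OLD, NEW):
        print(f"NEW IN UPDATE: {perm} ({why})")
```

A hit is a reason to review the update, not proof of malice: legitimate apps also add these capabilities, and a dropper may fetch code at runtime without any manifest change.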