Fake Google Play App Delivers Anatsa Banking Trojan to Thousands of Android Users Security researchers at ThreatLabz have exposed a malicious app on the Google Play Store that disguised itself as a legitimate document reader while secretly deploying the Anatsa banking trojan. The app, identified under the package name com.groundstation.informationcontrol.filestation_browsefiles_readdocs, amassed over 10,000 downloads before Google removed it leaving thousands of users vulnerable to financial fraud and data theft. The threat actors employed a "dropper" technique, a common evasion tactic that keeps malicious code hidden during Google Play’s initial security review. The app appeared benign upon download but later fetched the Anatsa payload from an external server, masquerading as a harmless text file to avoid detection. Once installed, the trojan exploited Android’s Accessibility Services to gain elevated permissions, enabling it to monitor screen activity, log keystrokes, and interact with the device undetected. When users opened banking apps, Anatsa launched invisible overlay attacks, displaying fake login screens to harvest credentials and multi-factor authentication codes. The malware’s ability to operate from a trusted device allowed it to bypass traditional fraud detection, enabling attackers to initiate unauthorized transactions directly from compromised accounts. ThreatLabz provided Indicators of Compromise (IoCs) for cybersecurity teams to identify and block infections, including the app’s SHA256 hash (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), payload URLs, and command-and-control (C2) servers linked to the campaign. The incident underscores the persistent risk of trojanized apps slipping through official app store defenses.