Google Play App With 50K Installs Deploys Anatsa

A malicious Google Play app disguised as a document reader has infected over 50,000 Android devices with a powerful banking trojan known as Anatsa. Security researchers at Zscaler ThreatLabz uncovered the app, which initially appeared legitimate but functioned as an installer for the malware. Once downloaded, Anatsa gained elevated permissions and deployed its full payload, targeting users’ financial data.

The trojan establishes persistence by embedding itself into the Android system and capturing banking credentials through overlay attacks. It then transmits the stolen information to attacker-controlled servers using direct communication channels. This technique enables real-time data theft and remote access to sensitive accounts.

The use of an official marketplace boosted the malware’s reach and served as a reminder that threat actors continue to exploit trusted platforms. Researchers urge users to remove suspicious apps immediately and use multi-factor authentication on banking apps to reduce risk.

Read the full report: "Malicious App on The Google Play with 50K+ Downloads Deploy Anatsa Banking Malware"
