The PDF Trap: How the Anatsa Banking Trojan Infiltrated Google Play’s Top 200 Tools
A clandestine Android dropper, masquerading as a mundane PDF reader, has once again infiltrated the Google Play Store. While the application appeared to function as advertised—seamlessly opening documents without initially arousing suspicion—it harbored the latent capacity to deploy the Anatsa banking trojan post-installation.
On April 21, this compromised utility ascended to the 185th position among the most downloaded tools within the Russian segment of Google Play. Before its eventual expulsion from the marketplace, the program had garnered over 10,000 downloads, according to reports from Kaspersky.
The application contained a dropper, a specialized component engineered for the surreptitious delivery of malicious code. Once established on the device, the software fetched a supplementary APK file housing the Anatsa payload. Upon securing elevated system permissions, the malware endeavored to intercept sensitive data, specifically targeting banking credentials.
Anatsa remains a persistent and well-documented threat within the cybersecurity community. The trojan frequently resurfaces in official application repositories under the guise of legitimate utilities. Adversaries typically publish a benign version to bypass initial moderation, only to introduce nefarious functionalities later through subsequent updates or external secondary downloads.
Dmitry Kalinin, a specialist at Kaspersky, noted that while sourcing applications from official marketplaces mitigates risk, it does not provide an absolute guarantee of security. Users are advised to scrutinize requested permissions, remain vigilant regarding updates, and view with extreme skepticism any rudimentary document reader that solicits access to sensitive smartphone functions.
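One way to act on the advice to scrutinize requested permissions, as an added example that is not from Kaspersky or the original report: a Python check that reads a decoded AndroidManifest.xml and flags permissions that are out of place for a document reader. The flagged-permission list, the sample manifest and the package name are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: permissions this example treats as out of place for a document
# reader. The list is illustrative and is not taken from the Kaspersky report.
UNEXPECTED_FOR_READER = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt to install a downloaded APK",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "declares an accessibility service",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.READ_SMS": "can read SMS messages",
    "android.permission.RECEIVE_SMS": "can receive incoming SMS messages",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed apps",
}

# Constructed sample manifest (decoded text XML), not from a real application.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def audit_manifest(manifest_xml):
    """Return sorted (permission, reason) findings for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    seen = set()
    # Permissions the app requests for itself (SDK-gated variant included).
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            seen.add(el.get(ANDROID_NS + "name"))
    # Components guarded by a permission, such as an accessibility service.
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            seen.add(el.get(ANDROID_NS + "permission"))
    return sorted((p, UNEXPECTED_FOR_READER[p]) for p in seen if p in UNEXPECTED_FOR_READER)

if __name__ == "__main__":
    for perm, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"REVIEW {perm}: {reason}")
```

A finding is a prompt for review, not a verdict: some legitimate apps request these permissions, so the result should be weighed against what the app claims to do.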
Kaspersky identifies this specific threat under the heuristic verdicts HEUR:Trojan-Downloader.AndroidOS.Anatsa.a and HEUR:Trojan-Dropper.AndroidOS.Banker.bb.