Android Banking Trojans Spread via Fake Document Reader and KYC Apps
Researchers reported two Android banking malware campaigns using staged droppers to evade detection and steal financial data from mobile users. Zscaler ThreatLabz said a fake Document Reader app on Google Play was downloaded more than 10,000 times before removal and later fetched the Anatsa payload from a remote server, while CYFIRMA identified KYCShadow being distributed through fake KYC verification apps sent over WhatsApp to bank customers in India. In both cases, the initial apps appeared legitimate, then installed secondary malicious components designed to bypass early screening and analysis.
Once deployed, the malware sought high-risk permissions to hijack accounts, intercept SMS-based one-time passwords, and overlay banking apps to capture credentials. Anatsa was reported to target more than 831 financial institutions globally, including banks and cryptocurrency platforms, using obfuscation and anti-analysis techniques, while KYCShadow collected data such as mobile numbers, Aadhaar details, ATM PINs, and card information, then used Firebase Cloud Messaging and a full-tunnel VPN for command-and-control and traffic redirection. Researchers urged users to uninstall suspicious apps and avoid software delivered through messaging platforms, and advised defenders to monitor indicators including jsonapi[.]biz, jsonserv[.]biz, and jsonserv[.]xyz.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Google removes malicious document reader app from Google Play
After researchers reported the threat, Google removed the fake document reader app from the Play Store. Zscaler ThreatLabz also published indicators of compromise including hashes, infrastructure details, and the malicious package name to help defenders identify infections.
Fake document reader on Google Play infects 10,000+ devices with Anatsa
A malicious document reader app on Google Play was downloaded more than 10,000 times and used a two-stage dropper to install the Anatsa Android banking trojan after passing initial review. Once deployed, Anatsa sought high-risk permissions to steal banking credentials, intercept SMS messages, and present fraudulent overlays targeting hundreds of financial institutions.
KYCShadow campaign targets Indian bank customers via fake KYC apps
In April 2026, researchers identified an Android banking malware campaign tracked as KYCShadow that distributed fake KYC verification apps through WhatsApp to target bank customers in India. The malware harvested personal and banking data, intercepted OTPs, and used Firebase messaging plus a VPN-based channel for command-and-control and traffic routing.
CYFIRMA publishes KYCShadow banking malware research
CYFIRMA published research on KYCShadow, an Android banking malware operation that abuses fake KYC verification apps to steal credentials and OTPs from bank customers in India. The report described its WhatsApp-based delivery, two-stage infection chain, and attacker infrastructure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
New Android Banking Malware Abuses Fake KYC Workflow and WhatsApp Delivery to Hijack Accounts
cybersecuritynews.com
Open sourceFake Document Reader On Google Play With 10K Downloads Installing Anatsa Malware - Cyber Security News
cybersecuritynews.com
Open sourceKYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft - CYFIRMA
cyfirma.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Anatsa Android Banking Trojan Spread via Fake Google Play Document Reader
A malicious Android app posing as a document reader on the official Google Play Store delivered the **Anatsa** banking trojan to more than **10,000 users** before removal. Researchers said the app used a dropper technique to evade **Google Play Protect**, fetching its malicious payload only after installation. Once deployed, Anatsa abused **Android Accessibility Services**, watched for targeted banking apps, and launched overlay screens to steal credentials, sensitive input, and multi-factor authentication codes. The malware allowed operators to initiate fraudulent transactions directly from infected devices, making activity appear more trustworthy to banks because it originated from a victim's normal device context. Reporting on the campaign said Anatsa continues to evolve to bypass traditional defenses by hiding inside legitimate-looking apps and abusing trusted mobile workflows, underscoring the risk to Android banking users and the need for tighter app controls, minimal permissions, and behavior-based monitoring.
May 25, 2026
Android Banking Trojans and Financial Malware Targeting User Data and Payments
Multiple new Android malware campaigns have been identified targeting users' financial data and payment methods. Researchers uncovered advanced banking trojans such as BankBot-YNRK and DeliveryRAT, which harvest sensitive information from compromised devices and employ sophisticated evasion techniques, including emulator detection and device-specific targeting. These trojans often masquerade as legitimate apps, such as Indonesia's digital ID application, and can mute device notifications to avoid detection by victims. In addition, a next-generation Android banking trojan has been observed hiding within digital ID apps, automating the theft of cryptocurrency wallets and evading analysis environments. A separate large-scale scam involves over 760 malicious Android apps exploiting NFC and HCE technologies to steal payment card data globally. These apps facilitate unauthorized transactions by leveraging contactless payment features. The surge in Android-targeted financial malware highlights the growing risk to users' banking credentials, payment cards, and cryptocurrency assets, with attackers employing increasingly sophisticated methods to bypass security controls and evade user awareness.
Mar 21, 2026
Four Android Banking Trojans Target 800+ Apps With MFA-Bypassing Overlays
Zimperium zLabs identified four Android malware families—**RecruitRat, SaferRat, Astrinox, and Massiv**—in active campaigns targeting users of more than **800 banking, cryptocurrency, and social media apps**. The malware is being spread through phishing sites, smishing messages, fake job application and streaming lures, counterfeit app-store pages, and bogus updates that trick victims into installing malicious APKs. Researchers said the campaigns rely heavily on overlay attacks, with fake login screens placed over legitimate apps to steal credentials; **RecruitRat** alone reportedly includes more than **700** fraudulent login pages. Once installed, the trojans abuse Android features including **Accessibility Services**, the **Session Installation API**, **MediaProjection**, overlays, and **WebView** to gain persistence, intercept SMS and one-time passwords, log keystrokes, enumerate apps, steal contacts, freeze screens, stream displays, and remotely control infected devices. The malware also uses anti-analysis techniques such as APK tampering, encrypted strings, reflection, dynamic DEX loading, and environment-aware execution, while command-and-control traffic is sent over HTTPS or WebSockets, with RecruitRat additionally using **RC4** encryption. Researchers warned the activity creates enterprise risk because infected employee devices can enable account takeover, bypass MFA, and expose corporate resources.
Apr 20, 2026