A risky app has been found on the Google Play Store. Posing as a straightforward document reader called "StellarGrid," it has been downloaded more than 50,000 times. In reality it is a dropper for the notorious Anatsa banking trojan, putting the financial security of thousands of Android users at risk.
This incident highlights persistent problems with mobile app security: not even Google's screening process catches every cunning threat. Users who installed the app may have unknowingly exposed their banking information.
The Misleading App
The program imitates a simple PDF and document viewer and was published under the package name com.recursivestd.highlogic.stellargrid. Its Play Store page boasts a tidy interface and promises offline support and quick file reading.
The installer then pulls down the full payload. Anatsa's request for accessibility permissions is a classic malware warning sign; once granted, it hooks into banking apps such as Deutsche Bank, Wise, and Revolut to steal data in real time.
[Figure: Anatsa Trojan Attacks Google (Source: ThreatLabz)]
Attackers use it to move money in Automated Transfer Service (ATS) attacks by imitating user actions. According to earlier reports, recent campaigns have targeted more than 100 banks. The dropper technique lets it evade Play Protect scans.
Important Technical Information
ThreatLabz reverse-engineered the samples.
The app uses standard Android APIs but hides its dropper logic in native libraries. It checks for rooted devices or emulators before activating.
The following table lists the key Indicators of Compromise (IOCs) for detection and blocking:
Type                  Value
Google Play URL       https://play.google.com/store/apps/details?id=com.recursivestd.highlogic.stellargrid
Anatsa installer MD5  1991f5d0c88d8c7c68f6a6d27efa60d6
Anatsa download URL   https://stellargridinv.com/
Anatsa payload MD5    7f131404a331ae10fdc76bfe5908575d
C2 server 1           http://193.24.123.18:85/api/
C2 server 2           https://162.252.173.37:85/api/
Security teams can hunt for these hashes with YARA rules or services such as VirusTotal, and block the IPs and domain at the firewall. With more than 50,000 downloads, there are tens of thousands of potential victims.
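As an added defensive example (not code from the page or from ThreatLabz), the script below matches the page's network IOCs against constructed proxy log lines and checks an Android device's enabled_accessibility_services setting for the StellarGrid package. The proxy log layout, the sample lines and the service class names are assumptions.

```python
import re
from urllib.parse import urlsplit
# Indicators taken from the page's IOC table (ThreatLabz).
MALICIOUS_PACKAGE = "com.recursivestd.highlogic.stellargrid"
IOC_URLS = [
    "https://stellargridinv.com/",     # Anatsa download URL
    "http://193.24.123.18:85/api/",    # C2 server 1
    "https://162.252.173.37:85/api/",  # C2 server 2
]
# Match on hostname only, so any scheme, port or path variant of a C2 is caught.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Assumed proxy log layout (constructed): "<ts> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def scan_proxy_log(lines):
    """Return (line_no, client_ip, host) for every request to an IOC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        host = urlsplit(m.group(4)).hostname
        if host in IOC_HOSTS:
            hits.append((n, m.group(2), host))
    return hits

def accessibility_abusers(setting_value, watchlist=(MALICIOUS_PACKAGE,)):
    """Parse the raw value of Android's secure setting
    'enabled_accessibility_services' (colon-separated 'package/Service' entries,
    as printed by `adb shell settings get secure enabled_accessibility_services`)
    and return the watch-listed packages that currently hold accessibility access."""
    enabled = {entry.split("/", 1)[0] for entry in setting_value.split(":") if entry}
    return sorted(enabled & set(watchlist))

# Constructed sample data, not real telemetry.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.12 GET https://example.com/index.html 200",
    "2024-01-01T10:00:05Z 10.0.0.12 GET https://stellargridinv.com/ 200",
    "2024-01-01T10:00:09Z 10.0.0.12 POST http://193.24.123.18:85/api/ 200",
    "2024-01-01T10:00:11Z 10.0.0.12 GET https://162.252.173.37/other 404",
    "malformed line",
]
SAMPLE_SETTING = ("com.example.screenreader/.ReaderService:"
                  "com.recursivestd.highlogic.stellargrid/.AccessService")

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("C2/download contact:", hit)
    print("accessibility held by:", accessibility_abusers(SAMPLE_SETTING))
```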
In previous waves, Anatsa has stolen millions of dollars, frequently using money mules. Users in high-risk areas are the most exposed. To stay safe:
Remove StellarGrid now and run a reliable antivirus program, such as Malwarebytes.
In Android settings, revoke accessibility permissions for unknown apps.
Turn on Google Play Protect and two-factor authentication for your banking apps.
Avoid clicking dubious links or sideloading apps.