COMING SOON · Beginner

Anatsa Banker: The Trojan Hiding in a Google Play PDF Reader

A relationship manager at Larkfield Mutual installs a five-star PDF and QR reader from the Google Play store onto her managed Android handset. It is an Anatsa (TeaBot) dropper: it stages a DEX payload disguised as an app update, sidesteps sandbox checks, downloads the final banking trojan, and abuses the Accessibility service to overlay a fake bank login. Walk the EMM/MDM and web-proxy logs step by step to trace the install, the staged downloads, the C2 callback, and the final payload.

25m
6 tasks
25 points
Free

Launches: Friday, July 3, 2026 at 9:00 AM

Training Tools

SIEM, Firewall

What you'll investigate

6 objectives unlock when this operation goes live.

1. Brief: a five-star PDF reader that was anything but
2. Name the app that started it all
3. Find the host the dropper phoned home to
4. Fingerprint the final payload
5. Spot the command-and-control callback
6. Map the staged download to MITRE ATT&CK
