
Anatsa Banker: The Trojan Hiding in a Google Play PDF Reader
A relationship manager at Larkfield Mutual installs a five-star PDF and QR reader from the Google Play store onto her managed Android handset. It is an Anatsa (TeaBot) dropper: it stages a DEX payload disguised as an app update, sidesteps sandbox checks, downloads the final banking trojan, and abuses the Accessibility service to overlay a fake bank login. Walk the EMM/MDM and web-proxy logs step by step to trace the install, the staged downloads, the C2 callback, and the final payload.
Launches today
Friday, July 3, 2026 at 9:00 AM
Be ready the moment it drops — free forever.
Training Tools
What you'll investigate
6 objectives unlock when this operation goes live.
Be first when it launches
Create your free account now. The moment this operation goes live on Jul 3, 2026, you can jump straight in — and you'll have the rest of the catalog to train on meanwhile.
Get Started FreeNo credit card required — free forever