Ten new Android banking trojans targeted 985 bank apps in 2023

This year has seen the emergence of 10 new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutions across 61 countries.

Banking trojans are malware that targets people's online bank accounts and money by stealing credentials and session cookies, bypassing 2FA protections, and sometimes even performing transactions automatically.

In addition to the 10 new trojans launched in 2023, 19 families from 2022 were modified to add new capabilities and increase their operational sophistication.

Mobile security firm Zimperium analyzed all 29 (10 + 19) and reported that the emerging trends include:

  • The addition of an automated transfer system (ATS) that captures MFA tokens, initiates transactions, and performs fund transfers.
  • The inclusion of social engineering steps, such as the cybercriminals posing as customer support agents and directing victims into downloading the trojan payloads themselves.
  • The addition of live screen-sharing capability for direct remote interaction with the infected device.
  • Offering the malware in a subscription package to other cybercriminals for $3,000 - $7,000 per month.

The standard features available in most of the examined trojans include keylogging, overlaying phishing pages, and stealing SMS messages.

Another worrying development is that banking trojans are moving past just stealing banking credentials and money and are now also targeting social media, messaging, and personal data.

New banking trojans

Zimperium has examined 10 new banking trojans with over 2,100 variants circulating in the wild, masquerading as special utilities, productivity apps, entertainment portals, photography tools, games, and educational aids.

These 10 new trojans are listed below:

  1. Nexus: MaaS (malware-as-a-service) with 498 variants offering live screen-sharing, targeting 39 apps in 9 countries.
  2. Godfather: MaaS with 1,171 known variants targeting 237 banking apps in 57 countries. It supports remote screen-sharing.
  3. Pixpirate: Trojan with 123 known variants powered by an ATS module. It targets 10 bank apps.
  4. Saderat: Trojan with 300 variants targeting 8 banking apps in 23 countries.
  5. Hook: MaaS with 14 known variants powered by live screen-sharing. It targets 468 apps in 43 countries and is rented to cybercriminals for $7k/month.
  6. PixBankBot: Trojan with 3 known variants targeting 4 banking apps. It comes with an ATS module for on-device fraud.
  7. Xenomorph v3: MaaS operation with six variants capable of ATS operations, targeting 83 bank apps in 14 countries.
  8. Vultur: Trojan with 9 variants targeting 122 banking apps in 15 countries.
  9. BrasDex: Trojan that targets 8 bank apps in Brazil.
  10. GoatRat: Trojan with 52 known variants empowered by an ATS module, targeting six banking apps.

Overview of the 10 banking trojans that emerged in 2023 (Zimperium)

Of the malware families that existed in 2022 and were updated for 2023, those with notable activity are Teabot, Exobot, Mysterybot, Medusa, Cabassous, Anubis, and Coper.

Regarding the most targeted countries, first on the list is the United States (109 targeted bank apps), followed by the United Kingdom (48 bank apps), Italy (44 apps), Australia (34), Turkey (32), France (30), Spain (29), Portugal (27), Germany (23), and Canada (17).

Staying safe

To protect against these threats, avoid downloading APKs from outside Google Play, Android's only official app store, and even on that platform, carefully read user reviews and perform a background check on the app's developer/publisher.

During installation, pay close attention to the requested permissions, and never grant access to 'Accessibility Services' unless you are sure about it.

Fake Chrome app requesting access to Accessibility Services (Zimperium)
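Because the trojans above rely on Accessibility Services to overlay and control other apps, a useful follow-up check is to audit which packages currently hold that access. The script below is an added example (not from the article or from Zimperium): on a real device the value would come from `adb shell settings get secure enabled_accessibility_services`; here a constructed sample string and an assumed allow-list stand in so it runs offline.

```shell
# Added example: audit Android Accessibility Services against an allow-list.
# On a device the raw value comes from:
#   adb shell settings get secure enabled_accessibility_services
# The setting is a ':'-separated list of "package/ServiceClass" entries.
# Constructed sample value (not real device output): the screen reader is expected,
# the look-alike "fakechrome" package is the kind of entry the article warns about.
SAMPLE_ENABLED='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakechrome/.OverlayService'

# Assumed allow-list: packages the device owner knowingly granted accessibility access.
EXPECTED_PACKAGES='com.google.android.marvin.talkback'

# Print every enabled service whose package is not on the allow-list, one per line.
#   $1: the ':'-separated enabled_accessibility_services value
#   $2: whitespace-separated list of allowed package names
unexpected_accessibility_services() {
    enabled="$1"
    allowed="$2"
    printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r entry; do
        # Skip empty entries (e.g. a trailing ':' or an unset setting).
        if [ -z "$entry" ]; then
            continue
        fi
        # The package name is everything before the first '/'.
        pkg="${entry%%/*}"
        match=0
        for a in $allowed; do
            if [ "$a" = "$pkg" ]; then
                match=1
            fi
        done
        if [ "$match" -eq 0 ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Usage on the constructed sample: reports only the unexpected entry.
unexpected_accessibility_services "$SAMPLE_ENABLED" "$EXPECTED_PACKAGES"
```

Any line printed is a package with full control over the screen that the owner did not deliberately approve, which is the condition the "never grant Accessibility Services unless you are sure" advice is meant to prevent.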

If an app asks to download an update from an external source upon first launch, it should be treated with suspicion and avoided entirely if possible.

Finally, never tap on links embedded in SMS or email messages from unknown senders.