Android banking malware Archives

AppWizard

February 19, 2026

New ‘Massiv’ Android banking malware poses as an IPTV app

A new strain of Android banking malware called Massiv is disguised as an IPTV application to steal digital identities and access online banking accounts. It uses screen overlays and keylogging techniques to capture sensitive information and can take remote control of compromised devices. Massiv has been observed targeting a Portuguese government application related to Chave Móvel Digital, which contains user data that could bypass know-your-customer (KYC) verifications. The malware allows fraudsters to open accounts in the victim's name at new banks and services, enabling money laundering and loan acquisition. Massiv features two remote control modes: a screen live-streaming mode and a UI-tree mode that extracts structured data from the Accessibility Service. There has been an increase in the use of IPTV applications as bait for Android malware infections, with many of these apps serving as droppers for the malware. The fake IPTV apps primarily target users in Spain, Portugal, France, and Turkey. Users are advised to download applications only from reputable sources and keep security measures active.

AppWizard

February 19, 2026

Fake IPTV Apps Spread Massiv Android Malware Targeting Mobile Banking Users

Cybersecurity researchers have identified a new Android trojan named Massiv, designed for device takeover attacks targeting financial theft. It disguises itself as IPTV applications and poses risks to mobile banking users by allowing operators to remotely control infected devices for fraudulent transactions. The malware was first detected in campaigns targeting users in Portugal and Greece, with features including screen streaming, keylogging, SMS interception, and fake overlays for credential theft. One campaign specifically targeted the gov.pt application to deceive users into providing sensitive information. Massiv can execute various malicious actions, such as altering device settings, sending device information, and downloading malicious files. It is distributed through dropper applications that mimic IPTV services, often via SMS phishing. The malware operates in the background while the dropper appears as a legitimate app. Recent campaigns have focused on regions like Spain, Portugal, France, and Turkey, indicating a growing threat landscape. The operators of Massiv are developing it further, suggesting intentions to offer it as a Malware-as-a-Service.

Tech Optimizer

November 7, 2025

Herodotus Android Banking Malware Takes Full Control Of Device Evading Antivirus

A banking trojan named Herodotus targets Android users globally, operating as Malware-as-a-Service and disguising itself as a legitimate app to lure users into downloading an APK from unofficial sources. Once installed, it gains critical system permissions to perform banking operations on behalf of the user. The malware is primarily distributed through SMS phishing campaigns that lead victims to fraudulent download pages. Herodotus employs overlay attacks to steal credentials and hijack sessions, posing a significant threat to financial security. It uses advanced evasion tactics, including random delays and realistic typing patterns, to avoid detection by traditional antivirus solutions. The trojan captures screen content and keystrokes, allowing real-time monitoring of user activity. Detection is complicated as Herodotus circumvents defenses by installing from unknown sources and executing harmful actions only after obtaining user permissions. Effective defense requires recognizing multiple indicators of compromise, such as suspicious SMS links and behavioral anomalies, which traditional antivirus protection often overlooks.

AppWizard

June 20, 2025

GodFather Android Malware Uses On-Device Virtualization to Hijack Legitimate Banking Apps

Zimperium zLabs has identified a new version of the GodFather Android banking malware that uses on-device virtualization to infiltrate legitimate banking and cryptocurrency applications. This malware creates an isolated virtual environment on the victim's device, allowing attackers to observe and manipulate user interactions in real time. It employs a malicious host application with a virtualization framework that downloads and executes a copy of the targeted app, capturing credentials and sensitive information. GodFather targets nearly 500 applications globally, particularly focusing on Turkish financial institutions. It utilizes evasive tactics, including ZIP manipulation and obfuscation, to evade detection and installs its payload through a session-based dropper technique. The malware retains traditional overlay attacks and has extensive remote control capabilities, posing a significant threat to mobile security and user trust.

AppWizard

December 5, 2024

New DroidBot Android malware targets 77 banking, crypto apps

A new Android banking malware called 'DroidBot' targets the credentials of over 77 cryptocurrency exchanges and banking applications in several European countries, including the UK, Italy, France, Spain, and Portugal. Discovered by Cleafy, it has been operational since June 2024 and functions as a malware-as-a-service (MaaS) platform with a subscription price of ,000 per month. At least 17 affiliate groups are using malware builders to customize their attacks. DroidBot has caused 776 unique infections across the UK, Italy, France, Turkey, and Germany. The developers, believed to be based in Turkey, provide affiliates with tools like a malware builder and command and control servers. DroidBot disguises itself as trusted applications to deceive users and includes features such as keylogging, overlaying fake login pages, SMS interception, and remote control via Virtual Network Computing. It exploits Android's Accessibility Services to monitor user actions. Targeted applications include Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken, and Garanti BBVA. Users are advised to download apps only from Google Play, scrutinize permission requests, and activate Play Protect.

AppWizard

October 16, 2024

New Google Play Store Warning—200 Dangerous Apps, 8 Million Installs

There has been a 101% increase in spyware incidents year on year, with researchers identifying 200 dangerous applications in the Google Play Store that collectively had nearly eight million installations. The analysis covered the period from June 2023 to May 2024 and revealed that the financial sector is a primary target, with attacks increasing by 29%. The United States is the top target for cybercriminals, while India leads in mobile malware applications. Google employs various security measures, including Play Protect, to detect and remove harmful apps from the Play Store.

AppWizard

July 1, 2024

CapraRAT Spyware Disguised as Popular Apps Threatens Android Users

- Transparent Tribe continues malware campaign targeting Android users - Group embedding spyware into curated video browsing applications targeting mobile gamers, weapons enthusiasts, and TikTok fans - Campaign dubbed CapraTube delivering spyware called CapraRAT - CapraRAT used in attacks targeting Indian government and military personnel - New malicious APK files identified - CapraRAT abusing permissions to access sensitive data - Malware developers focusing on making the tool more reliable and stable - Snowblind, a novel type of Android banking malware, discovered using seccomp technique to bypass anti-tampering mechanisms - Malware authors in Southeast Asia becoming extremely sophisticated

AppWizard

June 26, 2024

Snowblind is a new Android banking malware abusing a safety tool

Snowblind is a first-of-its-kind Android banking malware that manipulates a Linux kernel safety feature called "seccomp" to bypass security checks and anti-tampering mechanisms. It exploits accessibility services to gain system-level access to an infected device and can disable security features such as two-factor authentication and biometric verification. The malware targets banking Android apps in Southeast Asia and is effective on all modern Android devices. Promon has developed protective measures against Snowblind and other potential variants of seccomp-based attacks.