Android banking malware Archives

AppWizard

December 5, 2024

New DroidBot Android malware targets 77 banking, crypto apps

A new Android banking malware called 'DroidBot' targets the credentials of over 77 cryptocurrency exchanges and banking applications in several European countries, including the UK, Italy, France, Spain, and Portugal. Discovered by Cleafy, it has been operational since June 2024 and functions as a malware-as-a-service (MaaS) platform with a subscription price of ,000 per month. At least 17 affiliate groups are using malware builders to customize their attacks. DroidBot has caused 776 unique infections across the UK, Italy, France, Turkey, and Germany. The developers, believed to be based in Turkey, provide affiliates with tools like a malware builder and command and control servers. DroidBot disguises itself as trusted applications to deceive users and includes features such as keylogging, overlaying fake login pages, SMS interception, and remote control via Virtual Network Computing. It exploits Android's Accessibility Services to monitor user actions. Targeted applications include Binance, KuCoin, BBVA, Unicredit, Santander, Metamask, BNP Paribas, Credit Agricole, Kraken, and Garanti BBVA. Users are advised to download apps only from Google Play, scrutinize permission requests, and activate Play Protect.

AppWizard

October 16, 2024

New Google Play Store Warning—200 Dangerous Apps, 8 Million Installs

There has been a 101% increase in spyware incidents year on year, with researchers identifying 200 dangerous applications in the Google Play Store that collectively had nearly eight million installations. The analysis covered the period from June 2023 to May 2024 and revealed that the financial sector is a primary target, with attacks increasing by 29%. The United States is the top target for cybercriminals, while India leads in mobile malware applications. Google employs various security measures, including Play Protect, to detect and remove harmful apps from the Play Store.

AppWizard

July 1, 2024

CapraRAT Spyware Disguised as Popular Apps Threatens Android Users

- Transparent Tribe continues malware campaign targeting Android users - Group embedding spyware into curated video browsing applications targeting mobile gamers, weapons enthusiasts, and TikTok fans - Campaign dubbed CapraTube delivering spyware called CapraRAT - CapraRAT used in attacks targeting Indian government and military personnel - New malicious APK files identified - CapraRAT abusing permissions to access sensitive data - Malware developers focusing on making the tool more reliable and stable - Snowblind, a novel type of Android banking malware, discovered using seccomp technique to bypass anti-tampering mechanisms - Malware authors in Southeast Asia becoming extremely sophisticated

AppWizard

June 26, 2024

Snowblind is a new Android banking malware abusing a safety tool

Snowblind is a first-of-its-kind Android banking malware that manipulates a Linux kernel safety feature called "seccomp" to bypass security checks and anti-tampering mechanisms. It exploits accessibility services to gain system-level access to an infected device and can disable security features such as two-factor authentication and biometric verification. The malware targets banking Android apps in Southeast Asia and is effective on all modern Android devices. Promon has developed protective measures against Snowblind and other potential variants of seccomp-based attacks.