banking apps Archives

AppWizard

September 9, 2025

New RatOn Android Malware Targets Banking Apps and Crypto Wallets via NFC Attacks

A new strain of Android malware called RatOn was identified on July 5, 2025, targeting banking applications and cryptocurrency wallets, particularly in the Czech Republic. It integrates near-field communication (NFC) relay attacks with automated transfer system (ATS) capabilities, allowing attackers to hijack devices and execute unauthorized transactions. RatOn builds on tactics from previous malware like PhantomCard and employs overlay attacks to capture user credentials. It gains root-level access through vulnerabilities such as KernelSU, enabling call hijacking to bypass two-factor authentication. RatOn specifically targets local banking applications and cryptocurrency wallets, scanning for wallet apps and extracting private keys. Defending against RatOn involves enabling app sideloading restrictions, using reputable antivirus software, and monitoring NFC settings, while banks are enhancing anomaly detection systems. The emergence of RatOn raises concerns about mobile security globally, with calls for stricter app store vetting and improved NFC protocols. Experts predict that future malware will increasingly use AI-driven adaptations, complicating detection efforts.

AppWizard

August 14, 2025

Surge in Android Malware Targets Banking Apps with NFC Fraud

A new wave of Android malware is targeting banking applications, utilizing techniques such as NFC relay fraud, call hijacking, and root-level exploits. Variants like PhantomCard, SpyBanker, and KernelSU are designed to infiltrate devices and manipulate transactions in real time. PhantomCard mimics legitimate NFC payment processes, SpyBanker hijacks calls from financial institutions, and KernelSU exploits kernel vulnerabilities for persistent access. This malware has affected thousands of devices, with attackers using disguises on the Google Play Store and phishing campaigns. A related variant, Anatsa, impacted over 90,000 users through fake PDF applications. The rise of such malware correlates with the increasing adoption of contactless payments, particularly in Europe and Asia. Experts recommend that banks enhance their defenses with behavioral analytics and that users enable app verification. Additionally, malware like KernelSU allows evasion of detection by operating at the system's core. Cybersecurity firms suggest a multi-layered security approach, including device encryption and AI-driven threat detection, to combat these evolving threats.

AppWizard

August 11, 2025

Fake Android Banking Apps Are Hijacking Devices and Draining Accounts in Malware Campaign

A wave of mobile malware is targeting Android users in India, posing as legitimate banking applications. This malware can fully compromise infected devices, stealing sensitive data, intercepting communications, and conducting unauthorized financial transactions. It typically spreads through deceptive "dropper" apps via phishing messages on platforms like WhatsApp, SMS, or email, often disguised as system updates or official banking apps. The malware requests extensive Android permissions, allowing it to read and send SMS messages and intercept two-factor authentication codes. It operates stealthily, bypassing Android’s battery optimization features, and can manipulate notification content. All captured data is transmitted to attackers, enabling potential financial fraud and identity theft. Users are advised to install apps only from trusted sources, be skeptical of unexpected installation prompts, and review permission requests carefully.

AppWizard

July 29, 2025

ANDROID MALWARE POSING AS INDIAN BANK APPS

The report discusses a sophisticated Android malware targeting users in India, which disguises itself as legitimate banking applications to steal credentials and conduct unauthorized financial activities. The malware employs advanced techniques such as silent installation, exploitation of Android permissions, and remote command execution to avoid detection. It utilizes Firebase for command-and-control operations and phishing pages that mimic real banking interfaces. The malware consists of a modular architecture with a dropper and a main payload. The dropper requests several Android permissions, including ACCESSNETWORKSTATE, REQUESTINSTALLPACKAGES, and QUERYALLPACKAGES, which facilitate reconnaissance and persistence. The dropper uses a silent installation mechanism to load additional payloads without user awareness. The main payload requests permissions that enable data theft and stealthy operation, such as READSMS, SENDSMS, and RECEIVEBOOTCOMPLETED. It hides itself from the user's app list and employs separate classes for specific malicious tasks, including harvesting user credentials and collecting debit card information. The phishing page mimics a legitimate banking app to capture user data effectively. The malware also monitors incoming SMS messages, extracts critical metadata, and can silently forward calls to an attacker-controlled number. A specific APK sample impersonating an Indian banking application was observed on April 3, 2025, highlighting ongoing trends in mobile-based credential theft and financial fraud. Recommendations include enforcing stricter mobile application security standards, launching public awareness campaigns, implementing threat intelligence-driven filtering, and deploying mobile endpoint detection solutions.

AppWizard

July 25, 2025

Fake Indian Banking Apps on Android Steal Login Credentials from Users

A recently discovered malicious Android application poses significant risks by masquerading as legitimate banking apps in India. It facilitates credential theft, conducts surveillance, and executes unauthorized financial transactions. The malware operates on a modular architecture with a dropper and primary payload, employing deceptive user interfaces and silent installation techniques to evade detection. The dropper requests extensive permissions, including ACCESSNETWORKSTATE, REQUESTINSTALLPACKAGES, and QUERYALLPACKAGES, to monitor connectivity, install secondary APKs without user awareness, and profile installed apps. It loads a hidden payload and initiates installation using an INSTALL_NOW flag, bypassing app store scrutiny. The main payload requests additional permissions such as READSMS, SENDSMS, and RECEIVESMS for intercepting one-time passwords (OTPs) and two-factor authentication (2FA) codes. It also requests REQUESTIGNOREBATTERYOPTIMIZATIONS, READPHONESTATE, and READPHONENUMBERS for uninterrupted execution, device fingerprinting, and potential call forwarding abuse. Data exfiltration occurs through Firebase Realtime Database, storing user IDs and intercepted SMS metadata. The malware uses Firebase for command-and-control operations and generates phishing pages resembling authentic banking interfaces. Delivery methods include smishing, email phishing, WhatsApp bots, vishing calls, SEO-poisoned websites, malvertising, Trojanized utilities, QR/NFC attacks, preloaded malware on counterfeit devices, and exploitation of accessibility service vulnerabilities. Indicators of compromise include specific SHA256 hashes for the base payload and main payload.

AppWizard

July 25, 2025

Malicious Android Apps Mimic as Popular Indian Banking Apps Steal Login Credentials

Attackers are exploiting India's reliance on digital financial services by distributing counterfeit Android applications resembling those of public and private banks. This campaign, detected on April 3, 2025, employs methods like smishing texts, QR codes, and search-engine manipulation to trick users into sideloading malicious software. Within 48 hours of discovery, over 7,000 devices attempted to connect to a specific Firebase Cloud Messaging endpoint. The malware uses permissions to bypass security measures, capture one-time passwords, and gain insights into installed applications for overlay attacks. It collects sensitive information such as phone numbers and CVVs, which are uploaded to a private database. The malware also enables call forwarding to the attacker's number and maintains persistence through various tactics. The infection mechanism involves a dropper that installs a secondary APK silently, evading detection by not displaying a launcher icon. Security experts recommend enhanced phishing detection and real-time sandbox analysis to combat these threats.

AppWizard

July 9, 2025

Dangerous Android malware targets US banking apps – 50,000 people already affected, make sure you’re not next

A PDF reader app for Android, 'Document Viewer – File Reader', has been found to contain a banking trojan called Anatsa, introduced through a patch six weeks after its release. The app, published by 'Hybrid Cars Simulator, Drift & Racing', has over 50,000 downloads and specifically targets North American banking applications. Security researchers have noted a history of similar threats, with previous trojanized apps having significant download numbers. The Anatsa trojan scans for North American banking apps and overlays a deceptive interface to steal user credentials. Google has removed the app from the Play Store and advises users to uninstall it, conduct a system scan, and reset banking credentials. Google Play Protect provides automatic protection against malicious apps.

AppWizard

July 9, 2025

Android malware Anatsa infiltrates Google Play to target US banks

The Anatsa banking trojan has reappeared on Google Play as a PDF viewer app, accumulating over 50,000 downloads. It activates upon installation, targeting North American banking applications by presenting an overlay that allows unauthorized access, keylogging, and transaction automation. Researchers from Threat Fabric discovered that the app displays a fake notification about banking system maintenance to mask its activities. Anatsa has a history of infiltrating Google Play through various trojanized applications, with previous campaigns resulting in 300,000 downloads in November 2021, 30,000 in June 2023, and 150,000 in February 2024. In May 2024, Zscaler reported two new Anatsa applications on Google Play, achieving 70,000 downloads. The specific app identified is ‘Document Viewer – File Reader,’ published by ‘Hybrid Cars Simulator, Drift & Racing,’ which maintains a “clean” appearance until it builds a user base, after which malicious code is introduced via an update. Anatsa connects to a command-and-control server to monitor targeted applications. Google has removed the malicious app, advising users to uninstall it, scan their devices, and reset banking credentials. Users are encouraged to download apps only from reputable publishers and be cautious with permissions and reviews. Google Play Protect automatically protects users from known malicious apps.

AppWizard

July 7, 2025

Qwizzserial Android Malware Masquerades as Legit Apps to Steal Banking Data and Intercept 2FA SMS

A new Android malware family named Qwizzserial has emerged, primarily affecting users in Uzbekistan. Identified by Group-IB in March 2024, it functions as an SMS stealer that intercepts two-factor authentication codes and banking information. The malware disguises itself as legitimate applications and spreads through deceptive messages on Telegram, leading to approximately 100,000 infections from around 1,200 samples. Qwizzserial employs social engineering tactics, such as enticing file names and fake Telegram channels, to lure victims. Once installed, it requests permissions for phone calls and SMS access to exfiltrate sensitive data using Telegram bots. Advanced variants utilize obfuscation tools and may request users to disable battery optimization. The financial impact is significant, with one group reportedly generating around 0,000 between mid-March and mid-June 2025. The malware targets banking notifications and large transactions, exploiting the local banking sector's reliance on SMS authentication. Group-IB has developed detection methods to combat this threat.

AppWizard

July 3, 2025

Qwizzserial Android Malware as Legitimate Apps Steals Banking Data & Intercepts 2FA SMS

A sophisticated Android malware campaign named Qwizzserial has emerged as a significant threat to banking security in Central Asia, particularly affecting users in Uzbekistan. Initially identified in mid-2024, it disguises itself as legitimate applications to deceive users into installation. Analysts from Group-IB uncovered it, noting its distribution network resembles the Classiscam fraud infrastructure. The campaign has reportedly infected around 100,000 users, resulting in financial losses exceeding ,000 within three months. The primary distribution channel is Telegram, where cybercriminals pose as government entities. Qwizzserial requests critical permissions upon installation and collects personal and financial information, systematically harvesting existing SMS messages. Recent iterations have incorporated obfuscation techniques and enhanced persistence mechanisms.