banking Trojan Archives

AppWizard

February 20, 2026

Dangerous Massiv Android malware poses as IPTV app to infect devices and steal banking info

Security researchers from ThreatFabric have identified a deceptive application named “Massiv,” which masquerades as a legitimate IPTV service but is actually a banking trojan designed to compromise users' financial security. The malware primarily targets users in Portugal, using tactics like screen overlays and keylogging to steal sensitive data. Many users download unofficial IPTV apps, which are often fraudulent and do not provide access to pirated broadcasts. The stolen information is exploited by cybercriminals to open fraudulent bank accounts and launder money, putting victims in precarious financial situations and posing risks to the integrity of financial systems.

AppWizard

February 19, 2026

Massiv: When your IPTV app terminates your savings

Massiv is an Android banking Trojan that disguises itself as legitimate applications, primarily targeting users in southern Europe. It is distributed through side-loading and is capable of remote control over infected devices, enabling Device Takeover attacks that can lead to unauthorized banking transactions. Massiv often masquerades as IPTV applications to attract users seeking online television services. The malware employs overlay functionality to create deceptive screens, keylogging to capture sensitive information, and SMS/Push message interception. It can monitor applications on infected devices and present fake overlays to prompt users for sensitive data. Notably, it has targeted the Portuguese government application gov.pt and connects with Chave Móvel Digital, a digital authentication system, to access victims' banking accounts. Once it captures sensitive data, Massiv allows operators remote access to the device using Android’s AccessibilityService, facilitating real-time observation and manipulation of the user interface. It communicates over a WebSocket channel and supports screen streaming and UI-tree modes for enhanced control. Massiv's distribution includes malware droppers that initially do not contain malicious code but open a WebView to an IPTV website while the actual malware operates in the background. This tactic has increased in recent months, particularly in Spain, Portugal, France, and Turkey. Indicators of compromise include specific SHA-256 hashes and package names associated with the malware. The bot commands allow operators to perform various actions on the infected device, such as clicking coordinates, installing APKs, and showing overlays.

Tech Optimizer

December 25, 2025

New malware can read your chats and steal your money

The Android banking trojan Sturnus has emerged as a significant cybersecurity threat, capable of taking control of a device's screen, stealing banking credentials, and accessing encrypted communications from trusted applications. It operates stealthily, capturing decrypted messages without breaking encryption. To protect against Sturnus, users should employ robust antivirus software, be vigilant with app prompts, and exercise caution with links and attachments, as malware is often spread through these channels. Attackers can remotely control devices to execute financial transactions without user knowledge.

AppWizard

November 26, 2025

Hackers Bypass Signal, Telegram And WhatsApp Encryption To Read Messages

CISA has issued a warning about spyware targeting users of instant messaging applications, particularly highlighting the Sturnus trojan, which poses significant risks to Android smartphone users. Sturnus, identified as a banking trojan, can bypass encrypted messaging by capturing messages after they are decrypted on the smartphone screen, rather than cracking the encryption itself. Security expert Aditya Sood noted that Sturnus uses a combination of plaintext, RSA, and AES-encrypted communication, complicating detection efforts. The trojan can read everything displayed on the smartphone screen in real time, including sensitive messages and contacts. CISA also identified tactics used by cyber threat actors, such as phishing, zero-click exploits, and impersonation to gain unauthorized access to messaging apps. Users are advised to keep Google’s Play Protect activated, avoid unauthorized app stores, and be cautious with accessibility permissions to protect against these threats.

Tech Optimizer

November 7, 2025

Herodotus Android Banking Malware Takes Full Control Of Device Evading Antivirus

A banking trojan named Herodotus targets Android users globally, operating as Malware-as-a-Service and disguising itself as a legitimate app to lure users into downloading an APK from unofficial sources. Once installed, it gains critical system permissions to perform banking operations on behalf of the user. The malware is primarily distributed through SMS phishing campaigns that lead victims to fraudulent download pages. Herodotus employs overlay attacks to steal credentials and hijack sessions, posing a significant threat to financial security. It uses advanced evasion tactics, including random delays and realistic typing patterns, to avoid detection by traditional antivirus solutions. The trojan captures screen content and keystrokes, allowing real-time monitoring of user activity. Detection is complicated as Herodotus circumvents defenses by installing from unknown sources and executing harmful actions only after obtaining user permissions. Effective defense requires recognizing multiple indicators of compromise, such as suspicious SMS links and behavioral anomalies, which traditional antivirus protection often overlooks.

Tech Optimizer

November 7, 2025

Herodotus Android Banking Trojan Takes Over Devices, Outsmarts Security Tools

A new Android banking Trojan named Herodotus has emerged, operating under the Malware-as-a-Service (MaaS) model and causing significant disruptions in the mobile banking sector. It primarily spreads through SMS phishing campaigns that disguise malicious links as legitimate messages, leading users to counterfeit web pages to download an APK file outside the official Play Store. Upon installation, Herodotus requests critical permissions, including Accessibility, allowing it to overlay fake screens on real banking apps and capture user data. The malware employs deceptive behaviors to evade detection by traditional antivirus solutions, which often fail to recognize it due to their reliance on signature-based and behavior-driven databases. Research indicates that antivirus providers have overlooked the Herodotus threat, highlighting the need for multilayered defense mechanisms. Pradeo’s Mobile Threat Defense (MTD) solution offers continuous monitoring of device behavior, proactive blocking of phishing links, and alerts for risky off-store installations, effectively neutralizing threats before they escalate.

AppWizard

November 4, 2025

Dangerous new Android trojan is taking over phones and draining bank accounts — how to stay safe

A new banking Trojan is disguising itself as legitimate applications like digital ID tools and news readers, targeting Android users with banking and cryptocurrency apps. This malware steals login credentials and operates stealthily as an infostealer, evading detection while continuously collecting data. It can take over screens, interact with buttons, and use fake login screens for overlay attacks on real banking apps. Users are advised to regularly check accessibility services, download apps only from the Google Play Store or reputable sites, and scrutinize app permissions. Implementing layered security measures, such as using antivirus applications and keeping software updated, is essential to mitigate risks associated with this malware.

AppWizard

November 4, 2025

Malicious Android apps on Google Play downloaded 42 million times

The Android ecosystem has seen a significant rise in malicious applications, with over 40 million harmful apps downloaded from Google Play between June 2024 and May 2025. There has been a 67% year-over-year increase in malware targeting mobile devices, particularly spyware and banking trojans. Cybercriminals are shifting tactics from card fraud to mobile payment exploitation, employing phishing, smishing, SIM-swapping, and payment scams. Banking malware transactions reached 4.89 million in 2025, with a slowed growth rate of 3%. Malicious applications increased from 200 to 239, totaling 42 million downloads, with adware now accounting for 69% of all detections. Spyware has surged by 220% year-over-year, with India, the U.S., and Canada being the most affected countries. Notable malware families include Anatsa, which targets financial institutions, Android Void (Vo1d), which affects Android TV boxes, and Xnotice, which targets job seekers. IoT devices, particularly routers, are also being exploited, with the majority of attacks occurring in the U.S. Zscaler recommends implementing security measures such as regular updates, trusting reputable publishers, and adopting zero-trust technology for organizations.

Tech Optimizer

October 23, 2025

Delete the fake VPN app stealing Android users’ money

Malware targeting Android devices has become more sophisticated, with cybercriminals deploying fake banking applications and phishing campaigns. A recently identified dangerous app, Mobdro Pro IP TV + VPN, introduces a malware strain called Klopatra, which is used in campaigns against financial institutions. This app appears to be a free streaming platform but installs a banking Trojan and remote-access tool, allowing attackers to steal banking credentials and conduct fraudulent transactions. The infection process involves social engineering tactics to trick users into downloading the app from unofficial sources, and Klopatra can bypass Android's security measures. The rise of fake VPNs, like Mobdro, poses a significant risk, as many users rely on VPNs for privacy and security. Users are advised to take protective measures, including downloading apps only from trusted sources, checking app permissions, using secure VPNs, installing strong antivirus software, monitoring accounts, removing suspicious apps, keeping devices updated, changing passwords, enabling two-factor authentication, and reporting malicious apps.

AppWizard

October 10, 2025

Fake VPN and streaming app infects thousands of Android devices, drains bank accounts

Cybersecurity experts have warned Android users about the Mobdro Pro IP TV + VPN application, which has been identified as a means to distribute the Klopatra banking trojan. This trojan, first discovered in August 2025, is being spread through two active botnets, primarily targeting users in Spain and Italy, with nearly 3,000 confirmed infections. Klopatra allows cybercriminals complete remote access to infected devices, enabling them to read messages, steal login credentials, and execute fraudulent transactions. The malware exploits Android Accessibility Services permissions to carry out its activities. Mobdro Pro IP TV + VPN is distributed outside the Google Play Store, increasing users' vulnerability to such threats. Additionally, a VPN Transparency Report 2025 highlighted security risks in several popular legitimate VPN applications, indicating that some misrepresent their security protocols and may not provide adequate protection.