banking Trojan Archives

AppWizard

March 6, 2025

Android App With 220,000+ Downloads From Google Play Installs Banking Trojan

A sophisticated Android banking trojan campaign, known as Anatsa or TeaBot, has been downloaded over 220,000 times from the Google Play Store before its removal. The malware targets global financial institutions using a multi-stage infection process, deploying fake login overlays and exploiting accessibility services to steal user credentials and perform unauthorized transactions. The malicious app disguised itself as a "File Manager and Document Reader" and acted as a dropper, retrieving additional payloads from remote servers. It uses reflection-based code execution to evade detection and conducts anti-emulation checks to confirm it is on a genuine device. Anatsa requests critical permissions, including accessibility services and SMS access, to log keystrokes and bypass two-factor authentication. The campaign primarily targets users in Europe, especially Slovakia, Slovenia, and Czechia, but has the potential to expand to markets like the U.S., South Korea, and Singapore. It targets over 600 banking and cryptocurrency applications, enabling on-device fraud through automated transaction systems. Users are advised to avoid sideloading apps, audit app permissions, and monitor for updates from official stores. Google has removed the identified dropper, but similar threats persist. Indicators of compromise include specific network URLs and an MD5 hash for a sample.

AppWizard

March 6, 2025

Malicious Android App on Google Play Compromises 220,000+ Devices

Security researchers at ThreatLabz have identified a malware campaign operating through the Google Play Store that disseminated the Anatsa banking trojan, also known as TeaBot. The malicious app, disguised as a file manager and document reader, was downloaded over 220,000 times before its removal. The app initiated a multi-stage payload retrieval process after users granted accessibility permissions, allowing it to download the Anatsa payload and turn infected devices into tools for financial fraud. Anatsa uses overlay attacks and credential harvesting techniques, displaying fake login screens for banking applications to capture user credentials. It targets financial institutions across North America, Europe, and Asia, particularly mobile banking platforms. The malware employs evasion techniques, including delayed activation and encrypted communication, and maintains persistence by checking for accessibility service permissions. Initial data indicates concentrated infections in regions with high mobile banking usage, and the app's multilingual interface suggests a global targeting strategy. Google removed the app within 48 hours of the disclosure but it had been present for approximately eight weeks before detection. Google has initiated a mass uninstallation campaign for affected devices, while users are advised to perform factory resets, monitor financial accounts, enable Google Play Protect, and avoid granting permissions to unfamiliar apps. Investigations are ongoing to identify the threat actors, with links to Eastern European cybercrime syndicates suggested.

Tech Optimizer

February 3, 2025

Coyote Malware Launches Stealthy Attack on Windows Systems via LNK Files

FortiGuard Labs has raised an alarm about the Coyote Banking Trojan, a sophisticated malware targeting Microsoft Windows users, particularly in Brazil. Researchers discovered malicious LNK files that use PowerShell commands to execute scripts and connect to remote servers, initiating a multi-stage attack aimed at extracting sensitive information from over 70 financial applications and more than 1,000 websites. The attack begins with an LNK file that triggers a PowerShell command to download and execute additional malicious scripts. The malware employs loaders, shellcode, and Windows registry modifications, with a DLL file named “bmwiMcDec” injecting payloads into processes. It gathers system information and transmits it to remote servers, while the main payload enables keylogging, screenshot capture, phishing overlays, and window manipulation. The Coyote Trojan communicates with command-and-control servers via port 443 and adapts its actions based on server directives. Fortinet's security solutions, including FortiGuard Antivirus and Web Filtering Service, can detect and block threats associated with this malware. Users are advised to keep security systems updated and engage in cybersecurity training.

AppWizard

February 2, 2025

More than 90 Google Play Android apps identified with malware that steals your banking information – many already affected (5.5 million downloads)

Over 90 malicious Android applications were found on Google Play, including the banking trojan Anatsa, which has contributed to 5.5 million downloads across these apps. Google removed the identified apps from the Play Store after the report, which highlighted that Anatsa targets over 650 financial institutions. Two infected apps, disguised as PDF and QR code readers, had over 70,000 downloads before being reported. Anatsa operates stealthily, stealing banking information while appearing as benign applications. Other malware threats on Google Play include Joker, Facestealer, and Coper. Users are advised to be cautious when downloading apps and to scrutinize requested permissions. The two Anatsa-infected apps are no longer available, and the developers have been banned. Google Play Protect helps safeguard users by removing known malicious apps.

AppWizard

November 8, 2024

Godfather Is A Risk To Android Users Worldwide As 500 Apps Targeted

A new variant of the Godfather banking trojan is targeting over 500 Android banking and cryptocurrency applications globally. Initially focused in the U.S., U.K., and Europe, its reach has expanded to countries including Azerbaijan, Greece, Japan, and Singapore. The malware has transitioned from Java to native code, enhancing its ability to exploit Android’s accessibility services and mimic user actions through gesture automation commands. It employs social engineering tactics, such as a fraudulent website posing as the official MyGov site of the Australian Government, to distribute malicious files. Once installed, the malware communicates with a control server, collects device information, and replaces legitimate banking applications with phishing pages to steal credentials. The Godfather malware has become more difficult to analyze and poses a significant threat to users worldwide.

AppWizard

October 16, 2024

Millions of Android users get urgent Google app warning – check your phone now

Security experts from Zscaler have reported that over 200 malware-laden applications are available on Google's Play Store, with more than eight million installations by users. The report highlights a 111 percent increase in spyware incidents and a 29 percent rise in banking malware. Anatsa, an Android banking trojan, has targeted over 650 financial institutions. Zscaler's Chief Security Officer noted that cybercriminals are increasingly exploiting legacy assets, leading to data breaches and ransomware attacks. Google is working to remove harmful apps, but users are advised to review feedback, verify developer reputations, and enable Google Play Protect for enhanced security.

AppWizard

October 15, 2024

Over 200 malicious apps on Google Play downloaded millions of times

Zscaler's analysis revealed that over 200 malicious applications on Google Play accumulated nearly eight million downloads between June 2023 and April 2024. The identified malware families included Joker (38.2%), Adware (35.9%), Facestealer (14.7%), Coper (3.7%), Loanly Installer (2.3%), Harly (1.4%), and Anatsa (0.9%). In May 2023, Zscaler flagged more than 90 malicious apps on Google Play with 5.5 million downloads. The Necro malware loader was downloaded 11 million times, and Goldoson malware infiltrated 60 legitimate apps with 100 million downloads. Zscaler blocked an average of 1.7 million malware transactions per month, totaling 20 million during the analysis period. Spyware infections surged, particularly from SpyLoan, SpinOK, and SpyNote, with 232,000 blocks recorded. The most targeted countries were India, the United States, Canada, South Africa, and the Netherlands. The education sector saw a 136.8% increase in blocked transactions due to mobile malware. Users are advised to read reviews, verify app publishers, and scrutinize permissions to mitigate malware risks.

AppWizard

September 29, 2024

Experts warn users to delete a specific app | The Express Tribune

Cybersecurity experts have identified a new variant of the Octo Android malware, named Octo 2, which targets Android users by disguising itself as trusted applications like Google Chrome. This malware is designed for fraudulent activities, specifically targeting bank accounts and sensitive information. Discovered by the Amsterdam-based firm ThreatFabric, Octo 2 is spreading across Europe and features advanced mechanisms that make it harder to detect. Its capabilities include remotely locking and muting the device's screen, launching applications without user consent, sending malware-laden messages to contacts, and intercepting SMS messages to capture verification codes, posing a significant risk for unauthorized access to secure accounts.

AppWizard

September 25, 2024

Octo2 Malware Masquerades as Popular Apps

A new version of the Octo Android malware, named Octo2, has emerged in Europe, targeting users by masquerading as trusted applications like NordVPN and Google Chrome. It features advanced anti-detection mechanisms, a domain generation algorithm for command-and-control communication, and improved remote access functionality. Originating from the ExobotCompact malware family, Octo2 primarily targets banking customers and has been reported in Italy, Poland, Hungary, and Moldova. Its ability to impersonate trusted applications has contributed to its spread. The malware employs dynamic loading of malicious code and incorporates a feature called SHIT_QUALITY to optimize data transmission. Additionally, the domain generation algorithm allows for the creation of new domain names, maintaining attacker control over infected devices despite security efforts.

AppWizard

September 25, 2024

New Octo Android malware version impersonates NordVPN, Google Chrome

A new variant of the Octo Android malware, named "Octo2," has emerged in Europe, disguising itself as legitimate applications like NordVPN, Google Chrome, and Europe Enterprise. It features enhanced operational stability and sophisticated evasion mechanisms, including a domain generation algorithm (DGA) for command and control communications. The malware evolved from the ExoCompact banking trojan and was first identified by ThreatFabric in April 2022. Octo2 is currently targeting Italy, Poland, Moldova, and Hungary, with potential for global expansion. It utilizes counterfeit applications and embeds malicious payloads using the Zombider service, circumventing security measures in Android 13 and later. Octo2 introduces a low-quality setting in its remote access tool (RAT) to ensure reliable connectivity and employs native code for payload decryption, complicating analysis. It also has a curated list of applications to intercept and is not detected on Google Play, suggesting distribution through third-party app stores.