
Banking Trojans Targeting Popular Financial Apps

Mobile banking Trojans frequently hide behind seemingly harmless programs such as productivity tools and games, and in this guise they infiltrate the Google Play Store, Android's official app store. Once installed, the Trojans place fake login pages on top of legitimate banking and finance apps to steal account passwords, monitor notifications to capture one-time passcodes (OTPs), and even commit on-device financial fraud by abusing accessibility services to act as the user. According to the Google Play Store, the top 10 Android mobile banking Trojans are targeting 639 financial applications that have been downloaded over a billion times.
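The two capabilities described above, an enabled accessibility service and the permission to draw overlays, are exactly what a defender can enumerate on a managed device. The following triage script is an added example and not code from the original post or from Zimperium; it assumes the output of two adb commands has been captured beforehand, and all package names and command outputs in it are constructed sample data.

```python
"""Flag Android packages that hold both capabilities the banking Trojans abuse:
an enabled accessibility service and the SYSTEM_ALERT_WINDOW overlay permission.
Input is the text of two adb commands captured earlier (assumed, not run here):
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <package> SYSTEM_ALERT_WINDOW
"""
from typing import Dict, List, Set

# Constructed sample: one legitimate screen reader, one overlay-capable "game".
ENABLED_SERVICES = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.fun.puzzle.game/com.fun.puzzle.game.a.b.AccessService"
)
# Constructed sample appops output, keyed by package name.
APPOPS = {
    "com.android.talkback": "SYSTEM_ALERT_WINDOW: default; time=+2d3h",
    "com.fun.puzzle.game": "SYSTEM_ALERT_WINDOW: allow; time=+12h4m",
    "com.bank.example": "No operations.",
}
# Accessibility tools the organisation has vetted (hypothetical allowlist).
KNOWN_GOOD = {"com.android.talkback"}


def accessibility_packages(setting: str) -> Set[str]:
    """Package names from the colon-separated enabled_accessibility_services value."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def overlay_allowed(appops_output: str) -> bool:
    """True when appops reports the overlay op as explicitly allowed."""
    for line in appops_output.splitlines():
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            return line.split(":", 1)[1].strip().startswith("allow")
    return False


def suspicious_packages(setting: str, appops: Dict[str, str], known_good: Set[str]) -> List[str]:
    """Packages with an accessibility service plus overlay rights, minus the allowlist."""
    hits = []
    for pkg in sorted(accessibility_packages(setting)):
        if pkg in known_good:
            continue
        if overlay_allowed(appops.get(pkg, "")):
            hits.append(pkg)
    return hits


if __name__ == "__main__":
    for pkg in suspicious_packages(ENABLED_SERVICES, APPOPS, KNOWN_GOOD):
        print(f"review: {pkg} holds accessibility + overlay capabilities")
```

A hit is a review prompt, not a verdict: screen readers and password managers legitimately use accessibility, so the allowlist should be maintained deliberately.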

The most popular targeted apps include: PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México.

According to a Zimperium analysis, which provided an overview of the Android ecosystem in the first quarter of 2021, each of these banking Trojans has claimed a distinct market position based on the number of businesses it targets and the features that distinguish it from the others. In the United States, three out of four respondents used banking applications for their regular banking transactions, providing a wealth of potential targets for these Trojans.

Worst-hit by banking Trojans

The United States is the most targeted country, with 121 targeted apps. The United Kingdom comes second with 55 apps, followed by Italy (43), Turkey (34), Australia (33), and France (31).

Teabot is the Trojan that targets the most apps, accounting for 410 of the 639 tracked, while Exobot targets a substantial pool of 324 applications.

Walmart-backed PhonePe, which is popular in India and has over 100 million downloads from the Play Store, is the targeted application with the most downloads.

Binance, a prominent cryptocurrency exchange app with over 50 million downloads, and Cash App, a mobile payment service that operates in the US and the UK and also has 50 million installations, are on the banking Trojan hitlist even though they do not provide traditional banking services. BBVA, a global online banking platform with tens of millions of downloads, is the most widely targeted application: seven of the ten most active banking Trojans target this app.

Most prevalent Trojans

According to Zimperium, the following banking Trojans were the most prevalent in the year's first quarter.

Bian Lian

It targets Binance, BBVA, and several Turkish apps. In April 2022, a new variant of the malware was discovered that bypasses photoTAN, which is considered a robust authentication mechanism in online banking.

Cabassous

It targets Barclays, CommBank, Halifax, Lloyds, and Santander. It employs a domain generation algorithm (DGA) for its command-and-control (C2) domains to avoid discovery and takedown.

Coper

BBVA, Caixa Bank, CommBank, and Santander are all targets for Coper. It actively checks the device's battery optimization allowlist and adds itself to it so that it is exempt from the background-activity restrictions that would otherwise interrupt it.

EventBot

It attacks Barclays, Intesa, BancoPosta, and other Italian apps. It disguises itself as Microsoft Word or Adobe Flash and can download new malware modules from external sources.

Exobot

Its targets are PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank. It is tiny and light because it leverages shared system libraries and only retrieves overlays from the C2 server when they are needed.

FluBot

BBVA, Caixa, Santander, and other Spanish apps are its targets. This botnet malware was infamous for spreading quickly via SMS messages sent to the contact lists of compromised devices.

Medusa

It aims at BBVA, CaixaBank, Ziraat, and various Turkish bank apps. It can commit on-device fraud by misusing the accessibility service to pose as a regular user.

Sharkbot

It targets Binance, BBVA, and Coinbase. It includes a comprehensive set of detection-evasion and anti-removal measures and strong encryption of its C2 communication.

Teabot

PhonePe, Binance, Barclays, Crypto.com, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase are among its prominent targets. It has a dedicated keylogger for each targeted app that loads when the user opens that app.

Xenomorph

It attacks BBVA and other EU-based financial apps. It can also act as a dropper to download more malware onto the victim's device.

Final thoughts

Each of these banking Trojans retains a relatively narrow targeting scope, so the ecosystem stays balanced and operators can select the tool that best matches their target demographic. The best way to keep your smartphone safe is to keep it up to date. Try to only download apps from the Google Play Store, read user reviews, visit the developer's website, and keep the number of installed apps on your device to a minimum.
