The ten most prolific Android mobile banking trojans target 639 financial applications that collectively have over one billion downloads on the Google Play Store.
Mobile banking trojans hide behind seemingly benign apps like productivity tools and games and commonly sneak into the Google Play Store, Android’s official app store.
Once they infect a device, they overlay login pages on top of legitimate banking and finance apps to steal account credentials, monitor notifications to snatch OTPs, and even carry out on-device financial fraud by abusing Accessibility services to perform actions as the user.
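The three capabilities named above (draw-over-apps overlays, notification access, and an enabled accessibility service) are all visible to a defender with ADB access to the device. The following is an added triage script, not part of the original article or of Zimperium's research: it parses the raw values that `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners`, and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` return, and flags any package outside an allowlist that holds two or more of the three capabilities, the combination a banking trojan needs. All sample values, package names and the allowlist below are constructed for the example.

```python
"""Flag installed packages that hold the capabilities Android banking trojans abuse.

Inputs are the raw strings returned by (run on the target device):
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
  adb shell appops get <package> SYSTEM_ALERT_WINDOW      (one call per package)
Settings.Secure stores the first two as colon-separated flattened component
names ("pkg/cls:pkg2/cls2"); an unset value reads "null".
"""

# Constructed sample output; package names other than TalkBack are fictitious.
ACCESSIBILITY_SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.fake.pdfreader/com.fake.pdfreader.AccService"
)
LISTENERS_SAMPLE = (
    "com.example.smartwatch/com.example.smartwatch.NotifBridge:"
    "com.fake.pdfreader/com.fake.pdfreader.NotifListener"
)
# Constructed per-package lines in the shape appops prints ("<op>: <mode>; ...").
OVERLAY_SAMPLE = {
    "com.fake.pdfreader": "SYSTEM_ALERT_WINDOW: allow; time=+2d3h12m ago",
    "com.example.smartwatch": "SYSTEM_ALERT_WINDOW: deny; time=+5d ago",
    "com.example.bank": "SYSTEM_ALERT_WINDOW: default",
}
# Assumed allowlist: vendor or user-approved components that legitimately need these rights.
DEFAULT_ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})


def parse_component_list(value: str) -> set[str]:
    """Turn 'pkg/cls:pkg2/cls2' into {'pkg', 'pkg2'}; '' and 'null' mean nothing enabled."""
    value = (value or "").strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def overlay_allowed(appops_line: str) -> bool:
    """True when an appops SYSTEM_ALERT_WINDOW line reports mode 'allow'."""
    head = appops_line.split(";", 1)[0]            # 'SYSTEM_ALERT_WINDOW: allow'
    return head.split(":", 1)[-1].strip() == "allow"


def triage(accessibility_raw: str, listeners_raw: str,
           overlay_raw: dict[str, str], allowlist=DEFAULT_ALLOWLIST) -> dict[str, list[str]]:
    """Map each non-allowlisted package to the sorted list of risky capabilities it holds."""
    caps: dict[str, set[str]] = {}
    for pkg in parse_component_list(accessibility_raw):
        caps.setdefault(pkg, set()).add("accessibility")
    for pkg in parse_component_list(listeners_raw):
        caps.setdefault(pkg, set()).add("notification_listener")
    for pkg, line in overlay_raw.items():
        if overlay_allowed(line):
            caps.setdefault(pkg, set()).add("overlay")
    return {pkg: sorted(c) for pkg, c in caps.items() if pkg not in allowlist}


def high_risk(report: dict[str, list[str]]) -> list[str]:
    """Packages combining two or more capabilities: the overlay + OTP theft + on-device fraud pattern."""
    return sorted(pkg for pkg, caps in report.items() if len(caps) >= 2)


if __name__ == "__main__":
    report = triage(ACCESSIBILITY_SAMPLE, LISTENERS_SAMPLE, OVERLAY_SAMPLE)
    for pkg, caps in sorted(report.items()):
        print(f"{pkg}: {', '.join(caps)}")
    print("HIGH RISK:", ", ".join(high_risk(report)) or "none")
```

On a real device, feed the script the three `adb shell` outputs instead of the constructed samples; a package the user does not recognise holding an accessibility service plus overlay or notification access is worth uninstalling before opening any banking app.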
According to a Zimperium report covering the Android threat landscape in the first quarter of 2022, each of these trojans has carved out its own niche, both in the number of organizations it targets and in the functionality that sets it apart from the rest.
This finding is very worrying, as according to 2021 surveys, three out of four respondents in the U.S. use banking apps to perform their daily banking activities, providing a massive pool of targets for these trojans.
The most targeted
The United States tops the list of the most targeted countries with 121 targeted apps. The United Kingdom follows with 55 apps, Italy with 43, Turkey with 34, Australia with 33, and France with 31.
The trojan that targets the most applications is Teabot, covering 410 out of 639 of those tracked, while Exobot also targets a sizable pool of 324 applications.
The targeted application with the most downloads is PhonePe, which is very popular in India, having 100 million downloads from the Play Store.
Binance, the popular cryptocurrency exchange app, counts 50 million downloads. Cash App, a mobile payment service available in the US and UK, also has 50 million installations via the Play Store. Both are targeted by several banking trojans even though they don't offer conventional banking services.
The most widely targeted application is the BBVA app, the global bank's mobile banking client with tens of millions of downloads. It is targeted by seven of the ten most active banking trojans.
Most prolific trojans
The most prolific banking trojans in the first quarter of this year, according to Zimperium, are the following.
- BianLian – Targets Binance, BBVA, and a range of Turkish apps. A new version discovered in April 2022 can bypass photoTAN, which is considered a strong authentication method in online banking.
- Cabassous – Targets Barclays, CommBank, Halifax, Lloyds, and Santander. Uses a domain generation algorithm (DGA) so that its command-and-control (C2) domains are harder to block and take down.
- Coper – Targets BBVA, CaixaBank, CommBank, and Santander. It actively monitors the device's battery-optimization allowlist and adds itself to it, exempting itself from background restrictions that would otherwise interrupt it.
- EventBot – Targets Barclays, Intesa, BancoPosta, and various other Italian apps. It poses as Microsoft Word or Adobe Flash and can download new malware modules from remote sources.
- Exobot – Targets PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank. It has a very small footprint because it relies on shared system libraries and fetches overlays from the C2 only when they are needed.
- FluBot – Targeted BBVA, CaixaBank, Santander, and various other Spanish apps. The botnet was notorious for its rapid spread via SMS, using the contact lists of compromised devices to reach new victims.
- Medusa – Targets BBVA, CaixaBank, Ziraat, and a range of Turkish bank apps. It can perform on-device fraud by abusing the accessibility service to act on the victim's behalf as if it were the user.
- Sharkbot – Targets Binance, BBVA, and Coinbase. It features a rich set of detection-evasion and anti-removal capabilities, as well as strong encryption of its C2 communication.
- Teabot – Targets PhonePe, Binance, Barclays, Crypto.com, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase. It carries a dedicated keylogger for each targeted app and loads it when the user opens that app.
- Xenomorph – Targets BBVA and various EU-based bank apps. It can also act as a dropper, fetching additional malware onto the compromised device.
As the list shows, each of the ten most prolific banking trojans keeps a relatively narrow targeting scope, with only partial overlap between them, so operators can pick the tool that matches the banks and regions they want to hit.
To protect against these threats, keep your device up to date, install apps only from the Google Play Store, check user reviews and the developer's site before installing, and keep the number of installed apps to a minimum. Since these trojans do regularly slip into the Play Store, Play alone is not a sufficient filter: be suspicious of any app that asks for accessibility service access, notification access, or permission to draw over other apps, as these are exactly the capabilities used for overlays, OTP theft, and on-device fraud, and periodically review which installed apps hold them in the device's Settings.