This year, ten new families of banking Trojans for Android emerged, targeting 985 banking applications from fintechs and financial institutions in 61 countries. Banking Trojans are malware that targets online bank accounts, stealing credentials and session cookies, bypassing two-factor authentication (2FA), and sometimes even performing transactions automatically.
In addition to the ten new Trojans launched this year, 19 families that already existed in 2022 have been modified to add new capabilities and increase their operational sophistication.
Mobile security firm Zimperium analyzed all 29 trojans and reported that emerging trends include:
- The addition of an automated transfer system (ATS) that captures multi-factor authentication (MFA) tokens, initiates transactions, and performs fund transfers.
- The involvement of social engineering steps, such as cybercriminals posing as customer support technicians directing victims to download trojan payloads.
- The addition of a live screen-sharing feature for direct remote interaction with the infected device.
- Offering the malware in a subscription package to other cybercriminals for $3,000 to $7,000 per month.
Standard features available in most Trojans examined include keylogging, phishing page overlay, and stealing SMS messages.
Another worrying development is that banking Trojans are no longer limited to stealing banking credentials and money: they now also target social media accounts, messages and personal data.
New banking trojans
Zimperium examined the ten new banking trojans with more than 2,100 variants circulating on the market, disguised as special utilities, productivity applications, entertainment portals, photography tools, games and educational aids.
The ten new trojans are listed below:
- Nexus: MaaS (malware-as-a-service) with 498 variants offering live screen sharing, targeting 39 apps in nine countries.
- Godfather: MaaS with 1,171 known variants targeting 237 banking applications in 57 countries. It supports remote screen sharing.
- PixPirate: Trojan with 123 known variants, powered by an ATS module. It targets ten banking apps.
- Saderat: Trojan with 300 variants targeting eight banking apps in 23 countries.
- Hook: MaaS with 14 known variants powered by live screen sharing. It targets 468 applications in 43 countries and is rented to cybercriminals for $7,000/month.
- PixBankBot: Trojan with three known variants targeting four banking applications. It comes with an ATS module for on-device fraud.
- Xenomorph v3: MaaS operation with six variants capable of ATS operations, targeting 83 banking applications in 14 countries.
- Vultur: Trojan with nine variants targeting 122 banking applications in 15 countries.
- BrasDex: Trojan that targets eight banking applications in Brazil.
- GoatRat: Trojan with 52 known variants enabled by an ATS module, targeting six banking applications.
Of the malware families that existed in 2022 and were updated this year, those that maintain notable activity are TeaBot, Exobot, MysteryBot, Medusa, Cabassous, Anubis and Coper.
Regarding the most targeted countries, first on the list is the United States (109 targeted banking apps), followed by the United Kingdom (48 banking apps), Italy (44 apps), Australia (34), Turkey (32), France (30), Spain (29), Portugal (27), Germany (23) and Canada (17).
To protect yourself against these threats, avoid downloading APKs from outside of Google Play, Android’s only official app store, and even on that platform, carefully read user reviews and perform a background check on the app’s developer/publisher.
During installation, pay close attention to the permissions requested and never grant access to ‘Accessibility Services’ unless you are certain the app legitimately needs it. If an app asks to download an update from an external source on first launch, treat it with suspicion and avoid it entirely if possible. Finally, never tap links embedded in SMS or email messages from unknown senders.
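The two warning signs above (accessibility access granted to an app, and apps installed from outside Google Play) can be checked on a device over adb. The script below is an added example, not part of the original article or of Zimperium's report; it assumes adb with USB debugging is available, uses a constructed sample of the two command outputs so the parsing runs offline, and the `TRUSTED_A11Y` allowlist is a placeholder for the services you enabled on purpose.

```python
import subprocess

PLAY_STORE = "com.android.vending"
# Assumed allowlist: accessibility services the device owner knowingly enabled.
TRUSTED_A11Y = {"com.android.talkback"}

# Constructed sample of `settings get secure enabled_accessibility_services`
SAMPLE_A11Y = "com.android.talkback/.TalkBackService:com.photo.filterz/.OverlayService"
# Constructed sample of `pm list packages -3 -i` (third-party apps with their installer)
SAMPLE_PKGS = """package:com.bank.mobile  installer=com.android.vending
package:com.photo.filterz  installer=null
package:com.games.puzzle  installer=com.sec.android.app.samsungapps
"""

def parse_accessibility(raw):
    """Package names holding accessibility access; Android prints 'null' when none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.split("/")[0] for entry in raw.split(":") if entry]

def parse_installers(raw):
    """Map third-party package -> installer package (None when side-loaded)."""
    result = {}
    for line in raw.splitlines():
        if not line.startswith("package:"):
            continue
        pkg, _, installer = line[len("package:"):].partition("installer=")
        installer = installer.strip()
        result[pkg.strip()] = None if installer in ("", "null") else installer
    return result

def sideloaded(pkgs_raw):
    """Third-party packages whose recorded installer is not Google Play."""
    return sorted(p for p, src in parse_installers(pkgs_raw).items() if src != PLAY_STORE)

def find_suspects(a11y_raw, pkgs_raw, trusted=TRUSTED_A11Y):
    """Accessibility services outside the allowlist, paired with their install source."""
    installers = parse_installers(pkgs_raw)
    return [(p, installers.get(p)) for p in parse_accessibility(a11y_raw) if p not in trusted]

def adb(*args):
    # Runs only when executed as a script against a connected device.
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    a11y = adb("settings", "get", "secure", "enabled_accessibility_services")
    pkgs = adb("pm", "list", "packages", "-3", "-i")
    print("Accessibility access outside allowlist:", find_suspects(a11y, pkgs))
    print("Installed outside Google Play:", sideloaded(pkgs))
```

An entry with installer `None` is an app that was side-loaded from an APK, which is exactly the combination (accessibility access plus no store provenance) that the overlay and ATS features described above depend on.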
Source: CisoAdvisor, Zimperium