This year, 10 new Android banking malware families have emerged, targeting a total of 985 banking and fintech/transaction apps from financial institutions in 61 countries.
Banking Trojans are malware that targets people’s online bank accounts and money by stealing credentials and session cookies, bypassing 2FA protections, and sometimes automatically performing transactions.
In addition to the 10 new Trojan families launched in 2023, 19 families from 2022 have been modified to add new features and refine their operations.
Mobile security company Zimperium analyzed all 29 cases (10 + 19) and reported the following emerging trends:
- Addition of an automated transfer system (ATS) to acquire MFA tokens, initiate transactions, and perform fund transfers.
- Use of social engineering steps, with cybercriminals posing as customer support agents and tricking victims into downloading the Trojan payloads themselves.
- Addition of live screen sharing functionality to directly and remotely interact with infected devices.
- Offering of the malware to other cybercriminals in subscription packages for $3,000 to $7,000 per month.
Standard features available in most of the investigated Trojans include keylogging, phishing page overlays, and SMS message theft.
Another alarming development is that banking Trojans are not only stealing banking credentials and money, but also targeting social media, messaging, and personal data.
New banking Trojans
Zimperium examined 10 new banking Trojans, with more than 2,100 variants circulating under the guise of special utilities, productivity apps, entertainment portals, photo tools, games, and educational aids.
These 10 new Trojans are listed below.
- Nexus: MaaS (Malware as a Service) with 498 variants offering live screen sharing, targeting 39 apps in 9 countries.
- Godfather: MaaS with 1,171 known variants targeting 237 banking apps in 57 countries. Supports remote screen sharing.
- PixPirate: Trojan with 123 known variants that uses an ATS module. It targets 10 banking apps.
- Saderat: Trojan with 300 variants targeting 8 banking apps in 23 countries.
- Needle: MaaS with 14 known variants with live screen sharing. It targets 468 apps in 43 countries and is rented to cybercriminals for $7,000 per month.
- PixBankBot: Trojan with 3 known variants targeting 4 banking apps. Comes with an ATS module to carry out fraud on the device.
- Xenomorph v3: MaaS operation with 6 variants capable of ATS operations, targeting 83 banking apps in 14 countries.
- Walter: Trojan with 9 variants targeting 122 banking apps in 15 countries.
- BrasDex: Trojan targeting 8 banking apps in Brazil.
- GoatRat: Trojan with 52 known variants that uses an ATS module and targets 6 banking apps.
Malware families present in 2022 and updated in 2023 that maintain notable activity include Teabot, Exobot, Mysterybot, Medusa, Cabassous, Anubis, and Coper.
In terms of most targeted countries, the US tops the list (109 targeted banking apps), followed by the UK (48 banking apps), Italy (44 apps), Australia (34), and Turkey ( France (30), Spain (29), Portugal (27), Germany (23), and Canada (17).
Stay safe
To protect yourself from these threats, avoid downloading APKs from sources other than Google Play, the only official app store for Android. Even on that platform, carefully read user reviews and perform a background check on the app's developer/publisher.
During installation, pay close attention to the requested permissions and never allow access to “Accessibility Services” unless you are sure.
If an app requests to download an update from an external source on first launch, it should be treated with suspicion and avoided completely if possible.
Finally, never tap links embedded in SMS or email messages from unknown senders.
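The permission advice above can also be applied by a defender reviewing an app before it is allowed onto managed devices. The following is an added example, not code from Zimperium or from the original article: it reads an AndroidManifest.xml that has already been decoded to text XML and reports the permissions that correspond to the behaviours listed earlier (accessibility abuse, overlays, SMS theft, externally downloaded updates). The sample manifest, the package name, and the "accessibility plus one other signal" threshold are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Manifest signals mapped to the behaviours named in the article.
SIGNALS = {
    P + "BIND_ACCESSIBILITY_SERVICE": "accessibility service (keylogging, remote interaction)",
    P + "SYSTEM_ALERT_WINDOW": "draws over other apps (phishing overlays)",
    P + "RECEIVE_SMS": "SMS interception",
    P + "READ_SMS": "SMS interception",
    P + "REQUEST_INSTALL_PACKAGES": "installs further APKs (external 'update')",
}

# Constructed sample manifest for a hypothetical "photo tool" app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.phototool">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return a sorted list of (permission, reason) found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    found = set()
    for el in root.iter("uses-permission"):
        found.add(el.get(ANDROID + "name"))
    # Accessibility services are declared as <service android:permission=...>.
    for el in root.iter("service"):
        found.add(el.get(ANDROID + "permission"))
    return sorted((p, SIGNALS[p]) for p in found if p in SIGNALS)

def needs_review(hits):
    """Assumed threshold: accessibility combined with at least one other signal."""
    perms = {p for p, _ in hits}
    return P + "BIND_ACCESSIBILITY_SERVICE" in perms and len(perms) >= 2

if __name__ == "__main__":
    hits = triage_manifest(SAMPLE)
    for perm, reason in hits:
        print(f"{perm}: {reason}")
    print("manual review recommended:", needs_review(hits))
```

Legitimate apps such as screen readers also bind an accessibility service, so a hit is a prompt for manual review rather than a verdict.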