This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries.
Banking trojans are malware that targets people’s online bank accounts and money by stealing credentials and session cookies, bypassing 2FA protections, and sometimes even performing transactions automatically.
In addition to the ten new trojans launched in 2023, 19 families from 2022 were modified to add new capabilities and increase their operational sophistication.
Mobile security firm Zimperium analyzed all 29 (10 + 19) and reported that the emerging trends include:
- The addition of an automated transfer system (ATS) that captures MFA tokens, initiates transactions, and performs fund transfers.
- The involvement of social engineering steps such as the cybercriminals posing as customer support agents directing victims into downloading the trojan payloads themselves.
- The addition of live screen-sharing capability for direct remote interaction with the infected device.
- Offering the malware in a subscription package to other cybercriminals for $3,000 – $7,000 per month.
The standard features available in most of the examined trojans include keylogging, overlaying phishing pages, and stealing SMS messages.
Another worrying development is that banking trojans are moving past just stealing banking credentials and money and are now also targeting social media, messaging, and personal data.
New banking trojans
Zimperium has examined ten new banking trojans with over 2,100 variants circulated in the wild, masquerading as special utilities, productivity apps, entertainment portals, photography tools, games, and education aids.
These ten new trojans are listed below:
- Nexus: MaaS (malware-as-a-service) with 498 variants offering live screen-sharing, targeting 39 apps in nine countries.
- Godfather: MaaS with 1,171 known variants targeting 237 banking apps in 57 countries. It supports remote screen-sharing.
- Pixpirate: Trojan with 123 known variants powered by an ATS module. It targets ten bank apps.
- Saderat: Trojan with 300 variants targeting eight banking apps in 23 countries.
- Hook: MaaS with 14 known variants powered by live screen-sharing. It targets 468 apps in 43 countries and is rented to cybercriminals for $7k/month.
- PixBankBot: Trojan with three known variants targeting four banking apps. It comes with an ATS module for on-device fraud.
- Xenomorph v3: MaaS operation with six variants capable of ATS operations, targeting 83 bank apps in 14 countries.
- Vultur: Trojan with nine variants targeting 122 banking apps in 15 countries.
- BrasDex: Trojan that targets eight bank apps in Brazil.
- GoatRat: Trojan with 52 known variants empowered by an ATS module, targeting six banking apps.
Of the malware families that existed in 2022 and were updated for 2023, those that maintain notable activity are Teabot, Exobot, Mysterybot, Medusa, Cabossous, Anubis, and Coper.
Regarding the most targeted countries, first on the list is the United States (109 targeted bank apps), followed by the United Kingdom (48 bank apps), Italy (44 apps), Australia (34), Turkey (32), France (30), Spain (29), Portugal (27), Germany (23), and Canada (17).
Staying safe
To protect against those threats, avoid downloading APKs from outside Google Play, Android’s only official app store, and even on that platform, carefully read user reviews and perform a background check on the app’s developer/publisher.
During installation, pay close attention to the requested permissions, and never grant access to the ‘Accessibility Services’ unless you are sure about it.
If an app requests to download an update from an external source upon first launch, it should be treated with suspicion and entirely avoided if possible.
Finally, never tap on links embedded in SMS or email messages from unknown senders.