Top 10 Android Banking Trojans Target Apps With 1 Billion Downloads – BleepingComputer | Hot Mobile Press

The top 10 most prolific Android mobile banking Trojans target 639 financial applications, which together have over a billion downloads on the Google Play Store.

Mobile banking Trojans hide behind seemingly harmless apps like productivity tools and games, and often sneak into the Google Play Store, Android’s official app store.

Once they have infected a device, they overlay login pages over legitimate banking and finance apps to steal account credentials, monitor notifications to steal OTPs, and even commit financial fraud on the device by abusing accessibility features to perform actions as execute user.

According to a report by Zimperium, which provides an overview of the Android ecosystem in Q1 2021, each of these trojans has held a unique place in the market based on how many organizations they target and the features that differentiate them from the rest.

This result is very worrying as according to 2021 surveys, three out of four respondents in the US use banking apps to conduct their daily banking transactions, presenting a huge pool of targets for these trojans.

Most targeted

The United States tops the list of most affected countries with 121 targeted apps. The UK follows with 55 apps, Italy with 43, Turkey with 34, Australia with 33 and France with 31.

The Trojan that attacks the most applications is Teabot, which covers 410 out of 639 of the applications tracked, while Exobot also targets a sizeable pool of 324 applications.

The target application with the most downloads is PhonePe which is very popular in India with 100 million downloads from Play Store.

Binance, the popular cryptocurrency exchange app, has 50 million downloads. Cash App, a mobile payment service serving the US and UK, also has 50 million installs through the Play Store. Both are also targeted by several banking Trojans, even though they don’t offer traditional banking services.

The most widely used application is BBVA, a global online banking portal with tens of millions of downloads. This app is targeted by seven out of the ten most active banking Trojans.

The most prolific Trojans

According to Zimperium, the most prolific banking Trojans in the first quarter of this year are as follows.

  • BianLian – Targets Binance, BBVA and a number of Turkish apps. A new version of the Trojan discovered in April 2022 has a photoTAN bypass, which is considered a strong authentication method in online banking.
  • Cabassos – Targets Barclays, CommBank, Halifax, Lloys and Santander. Uses Domain Generation Algorithm (DGA) to evade detection and deactivation.
  • Coper – Targets BBVA, Caixa Bank, CommBank and Santander. It actively monitors the “allow list” for device battery optimization and modifies it to exempt itself from restrictions.
  • EventBot – Targets Barclays, Intensa, BancoPosta and various other Italian apps. It disguises itself as Microsoft Word or Adobe Flash and is able to download new malware modules from remote sources.
  • exobot – Targets PayPal, Binance, Cash App, Barclays, BBVA and CaixaBank. It is very small and light as it uses shared system libraries and only pulls overlays from the C2 when needed.
  • FluBot – Targeted BBVA, Caixa, Santander and various other Spanish apps. The botnet Trojan was notorious for its rapid spread via SMS and contact lists of compromised devices.
  • medusa – Targets BBVA, CaixaBank, Ziraat and a number of Turkish banking apps. It can perform fraud on the device by abusing the access service to act as a regular user on victim’s behalf.
  • sharkbot – Targets Binance, BBVA and Coinbase. It has a variety of detection bypass and anti-deletion functions, as well as strong C2 communication encryption.
  • teabot – Targets PhonePe, Binance, Barclays,, Postepay, Bank of America, Capital One, Citi Mobile and Coinbase. It has a dedicated keylogger for each app and loads it when the user launches it.
  • xenomorph – Targets BBVA and various EU based banking apps. It can also act as a dropper to fetch additional malware on the compromised device.

As can be seen from the above, each of the ten most prolific banking Trojans maintains its own relatively narrow target range, allowing the ecosystem to be balanced and employees to choose the tool that suits their target audience.

To protect yourself from all these threats, keep your device updated, only install apps from Google Play Store, check user reviews, visit developer’s website and keep count of installed apps on your device a minimum.

Leave a Comment