{
	"id": "feff8859-0eda-453a-a618-07a00492a2cf",
	"created_at": "2026-04-06T00:19:22.223127Z",
	"updated_at": "2026-04-10T13:13:01.920563Z",
	"deleted_at": null,
	"sha1_hash": "097a15e3b29146eabf537f08e11337020e22a1be",
	"title": "Revive: from spyware to Android banking trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6555277,
	"plain_text": "Revive: from spyware to Android banking trojan\r\nBy Federico Valentini, Francesco Iubatti\r\nArchived: 2026-04-05 16:39:53 UTC\r\nKey Points\r\nOn June 15, 2022 a new Android banking trojan, dubbed Revive, was discovered in the wild by the Cleafy TIR team.\r\nAccording to the evidence found in its code and its command and control (C2) infrastructure, Revive appears to be in its early stages.\r\nRevive appears to be delivered to Spanish citizens through phishing campaigns targeting customers of a specific top-tier Spanish bank.\r\nRevive will enable Threat Actors (TAs) to perform Account Takeover (ATO) attacks.\r\nCurrently, Revive has three main capabilities:\r\n- Capturing everything written on the device through a keylogger module.\r\n- Performing \"on-device\" phishing attacks through the use of clone pages, which aim to steal banking login credentials.\r\n- Intercepting all SMS received on the infected device, typically from banks and financial institutions in the PSD2 area (e.g. 2FA/OTP authorization codes).\r\nTo increase the attacks' success rate, the TAs created an explainer video to guide victims through the installation once the malicious application has been downloaded.\r\nFigure 1 - Frames of the video shown inside the phishing website\r\nExecutive Summary\r\nIn June 2022, a new Android banking trojan was discovered by the Cleafy TIR team. Given the lack of information and the absence of a proper nomenclature for this malware family, we decided to dub it Revive to better track this family inside our internal Threat Intelligence taxonomy.\r\nThe name Revive was chosen because one of the malware's functionalities (called precisely “revive” by the TAs) restarts the malware in case it stops working.\r\nRevive belongs to a category of malware used for persistent campaigns, as it was developed and tailored for a specific target. This type of malware is quite different from other famous Android banking trojans, such as TeaBot or SharkBot, which are able, at the same time, to attack multiple banking/crypto apps installed on the infected device through their modular architecture.\r\nhttps://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan\r\nPage 1 of 8\r\nHowever, the attack methodology of Revive is similar to that of other banking trojans, as it still abuses the Accessibility Services to perform keylogging and to intercept the victim's SMS messages. The combination of these features is enough to perform Account Takeover (ATO) attacks, since the TAs are able to obtain login credentials and the 2FA/OTP codes sent via SMS by banks.\r\nSo far, both samples of Revive have a very low detection rate among antivirus solutions (AVs). As shown in Figure 2, the second sample has a zero detection rate, since the malware is clearly still under development.\r\nFigure 2 – Two samples of Revive and their AV detection\r\nTechnical Analysis\r\nFigure 3 - Phishing website used to deliver Revive\r\nAs in the majority of cases, Revive uses different social engineering techniques to appear as a legitimate app in order to mislead victims. In fact, the malware is delivered through a phishing page and poses as a new 2FA app of the targeted bank.\r\nOnce the victim downloads the malware, Revive tries to obtain the Accessibility Service permission through a pop-up. This permission is required by the malware's functionality, namely monitoring and stealing information from the victim's device.\r\nFigure 4 – Installation of Revive\r\nWhen the victim opens the malicious app for the first time, Revive asks the user to accept two permissions related to SMS and phone calls. After that, a clone page (of the targeted bank) appears to the user (as shown in Figure 5) and, if the login credentials are entered, they are sent to the TAs' C2. The malware then shows a generic home page with different links that redirect to the legitimate bank website.\r\nFigure 5 – Stolen credentials are sent to the C2\r\nAnalyzing the code, our hypothesis is that the developer of Revive took inspiration from an open source spyware called “Teardroid”, available on GitHub [3], since there are some code and naming similarities both in the application and in the C2 infrastructure used. However, Teardroid is a spyware with different capabilities, while Revive has been developed with a different purpose. The TAs removed some features of Teardroid and added new ones in this new variant, enabling ATO attacks. This is why Revive can be considered a banking trojan instead of a spyware.\r\nFigure 6 – Teardroid project hosted on GitHub\r\nFigure 7 – Example of comparison between Teardroid and Revive\r\nMoving to its C2 infrastructure, other similar features can be observed as well, since both appear to be based on FastAPI, a web framework for developing RESTful APIs in Python, similar to Django/Flask.\r\nIn fact, it appears that the TAs also created a variant of the Teardroid control panel [4], adapting it to their needs during a fraud operation (e.g. collecting valid credentials, intercepting SMS messages, etc.).\r\nThe following figure shows some of the similarities found during our investigation:\r\nFigure 8 – C2 infrastructure similarities\r\nRevive has been developed with the goal of performing ATO attacks against a specific target. In order to achieve this task, the malware has three capabilities:\r\n- Stealing the login credentials. This can be achieved both with the clone page shown to the user and with the keylogger feature, through the abuse of the Accessibility Services.\r\n- Intercepting all messages received on the infected device, with the aim of obtaining the bank's 2FA code sent to the user via SMS.\r\n- Grabbing everything that the user writes on the device (e.g. credentials, messages, phone numbers, etc., as shown in Figure 10). This information is saved in a local database and sent to the C2 server.\r\nFigure 9 – Information stolen by Revive and sent to the C2 server\r\nFigure 10 - Keylogger functionality\r\n[3] https://github.com/ScRiPt1337/Teardroid-phprat\r\n[4] https://github.com/ScRiPt1337/Teardroidv4_api\r\nFinal Considerations\r\nAlongside the well-known Android banking trojans, like SharkBot, TeaBot or Oscorp/UBEL, which are complex malware with multiple features able to carry out advanced attacks like ATO/ATS, there are also small and tailored campaigns, probably conducted by local TAs. The latter types of scenarios can sometimes be more difficult to intercept, since the malware is usually written from scratch (and often not detected by antivirus solutions), with few features tailored for only one target, and the campaigns are carried out for only a few days.\r\nAt the time of writing, it is difficult to make a hypothesis about the future of Revive, since the malware is still in its early stages (although it is already able to perform ATO attacks); the TAs could improve it along multiple paths (e.g. adding new features and transforming Revive into a RAT, or customizing the malware for other targets).\r\nAppendix 1: IOCs\r\nIoC | Description\r\n4240473028f88a3ef54f86f1cd387f24 | Revive sample\r\ncf704e63652c23c2d609e9a01659511c | Revive sample\r\n80[.]85[.]153[.]49 | C2 server\r\nbbva.appsecureguide[.]com | Phishing website used to deliver Revive\r\nbbva.european2fa[.]com | Phishing website used to deliver Revive\r\nSource: https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/revive-from-spyware-to-android-banking-trojan"
	],
	"report_names": [
		"revive-from-spyware-to-android-banking-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434762,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/097a15e3b29146eabf537f08e11337020e22a1be.pdf",
		"text": "https://archive.orkl.eu/097a15e3b29146eabf537f08e11337020e22a1be.txt",
		"img": "https://archive.orkl.eu/097a15e3b29146eabf537f08e11337020e22a1be.jpg"
	}
}