{
	"id": "ef1df9e2-9b05-4f4a-b850-3dad7c1ac577",
	"created_at": "2026-04-06T00:12:27.090464Z",
	"updated_at": "2026-04-10T03:30:33.792853Z",
	"deleted_at": null,
	"sha1_hash": "123cd3ff0680afa392cc5df9ab985d24b0ea3db0",
	"title": "Banking malware on Google Play targets Polish banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1121233,
	"plain_text": "Banking malware on Google Play targets Polish banks\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 14:53:49 UTC\r\nESET Research\r\n11 Dec 2017 • 3 min. read\r\nAnother set of banking Trojans has found its way past Google Play’s security mechanisms, this time targeting a\r\nnumber of Polish banks. The malware managed to sneak into Google Play disguised as seemingly legitimate apps\r\n“Crypto Monitor”, a cryptocurrency price tracking app, and “StorySaver”, a third-party tool for downloading\r\nstories from Instagram.\r\nBesides delivering the promised functionalities, the malicious apps can display fake notifications and login forms\r\nseemingly coming from legitimate banking applications, harvest credentials entered into the fake forms, as well as\r\nintercept text messages to bypass SMS-based 2-factor authentication.\r\nhttps://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/\r\nPage 1 of 6\n\nThe same trojan, only under a different disguise, was recently spotted on Google Play by researchers at RiskIQ,\r\nwho published their analysis of the threat in a November 9 report.\r\nThe malicious apps\r\nThe first of the malicious apps we came across, “Crypto Monitor”, was uploaded to the store on November 25,\r\n2017 under the developer name walltestudio. The other app, “StorySaver” with the developer name\r\nkirillsamsonov45, appeared on Google Play on November 29.\r\nTogether, the apps had reached between 1000 and 5000 downloads at the time we reported them to Google on\r\nDecember 4. 
Both apps have since been removed from the store.\r\nFigure 1 – The malicious apps discovered on Google Play\r\nAfter the malicious apps are launched, they compare the apps installed on the compromised device against a list of\r\ntargeted banking apps – in this case, the official apps of fourteen Polish banks (the list of specific banking apps\r\ncan be found at the end).\r\nIf any of the fourteen apps are found on the device, the malware can display fake login forms imitating those of\r\nthe targeted legitimate apps. This may happen without any action on the user’s side, or after the user clicks on a\r\nfake notification displayed by the malware, seemingly on behalf of the bank.\r\nFigure 2 – Fake notification displayed by the malicious “StorySaver” app\r\nFigure 3 – Left: Fake login form; Right: legitimate login form\r\nESET’s security systems detect the threat as Android/Spy.Banker.QL and prevent it from getting installed.\r\nESET telemetry shows that 96% of the detections come from Poland (the remaining 4% from Austria), apparently\r\ndue to local social engineering campaigns propagating the malicious apps.\r\nHow to stay safe\r\nThe good news is that this particular banking malware doesn’t use any advanced tricks to ensure its persistence on\r\naffected devices. 
Therefore, if you’ve installed any of the above described malicious apps, you can remove them\r\nby going to Settings \u003e (General) \u003e Application manager/Apps, searching for either “StorySaver” or “Crypto\r\nMonitor” and uninstalling them.\r\nThe bad news, however, is that if you have installed one of the apps on a device on which you use any of the\r\nfourteen targeted banking apps listed below, the crooks might already have access to your bank account. We\r\nadvise you to check your bank account for suspicious transactions and seriously consider changing pin codes.\r\nTo avoid falling prey to mobile malware in the future, make sure to always check app ratings and reviews, pay\r\nattention to what permissions you grant to apps, and use a reputable mobile security solution to detect and block\r\nlatest threats.\r\nTargeted banking apps\r\nFigure 4 – Icons of the targeted banking apps\r\nIoCs\r\nPackage Name Hash Phishing server\r\nin.crypto.monitor.coins 57A96D024E61F683020BE46173D74FAD4CF05806 nelis.at\r\ncom.app.storysavernew 757EA52DB39E9CDBF5E2E95485801E3E4B19020D sdljfkh1313.win\r\nSpecial thanks to Witold Precikowski for bringing one of the malicious apps to our attention.\r\nSource: https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/"
	],
	"report_names": [
		"banking-malware-targets-polish-banks"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434347,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/123cd3ff0680afa392cc5df9ab985d24b0ea3db0.pdf",
		"text": "https://archive.orkl.eu/123cd3ff0680afa392cc5df9ab985d24b0ea3db0.txt",
		"img": "https://archive.orkl.eu/123cd3ff0680afa392cc5df9ab985d24b0ea3db0.jpg"
	}
}