{
	"id": "a5bf57f4-929c-418e-b637-57d26317abe6",
	"created_at": "2026-04-06T00:08:32.408165Z",
	"updated_at": "2026-04-10T03:30:32.879985Z",
	"deleted_at": null,
	"sha1_hash": "1a09ec141697d3bd98cccb953a2f7b8b5c87bdc8",
	"title": "New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1266005,
	"plain_text": "New Android Trojan “Xbot” Phishes Credit Cards and Bank\r\nAccounts, Encrypts Devices for Ransom\r\nBy Cong Zheng, Claud Xiao, Zhi Xu\r\nPublished: 2016-02-18 · Archived: 2026-04-05 15:41:31 UTC\r\nWe recently discovered 22 Android apps that belong to a new Trojan family we’re calling “Xbot”. This Trojan,\r\nwhich is still under development and regularly updated, is already capable of multiple malicious behaviors. It tries\r\nto steal victims’ banking credentials and credit card information via phishing pages crafted to mimic Google\r\nPlay’s payment interface as well as the login pages of 7 different banks’ apps. It can also remotely lock infected\r\nAndroid devices, encrypt the user’s files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal\r\ncash card as ransom. In addition, Xbot will steal all SMS messages and contact information, intercept certain SMS\r\nmessages, and parse SMS messages for mTANs (Mobile Transaction Authentication Numbers) from banks.\r\nSo far the malware doesn’t appear to be widespread, and some markers in its code and faked app interfaces\r\nindicate that, at least for now, it mainly targets Android users in Russia and Australia. Of note, of the seven\r\nbank apps it is seen to imitate, six belong to some of the most popular banks in Australia. However, Xbot\r\nwas implemented in a flexible architecture that could be easily extended to target more Android apps. Given we\r\nalso observed the author making regular updates and improvements, this malware could soon threaten Android\r\nusers around the world.\r\nXbot primarily uses a popular attack technique called “activity hijacking”, abusing some features in Android.\r\nThe apps Xbot is mimicking are not themselves being exploited. 
Starting with Android 5.0, Google adopted a\r\nprotection mechanism to mitigate this attack but other attack approaches used by Xbot are still affecting all\r\nversions of Android.\r\nXbot’s Evolution and Spreading\r\nWe believe Xbot is a successor to the Android Trojan Aulrin that was first discovered in 2014. Xbot and Aulrin\r\nhave very similar code structures and behaviors, and some resource files in Aulrin are also in Xbot samples. The\r\nmain difference between them is that Xbot implements its behaviors using JavaScript through Mozilla’s Rhino\r\nframework, while Aulrin used Lua and .NET framework. The earliest sample of Xbot we found was compiled in\r\nMay 2015 and while comparing Xbot to Aulrin, it seemed to us the author re-wrote Aulrin using a different\r\nlanguage and framework. The author has also progressively made Xbot more complex; the most recent versions\r\nuse Dexguard, a legitimate tool intended to protect Android apps by making them difficult to reverse engineer or\r\nbe tampered with.\r\nWe are not clear how Xbot spreads in the wild. However, using VirusTotal we found samples that were hosted on\r\nthe below URLs over the past several months:\r\nhxxp://market155[.]ru/Install.apk\r\nhxxp://illuminatework[.]ru/Install.apk\r\nhttps://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/\r\nPage 1 of 11\n\nhxxp://yetiathome15[.]ru/Install.apk\r\nhxxp://leeroywork3[.]co/install.apk\r\nhxxp://morning3[.]ru/install.apk\r\nThere are several things that imply the developer of Xbot could be of Russian origin. The earlier versions of Xbot\r\ndisplayed a fake notification in Russian for Google Play phishing, there are Russian comments in its JavaScript\r\ncode, and the domains we’ve uncovered were registered via a Russian registrar. 
Xbot will also intercept SMS\r\nmessages from a specific bank in Russia and parse them for bank account information, which it will exfiltrate if\r\nfound. While later versions use English instead of Russian for the notification, the language was not changed\r\nelsewhere.\r\nFigure 1. Xbot's JavaScript code commented in Russian.\r\nPhishing for Credit Cards and Bank Accounts\r\nAfter being installed on an Android device, Xbot will start communicating with its C2 server. When certain\r\ncommands are received, it will launch phishing attacks at users of Google Play and certain Australian bank apps.\r\nWe observed three different phishing approaches and one use of activity hijacking. The four approaches with their\r\ncommands are shown in Figure 2.\r\nFigure 2. Xbot's phishing commands.\r\nIf the C2 command is “cc_notify”, Xbot will display a fake system notification to the victim with the Google Play\r\nlogo and the text “Add payment method” in either Russian or English (Figure 3). This imitates an actual popup the\r\nofficial Google Play app will show a user that has registered for the service but not yet provided a credit card.\r\nHowever, Xbot will display this whenever it receives the command, regardless of whether the Google Play app\r\nalready has a credit card tied to it.\r\nFigure 3. Code to display the fake notification in Russian or English.\r\nIf a victim clicks the fake notification, Xbot connects to its C2 server to download a webpage and display it with\r\nWebView. The page looks like Google Play’s actual interface for credit card information (Figure 4). Its user\r\ninteraction procedures are also almost exactly the same as the legitimate version. All information input into this\r\npage will be uploaded to its C2 server (Figure 5). 
The information it asks for includes:\r\ncredit card number\r\nexpiration date\r\nCVV number\r\ncard holder’s name\r\ncard holder’s billing address\r\ncard holder’s phone number\r\nVBV (Verified by Visa) or McSec (MasterCard SecureCode) number\r\nFigure 4. Fake Google Play payment pages.\r\nFigure 5. JavaScript code for uploading credit card information.\r\nIf the C2 command is “cc_dialog”, the fake notification step will be skipped and the fake Google Play webpage\r\nwill be directly displayed to victims.\r\nIf the C2 command is “enable_inject”, Xbot will begin to monitor currently running apps via the\r\ngetRunningTasks() API in Android. If the app running in the foreground is Google Play or one of several\r\nAustralian bank apps (specified by the C2 server via the “add_inject” command), Xbot immediately pops up\r\nanother interface on top of the running app (Figure 6). This is a classic attack technique called “activity\r\nhijacking”. Note that Android 5.0 implemented a security enhancement to keep apps from getting running app\r\ninformation through the getRunningTasks() API. So this attack won’t be effective on devices running Android 5.0\r\nor later.\r\nFigure 6. Code for hijacking Google Play and banking apps.\r\nIn the activity hijacking attack scenario, the faked app interfaces are also webpages downloaded from a C2 and\r\ndisplayed by WebView. So far we’ve found 7 different faked interfaces. We identified 6 of them – they’re\r\nimitating apps for some of the most popular banks in Australia. The interfaces are very similar to these banks’\r\nofficial apps’ login interfaces. 
If a victim fills out the form, the bank account number, password, and security\r\ntokens will be sent to the C2 server (Figure 8).\r\nIt’s worth noting that, since Xbot’s C2 server can remotely decide which faked app webpage to display, it would\r\nbe easy to expand this attack to more apps without even having to update the code.\r\nFigure 7. Example of an Xbot banking app phishing interface.\r\nFigure 8. JavaScript code for uploading bank login information.\r\nLocking, Encrypting, and Ransoming\r\nAfter being installed, Xbot asks the user to authorize it as a device administrator. Then, if the C2 server sends the\r\ncommand “killon”, it will change the phone to silent mode, reset the password to “1811blabla”, then toggle the\r\ndevice screen to activate the new password.\r\nFigure 9. Code to change the device password.\r\nIf the C2 command is “enable_locker”, Xbot will display a ransom webpage claiming to be Cryptolocker, still\r\nusing WebView, from either “hxxp://23[.]227.163.110/locker.php” or another address specified by the C2 server.\r\nWhen we were analyzing the sample, the webpage came from its C2 server, as seen in Figure 10:\r\nFigure 10. Xbot ransom page.\r\nXbot also handles the onBackPressed(), onDestroy() and onPause() callback methods to prevent the user from\r\nexiting. Xbot will also encrypt the victim’s files in external storage (Figure 11). 
Currently, the encryption\r\nalgorithm is pretty simple: just XOR each byte in all files by the fixed integer number 50.\r\nFigure 11. Code to encrypt files in external storage.\r\nAccording to the ransom webpage, the victim has to purchase a U.S. $100 PayPal My Cash Card from\r\nwww.paypal-cash[.]com, and input the card number within 5 days. The webpage also says it’s impossible to\r\ndecrypt the files by yourself, which is obviously not true for existing samples.\r\nIt should be noted that since the ransom page comes from a remote server, the attacker can update it to change the\r\npayment method and/or the amount of money at any time.\r\nInformation Stealing\r\nXbot has some additional capabilities. It will collect all contacts’ names and phone numbers and upload them to its\r\nC2 server, as well as all new SMS messages. In some samples, Xbot will also intercept and parse specific SMS\r\nmessages. It parses all SMS messages sent by a specific premium rate SMS short number in an attempt to collect\r\nthe victim’s account and confirmation numbers from a bank in Russia, and then uploads the information to its C2\r\nserver.\r\nFigure 12. Code to steal SMS messages from a bank in Russia.\r\nConclusion\r\nWhile Android users running version 5.0 or later are so far protected from some of Xbot’s malicious behaviors, all\r\nusers are vulnerable to at least some of its capabilities. 
As the author appears to be putting considerable time and\r\neffort into making this Trojan more complex and harder to detect, it’s likely that its ability to infect users and\r\nremain hidden will only grow, and that the attacker will expand its target base to other regions around the world.\r\nWe’ll continue to watch and report on this threat as the attacker introduces new versions. We also want to re-emphasize that the banking apps imitated by Xbot are not themselves being exploited.\r\nCustomers of Palo Alto Networks are protected with our WildFire, URL filtering, and IPS services. An AutoFocus\r\ntag has also been created to identify this family and its variants. Customers can also refer to IPS signature (13997)\r\nfor details about Xbot C2 traffic information.\r\nAcknowledgments\r\nWe greatly appreciate the help from Rongbo Shao, Yi Ren, Bowen Jiao, Michael Scott, Jen Miller-Osborn, Chad\r\nBerndtson, Chris Clark, and Ryan Olson from Palo Alto Networks in working on the analysis and coverage of the\r\nXbot family.\r\nIOCs\r\nSample 
hashes\r\ndfda8e52df5ba1852d518220363f81a06f51910397627df6cdde98d15948de65\r\ne905d9d4bc59104cfd3fc50c167e0d8b20e4bd40628ad01b701a515dd4311449\r\nf2cfbc2f836f3065d5706b9f49f55bbd9c1dae2073a606c8ee01e4bbd223f29f\r\n029758783d2f9d8fd368392a6b7fdf5aa76931f85d6458125b6e8e1cadcdc9b4\r\n1264c25d67d41f52102573d3c528bcddda42129df5052881f7e98b4a90f61f23\r\n20bf4c9d0a84ac0f711ccf34110f526f2b216ae74c2a96de3d90e771e9de2ad4\r\n33230c13dcc066e05daded0641f0af21d624119a5bb8c131ca6d2e21cd8edc1a\r\n4b5ef7c8150e764cc0782eab7ca7349c02c78fceb1036ce3064d35037913f5b6\r\n7e939552f5b97a1f58c2202e1ab368f355d35137057ae04e7639fc9c4771af7e\r\n93172b122577979ca41c3be75786fdeefa4b80a6c3df7d821dfecefca1aa6b05\r\na22b55aaf5d35e9bbc48914b92a76de1c707aaa2a5f93f50a2885b0ca4f15f01\r\nd082ec8619e176467ce8b8a62c2d2866d611d426dd413634f6f5f5926c451850\r\na94cac6df6866df41abde7d4ecf155e684207eedafc06243a21a598a4b658729\r\n58af00ef7a70d1e4da8e73edcb974f6ab90a62fbdc747f6ec4b021c03665366a\r\n7e47aaa8a1dda7a413aa38a622ac7d70cc2add1137fdaa7ccbf0ae3d9b38b335\r\nd1e5b88d48ae5e6bf1a79dfefa32432b7f14342c2d78b3e5406b93ffef37da03\r\nc2354b1d1401e31607c770c6e5b4b26dd0374c19cc54fc5db071e5a5af624ecc\r\n12f75b8f58e1a0d88a222f79b2ad3b7f04fd833acb096bb30f28294635b53637\r\n1b84e7154efd88ece8d6d79afe5dd7f4cda737b07222405067295091e4693d1b\r\n616b13d0a668fd904a60f7e6e18b19476614991c27ef5ed7b86066b28952befc\r\n2e2173420c0ec220b831f1c705173c193536277112a9716b6f1ead6f2cad3c9e\r\n595fa0c6b7aa64c455682e2f19d174fe4e72899650e63ab75f63d04d1c538c00\r\nC2 Servers and Malicious 
URLs\r\nmelon25[.]ru\r\n81[.]94.205.226:8021\r\n104[.]219.250.16:8022\r\nhxxp://52[.]24.219.3/action.php\r\nhxxp://192[.]227.137.154/request.php\r\nhxxp://23[.]227.163.110/locker.php\r\nhxxp://market155[.]ru/Install.apk\r\nhxxp://illuminatework[.]ru/Install.apk\r\nhxxp://yetiathome15[.]ru/Install.apk\r\nhxxp://leeroywork3[.]co/install.apk\r\nhxxp://morning3[.]ru/install.apk\r\nSource: https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
	],
	"report_names": [
		"new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434112,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a09ec141697d3bd98cccb953a2f7b8b5c87bdc8.pdf",
		"text": "https://archive.orkl.eu/1a09ec141697d3bd98cccb953a2f7b8b5c87bdc8.txt",
		"img": "https://archive.orkl.eu/1a09ec141697d3bd98cccb953a2f7b8b5c87bdc8.jpg"
	}
}