# Cerberus is Dead, Long Live Cerberus?

**blog.cyberint.com/cerberus-is-dead-long-live-cerberus**

## Executive Summary


November 5, 2020


This blog provides an overview of the situation surrounding the release of the source code,
and supplementary ‘injection’ files, for the Android banking trojan ‘Cerberus’. In addition to
the source code for two versions of the malicious application along with the control panel
being freely available on various underground forums, over two hundred injection files, those
being HTML pages that mimic the look of legitimate Android apps, have been distributed and
could allow the theft of credentials and/or payment card data.

Given that the current threat from Cerberus was countered by Google Play Protect, Google’s
own Android antimalware solution, other threat actors may act on comments from Cerberus’
creators to restore the threat, or simply use the source code to create, or further develop,
their own Android threats.

Recent reports indicate that Cerberus is now targeting Android users in Russia as well as
countries within the Commonwealth of Independent States (CIS), suggesting that some ‘lesspatriotic’ threat groups have modified the source code and removed these previously defined
‘safe countries’. Other than this activity, no other regions have been specifically identified at
increased risk.


-----

As time elapses and threat actors gain a better understanding of the released code, others
may seek to utilize it, or the injection pages, in their own threats or campaigns. This is
especially true given the availability of a Cerberus ‘installation service’, costing just USD 300,
that could allow a lower-sophistication threat actor to gain access to a working Cerberus
control panel with Android application package (APK) builder for a fraction of its former cost.

## Introduction

Believed to have been in development for some time and used privately for around two years
prior to being first observed by cybersecurity researchers in June 2019, Cerberus is an
Android banking trojan that was available via a malware-as-as-service (Maas) offering as
advertised on underground forums (Figure 1).

_Figure 1 – Cerberus advertisement banners (Bottom: Updated for Cerberus V2)_

As is common for threats of this nature, Cerberus supports various capabilities out-of-thebox, such as the ability to interact with, and steal data from, a compromised device including
contacts, SMS interception and call forwarding, as well as selling addons in the form of
‘injections’ that allow credentials and/or payment card data to be stolen from specific
legitimate applications.

Reportedly earning the creators at least USD 10,000 a month during its peak, not
withstanding any ill-gotten gains made from stolen data, the MaaS model used to rent
access to Cerberus’ infrastructure was, when not discounted (Figure 2), available in three
packages (USD 4,000 for 3 months, USD 7,000 for 6 months and USD 12,000 for one year
of access) in addition to injections reportedly selling for USD 4,000 each.


-----

_Figure 2 – Cerberus ‘Winter Sale’_

Having purchased a licence, nefarious users would gain access to the Cerberus control
panel which allowed them to build an Android application package (Figure 3), in the form of
an ‘APK’ file ready for distribution to victims, as well as providing them with the ability to
manage their compromised devices and access any stolen data (Figure 4).


-----

Figure 3 – Cerberus APK builder (added to the platform in July 2019)


-----

_Figure 4 – Cerberus Control Panel_

Having configured and generated an APK payload file, threat actors would then need to
deliver this to victims likely through the use of social engineering tactics and campaigns such
as ‘fake media player’ messages shown to Android users visiting a compromised or
malicious website (Figure 5) as well as fake mobile apps uploaded to various app stores and
even the use of COVID-19 themes during the global pandemic.

_Figure 5 – Cerberus distributed via fake Adobe Flash Player (Credit: ESET Research)_

Reportedly one of the most successful Android banking trojans and MaaS threats of 2019
and into 2020, Cerberus’ reign came to a somewhat abrupt end in August 2020 with the
creator citing ‘internal issues’ that prevented ongoing development and undoubtedly
contributed to the threat being detected and blocked by Google’s built-in antimalware
protection ‘Google Play Protect’.

## Attempted Sale


-----

Whilst still in development as late as 21 July 2020, seemingly the period between 22 and 26
July 2020 saw Cerberus being detected by Google Play Protect and customers taking to the
forum to complain about their ‘bots dropping off’.

In response to these complaints, ‘Android’, Cerberus’ creator or the group’s spokesperson,
suggested on 28 July 2020 that the threat was still operational, albeit requiring the use of a
‘cryptor’ to prevent detection (Figure 6).

_Figure 6 – ‘Android’ responding in English, rather than Russian, to various complaints about_
_Cerberus on 28 July 2020_

Tools known as ‘cryptors’ are often used by malware authors and utilize various encryption
routines to thwart the analysis of malicious binaries as well as obfuscating or modifying their
code to evade detection signatures. In this instance, it appears that the solution to Cerberus’
problems was not as simple as using a ‘cryptor’ and was promptly followed by the group
ceasing development following ‘internal issues’.

In addition to the threat group reportedly disbanding, with existing Ceberus infections being
in-operational due to their detection, the malware-as-a-service (MaaS) offering, including all
source code, installation guides, and setup scripts along with details of current and
prospective customers, was reportedly offered for auction at the end of July 2020 with a
starting price of USD 50,000 and a ‘buy-it-now’ price of USD 100,000.

Appearing somewhat steeply priced, it is likely that a suitably motivated and skilled threat
actor could have recouped their outlay within a year, especially given the reported USD
10,000 monthly earnings, although, given that the auction failed to find a buyer, the ‘market’
didn’t agree with this valuation or the viability of Cerberus following its detection by Google
Play Protect.

## Source Code Release

Following the failed auction attempt, and potentially in an attempt to restore confidence in the
group, ‘Android’ posted a message to the ‘XSS[.]is’ forum on 5 August 2020 to confirm that
they would be fulfilling any financial commitments to existing customers, presumably by
refunding them any access payments, and that the source code would be made available to
the forum’s members (Figure 7).


-----

Figure 7 – Forum post indicating the release of the Cerberus Source Code to members of
XSS[.]is

Translation:

v2 version. Flipper.

Since our team (before that the team) ran this business cleanly, as beautifully as possible,
we will finish it beautifully.

For 70% of clients, financial obligations have already been closed. The remaining ones are
asked to unsubscribe in a PM or Telegram, do not forget to write your Jabber, the license key
and the server IP. This is so that I can be sure that you are the owner of the license. It is also
advisable to attach the APK file.

Sources to be torn apart, especially for xss[.]is

Cerberus v1 + Cerberus v2 + install scripts + admin panel + sql db

Seemingly available on various underground forums from around 7 August 2020, a
subsequent post by ‘Android’ on the XSS[.]is forum on 10 August 2020 included a cleanedup archive (Figure 8).

Figure 8 – Cerberus source code release on XSS[.]is

Translation:

Guys, and wrap-up.


-----

Cerberus v1 + Cerberus v2 + install scripts + admin panel + sql db

Archive cleared of garbage.

Everything for those who want to start their own business. Full pack.
In the header, I replaced the link to it.

For moderators, please re-upload to other [file sharing services] so that the file will live for a
long time.

Analysis of the source code archive indicates that the directories have modification dates of
5 August 2020, confirming the archive creation of the file that aligns with the forum posts,
whilst the files, excluding any open-source libraries used, have various modification dates
between 31 March 2019 and July 21 2020, again consistent with what is known about
Cerberus’ recent development.

**_Note: For reference, sample file hashes for the released Cerberus source code are provided_**
_in Appendix A._

Included within the main archive are four main directories:
```
   moduleBot2 – Java source code and assets for the Cerberus v2 Android payload

```
including build files for use with the ‘Gradle’ build automation tool. Based on application
icons found within the directory structure, the threat appears to mimic a ‘Santander’
banking app but it is understood that this would be customizable when using the
‘builder’ control panel.
```
   panel_v2 – HTML, JavaScript and PHP source code for the server that provides the

```
Cerberus control panel, APK payload builder and the command and control (C2) callhome ‘gate.php’ script. Notably, the payload builder takes parameters from the threat
actor and then executes the Gradle build automation tool before allowing the payload
to be downloaded. Additionally, ‘cryptor’ code appears within this directory that could
allow payloads to thwart analysis or detection albeit, based on the Google Play Protect
detection, this has been countered.
```
   restapi_v2 – Seemingly allowing interactions between bots and the C2

```
server/control panel, the REST API directory includes PHP code and provides an
insight into the status of a bot including the relatively short period of time elapsed for it
to be considered ‘dead’ (albeit understandable given that most people will keep their
mobile phone online at all times):
```
      0 – Online (Bot has been visible within the last 2 minutes);
      1 – Offline (Bot has been visible within the 40hrs but not last 2 minutes);
      2 – Dead (Bot has not been seen within the last 40hrs);

```

-----

```
   source_mmm – Java source code and assets for the Cerberus v1 Android payload,

```
again including build files for use with the ‘Gradle’ build automation tool.
Furthermore, a SQL dump file is included within the archive and provides an insight
into the backend database behind the Cerberus control panel. In addition to this
database backup detailing the data stored on bots and compromised hosts, base64encoded ‘injects’ are included to mimic and steal credentials or payment card data by
posing as the following Android applications:

Connect for Hotmail & Outlook ( com.connectivityapps.hotmail )
Gmail ( com.google.android.gm )
Imo ( com.imo.android.imoim )
Instagram ( com.instagram.android )
[mail.com Mail ( com.mail.mobile.android.mail )](http://mail.com/)
Microsoft Outlook ( com.microsoft.office.outlook )
Snapchat ( com.snapchat.android )
Telegram ( org.telegram.messenger )
Twitter ( com.twitter.android )
Uber ( com.ubercab )
Viber Messenger ( com.viber.voip )
WeChat ( com.tencent.mm )
WhatsApp Messenger ( com.whatsapp )
Yahoo Mail ( com.yahoo.mobile.client.android.mail )

## Current Capabilities

Whilst the immediate threat from Cerberus has been countered by Google Play Protect, the
release of the source code provides other threat actors with the ability to analyse and
understand how Cerberus’ modular capabilities were implemented, potentially allowing
others to extend them or reuse the code in other Android threats.

As is to be expected of a successful Android threat, Cerberus claims to work on devices
using Android 5 or later and, have gained ‘accessibility’ permissions, can automatically
permit additional permissions for itself including:
```
   android.permission.INTERNET ;
   android.permission.CALL_PHONE ;
   android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS ;

```

-----

```
   android.permission.WAKE_LOCK ;

```
Given these permissions, many capabilities can be identified, such as those that are
consistent with a remote access trojan gaining access to, and control over, the device:

Screenshot and audio recording;
Keylogging from within applications;
Access and exfiltrate contacts;
Device location tracking;
Application download, execution and removal;
Device lock;
Mute all device sound and disable vibrate alerts;

Additionally, specific banking trojan capabilities provide the means to gather credentials and
payment card data as well as thwarting additional security measures such as one-time
passwords, multi-factor authentication and voice calls:

Access, send, receive and delete SMS (ideal for capturing one-time passwords);
Call forwarding (potentially allowing the interception of voice calls);
Credential and payment card data theft through application injections;
Local installation and automatic (timed) enable of injections to allow operation with
limited network coverage;
Theft of multi-factor authentication codes from Google Authenticator;

In an attempt to evade security controls and thwart analysis, Cerberus implemented antiemulator code to ensure that it was only executed on a valid physical device, attempted to
disable Google Play Protect, albeit until its detection, and provided a self-destruct
mechanism to remove traces of the bot to prevent post-incident analysis.

Finally, command and control (C2) traffic is RC4 encrypted and base64-encoded using a
random key. Subsequently, ‘call home’ communications include useful data about the device
which is viewable within the control panel:

Android operating system version;
Battery status;
Device manufacturer/model;
IP address;
Network operator;
Telephone number;
System locale (Country and language);
Screen status (Locked or Unlocked);
Google Play Protect status;
SMS intercept status;
Availability of bank, card and email credentials/data;


-----

Infection date and bot up-time;
Telephone activity, used to determine if it is an emulator;

Features: hide SMS, lock device, mute sound, keylogger, injection

## Injections

Cerberus makes use of ‘injections’ to target legitimate applications, including those related to
banking, email, messaging, retail and social media, with pages that mimic the targeted
application interface and prompt for credentials and/or payment card details from the victim
(Figure 9).

_Figure 9 – Example ‘injects’ mimicking legitimate application interfaces_

These HTML-based injects are provided as a single file asset, allowing them to be easily
stored within the command and control (C2) database and distributed to victim devices,
integrating cascading style sheets (CSS) to ensure the layout is consistent with the targeted
application as well as embedding base64-encoded images (Figure 10).

_Figure 10 – Example embedded base64-encoded PNG image within the inject HTML file_

Once deployed, a victim would be presented with the inject when attempting to access a
targeted application and, assuming they fall for the ruse, the data entered is inserted into a
JSON data structure ready for exfiltration by Cerberus to the C2 infrastructure.


-----

Seemingly a starter kit was offered by Cerberus with a handful of injections to target Italy,
France, Turkey and the United States, whilst additional injections could be purchased (Figure
11).

_Figure 11 – Cerberus ‘Tweet’ indicating the sale of injects_

Notably, in addition to base64-encoded injects embedded within the SQL dump file
distributed with the Cerberus control panel source code, archives of this recent release
distributed on underground forums include over 200 additional inject files potentially including
some that would have previously been charged for.

**_Note: For reference, a full list of the injects distributed with the Cerberus source code are_**
_provided in Appendix B._

Given that these inject files mimic many current mobile applications, the release of this large
set could allow other malware authors to incorporate them into their own mobile threats as
well as being of use to any threat actor that can make use of, or further develop, the
Cerberus source code.

## Potential Future Developments

 Increased Targeting


-----

As is common with cybercrime threats originating from Russia or countries within the
Commonwealth of Independent States (CIS), threat actors will only target victims in other
countries as confirmed by a string variable within Cerberus’ source code containing a safe
list of country codes:

```
public String strCIS = "[ua][ru][by][tj][uz][tm][az][am][kz][kg][md]";

```

Since the public release of Cerberus’ source code, other seemingly less-patriotic threat
actors have removed or modified this restriction and there is now reportedly an increase in
victims within Russia and CIS countries.

Aside than this shift in targeting, no other region has been identified as suffering from
increased attacks although, with time, other threat actors may seek to leverage their access
to the source code and potentially launch attacks in regions where Android devices are
prevalent whilst less likely to be protected by current versions of Google Play Protect.

## Variants

In addition to threat actors taking the Cerberus source code ‘as-is’ and attempting to launch
their own campaigns, especially given that an ‘enterprising’ user on the XSS[.]is forum is
offering an installation service for just USD 300 (Figure 12), others may seek to build upon
the existing code or create their own variants to resolve the issues that caused Google Play
Protect to detect the threat.

_Figure 12 – XSS[.]is forum member offering proof of their Cerberus install service_


-----

One such example that has been reported as a variant of Cerberus is a threat dubbed Alien
although, both the creators of Alien and Cerberus have denied any link between the two.

Providing any would-be successor with the necessary information to resolve Cerberus’
issues, two suggestions are given to counter Google Play Protect’s ability to scan application
resources (Figure 13).

Figure 13 – Denial of link to ‘Alien’ and Cerberus ‘solution’ proposals
Translation:

Alien is based entirely on Anubis.

Our bot died due to one problem, the play-protection started scanning the resources of the
APK file.

Initially, Cerberus was developed as a modular bot, loading malicious code into resources,
and at that time Play Protect was unable to scan application resources.

At the moment, our module has signatures, and bots “die” when it is loaded. The solution is
to remove the module from the code and encrypt the entire APK, but then the size of the
APK will be very large.

Solution number two: encrypt the module.

Why didn’t we do it?

We had one module for all clients, and since the team was crumbling, it was not possible to
find new programmers who would make their own module for each client individually.

As a result, our clients could not encrypt the module for themselves. We encrypted the
module 5 times, and each crypt fell the next day according to the signatures, and in the end
our hands dropped, since this is not a solution to the problem.

Whilst it is likely only a matter of time before a suitably skilled nefarious developer resolves
the issues with Cerberus, the release of the source code will undoubtedly assist the Google
Play Protect team in creating countermeasures. That being said, organizations should still
encourage users to, and individuals should, be cautious whenever prompted to install
Android packages (APK) from unverified sources, be that a browser pop-up, an email or from
a third-party app marketplace.


-----

## Appendix A – Samples

The following SHA-256 file hashes relate to the leaked files, as observed on multiple
underground forums, and may prove beneficial to security professionals wishing to perform
their own analysis of the threat:

Initial source code release `cerberus_full_package.7z`
```
      2ba17fabce13866b6f161250f00d85e14fefc6334dc1bdd881bb71ba41a69d80

```
‘Cleaned-up’ source code release `CERBERUS_V2.zip`
```
      733fc478acd6ef668f88131f505921fddc88e9a207e5ee304b37babf0b8a553d

```
Injections collection `injects.zip`
```
      856ea6fd89f431274335614e91fdd83a99aaa3243395a28d7e55307a04090923

```
Bundle containing the above, released on ‘Alphazine[.]ru’ `cerberus.zip`
```
      beabdc7eedea45771c11e2319f810035fdbf67e725b593a80ef54438ee3731f5

```
Given the current status of Cerberus, indicators of compromise (IOC) related to past
Cerberus threats are somewhat redundant although the command and control (C2) Tor
hidden service still appears to be accessible via `cerberesfgqzqou7.onion (Figure 14).`

_Figure 14 – Cerberus control panel Tor hidden service_


-----

Additionally, the following HTTP command and control (C2) communication strings were
observed within the source code and may appear in derivative works:
```
   action=getinj&data= ;
   action=injcheck&data= ;
   action=botcheck&data= ;
   ||no|| ;
   action=registration&data= ;
   action=sendInjectLogs&data= ;
   action=sendSmsLogs&data= ;
   action=timeInject&data= ;public String str_http_19 =

```
“action=sendKeylogger&data=”; public String str_http_20 = “action=getModule&data=”;
public String str_http_21 = “action=checkAP&data=”;
```
   action=sendKeylogger&data= ;
   action=getModule&data= ;
   action=checkAP&data= ;

## Appendix B – Injections

```
Injection files have been provided alongside the Cerberus source code and target the
following legitimate Android applications:

ABANCA Empresas `com.abanca.bancaempresas`
ABANCA Banca Móvil `es.caixagalicia.activamovil`
ABN AMRO Mobiel Bankieren `com.abnamro.nl.mobile.payments`
Akbank `com.akbank.android.apps.akbank_direkt`
Allegro `pl.allegro`
Amazon Shopping `com.amazon.mShop.android.shopping`
ASB Mobile Banking `nz.co.asb.asbmobile`
Banca Digital Liberbank `es.liberbank.cajasturapp`
Banca Móvil Laboral Kutxa `com.tecnocom.cajalaboral`
Banca MPS `copergmps.rt.pf.android.sp.bmps`
Banca Transilvania `ro.btrl.mobile`
Banco Caixa Geral España `es.caixageral.caixageralapp`
Banco Itaú Empresas `com.itau.empresas`
Banco Sabadell `net.inverline.bancosabadell.officelocator.android`
Bank Austria MobileBanking `com.bankaustria.android.olb`
Bank Hapoalim (בנק הפועלים) `com.ideomobile.hapoalim`
Bank Millennium `wit.android.bcpBankingApp.millenniumPL`
Bank Millennium for Companies `pl.millennium.corpApp`
Bank of America Mobile Banking `com.infonow.bofa`
Bank of Melbourne Mobile Banking `org.bom.bank`
Bankia `es.cm.android`


-----

Bankinter Móvil `com.bankinter.launcher`
BankSA Mobile Banking `org.banksa.bank`
Banque `com.caisseepargne.android.mobilebanking`
Banque Populaire `fr.banquepopulaire.cyberplus`
Banque pour tablettes Android `com.caisse.epargne.android.tablette`
Barclays `com.barclays.android.barclaysmobilebanking`
Barclays Kenya `com.barclays.ke.mobile.android.ui`
BBVA Net Cash `com.bbva.netcash`
BBVA Spain `com.bbva.bbvacontigo`
BEA (東東亞亞銀銀行行) `com.mtel.androidbea`
Bendigo Bank `com.bendigobank.mobile`
BHIM UPI, Money Transfer, Recharge & Bill Payment `com.mobikwik_new`
Bi en Línea `gt.com.bi.bienlinea`
Bill Payment & Recharge,Wallet `com.oxigen.oxigenwallet`
Binance `com.binance.dev`
bitbank `cc.bitbank.bitbank`
Bitcoin Wallet Coincheck `jp.coincheck.android`
Blockchain Wallet `piuk.blockchain.android`
BMO Mobile Banking `com.bmo.mobile`
BNL `it.bnl.apps.banking`
BNP Paribas GOMobile `com.finanteq.finance.bgz`
BOCHK `com.bochk.com`
BOQ Mobile `com.bankofqueensland.boq`
Boursorama Banque `com.boursorama.android.clients`
BPI APP `pt.bancobpi.mobile.fiabilizacao`
BPS Mobilnie `pl.bps.bankowoscmobilna`
BusinessPro Lite `pl.bph`
CA24 Mobile `com.finanteq.finance.ca`
CaixaBank `es.lacaixa.mobile.android.newwapicon`
Caixadirecta `cgd.pt.caixadirectaparticulares`
Cajalnet `es.ceca.cajalnet`
Cajasur `com.cajasur.android`
Capital One® Mobile `com.konylabs.capitalone`
Carige Mobile `it.carige`
Carrefour Finance `be.fimaser.smartphone`
Ceneo `pl.ceneo`
CEPTETEB `com.teb`
Chase Mobile `com.chase.sig.android`
CIBC Mobile Banking `com.cibc.android.mobi`
CIC `com.cic_prod.bad`
Citi Handlowy `com.konylabs.cbplpat`
CMSO my bank `com.arkea.android.application.cmso2`


-----

Coinbase Wallet — Crypto Wallet & DApp Browser `org.toshi`
comdirect mobile App `de.comdirect.android`
CommBank `com.commbank.netbank`
Commerzbank Banking `de.commerzbanking.mobil`
Connect for Hotmail & Outlook `com.connectivityapps.hotmail`
Consorsbank `de.consorsbank`
Credem `com.CredemMobile`
Crédit du Nord pour Mobile `com.ocito.cdn.activity.creditdunord`
Crédit Mutuel `com.cm_prod.bad`
Crédit Mutuel de Bretagne `com.arkea.android.application.cmb`
ČSOB Smartbanking `cz.csob.smartbanking`
CUA Mobile Banking `au.com.cua.mb`
DB Pay `com.db.pbc.DBPay`
Deutsche Bank Mobile `com.db.pwcc.dbmobile`
Discount Bank `com.ideomobile.discount`
Discover Mobile `com.discoverfinancial.mobile`
DKB-Banking `de.dkb.portalapp`
Empik `com.empik.empikapp`
Empik Foto `com.empik.empikfoto`
[Enpara.com Cep Şubesi](http://enpara.com/) `finansbank.enpara`
eurobank mobile 2.0 `pl.eurobank2`
EVO Banco móvil `es.evobanco.bancamovil`
Fifth Third Mobile Banking `com.clairmail.fth`
Fortuneo, mes comptes banque & bourse en ligne `com.fortuneo.android`
Garanti BBVA Mobile `com.garanti.cepsubesi`
Getin Mobile `com.getingroup.mobilebanking`
Gmail `com.google.android.gm`
GMO Wallet `com.gmowallet.mobilewallet`
Grupo Cajamar `com.grupocajamar.wefferent`
Halifax Mobile Banking `com.grppl.android.shell.halifax`
Halkbank Mobil `com.tmobtech.halkbank`
HSBC Mobile Banking `com.htsu.hsbcpersonalbanking`
HVB Mobile Banking `eu.unicreditgroup.hvbapptan`
Ibercaja `es.ibercaja.ibercajaapp`
iBiznes24 mobile `pl.bzwbk.ibiznes24`
iBOSStoken `hr.asseco.android.mtoken.bos`
IDBI Bank GO Mobile+ `com.snapwork.IDBI`
Idea Bank PL `pl.ideabank.mobilebanking`
IKO `pl.pkobp.iko`
Imagin `com.imaginbank.app`
imo free video calls and chat `com.imo.android.imoim`
iMobile by ICICI Bank `com.csam.icici.bank.imobile`


-----

ING Banking to go `de.ingdiba.bankingapp`
ING Business `com.comarch.security.mobilebanking`
ING España `www.ingdirect.nativeframe`
ING Italia `it.ingdirect.app`
Instagram `com.instagram.android`
Intesa Sanpaolo Mobile `com.latuabancaperandroid_2`
Intesa Sanpaolo Mobile `com.latuabancaperandroid`
iPKO biznes `pl.pkobp.ipkobiznes`
İşCep `com.pozitron.iscep`
Kraken Pro `com.kraken.trade`
Kutxabank `com.kutxabank.android`
Kuveyt Türk `com.kuveytturk.mobil`
L’Appli Société Générale `mobi.societegenerale.mobile.lappli`
La Mia Banca `com.db.pbc.miabanca`
La Poste `fr.laposte.lapostemobile`
Leumi (לאומי) `com.leumi.leumiwallet`
Liquid by Quoine `com.quoine.quoinex.light`
Lloyds Bank Mobile Banking `com.grppl.android.shell.CMBlloydsTSB73`
Ma Banque `fr.creditagricole.androidapp`
[mail.com mail](http://mail.com/) `com.mail.mobile.android.mail`
mBank PL `pl.mbank`
Mes Comptes `fr.lcl.android.customerarea`
Mes Comptes BNP Paribas `net.bnpparibas.mescomptes`
Mi Banco db `com.db.pbc.mibanco`
Mi Banco Mobile `com.popular.android.mibanco`
Microsoft Outlook `com.microsoft.office.outlook`
Mizrahi Bank (מזרחי טפחות) `com.MizrahiTefahot.nh`
Mobile Banking UniCredit `com.unicredit`
Mobile BiznesPl@net `com.comarch.mobile.banking.bgzbnpparibas.biznes`
Mobilni Banka `eu.inmite.prj.kb.mobilbank`
Mobilny Portfel `pl.raiffeisen.nfc`
Mój Orange `pl.orange.mojeorange`
Moje ING mobile `pl.ing.mojeing`
myAT&T `com.att.myWireless`
N26 Mobile Banking `de.number26.android`
NAB Mobile Banking `au.com.nab.mobile`
NBapp Spain `com.indra.itecban.mobile.novobanco`
Nest Bank nowy `pl.nestbank.nestbank`
NETELLER `com.moneybookers.skrillpayments.neteller`
norisbank App `com.db.mm.norisbank`
Oney France `fr.oney.mobile.mescomptes`
Openbank `es.openbank.mobile`


-----

Papara `com.mobillium.papara`
PayPal Mobile Cash `com.paypal.android.p2pmobile`
Pekao24Makler `eu.eleader.mobilebanking.pekao`
PekaoBiznes24 `eu.eleader.mobilebanking.pekao.firm`
PeoPay `softax.pekao.powerpay`
People’s Choice Credit Union `com.fusion.ATMLocator`
Pibank `es.pibank.customers`
plusbank24 `eu.eleader.mobilebanking.invest`
Pocket Bank `ma.gbp.pocketbank`
Postbank Finanzassistent `de.postbank.finanzassistent`
Postepay `posteitaliane.posteapp.apppostepay`
QNB Finansbank Mobile Banking `com.finansbank.mobile.cepsube`
Raiffeisen ELBA `com.isis_papyrus.raiffeisen_pay_eyewdg`
Raiffeisen Smart Mobile `com.advantage.RaiffeisenBank`
Rakuten Bank (楽楽天天銀銀行行) `jp.co.rakuten_bank.rakutenbank`
RBC Mobile `com.rbc.mobile.android`
Report `com.cajasiete.android.cajasietereport`
Rossmann PL `pl.com.rossmann.centauros`
ruralvía `com.rsi`
Santander `es.bancosantander.apps`
Santander Banking `de.santander.presentation`
Santander Empresas `es.bancosantander.empresas`
Santander mobile `pl.bzwbk.bzwbk24`
ScotiaMóvil `net.garagecoders.e_llavescotiainfo`
SCRIGNOapp `it.popso.SCRIGNOapp`
SecureApp netbank `de.adesso_mobile.secureapp.netbank`
ŞEKER MOBİL ŞUBE `tr.com.sekerbilisim.mbank`
Skrill `com.moneybookers.skrillpayments`
Smart Mobile Banking `it.gruppobper.ams.android.bper`
Snapchat `com.snapchat.android`
Sparkasse Ihre mobile Filiale `com.starfinanz.smob.android.sfinanzstatus`
St.George Mobile Banking `org.stgeorge.bank`
Sumishin SBI Net Bank (住住信信SBIネネッットト銀銀行行) `jp.co.netbk`
Suncorp Bank `au.com.suncorp.SuncorpBank`
SunTrust Mobile App `com.suntrust.mobilebanking`
TARGOBANK Mobile Banking `com.targo_prod.bad`
Telegram `org.telegram.messenger`
The International Bank (הבנק הבינלאומי ) `com.fibi.nativeapp`
Touch 24 Banking BCR `at.spardat.bcrmobile`
Triodos Bank `com.indra.itecban.triodosbank.mobile.banking`
Twitter `com.twitter.android`
U.S. Bank `com.usbank.mobilebanking`


-----

Uber `com.ubercab`
UBI Banca `it.nogood.container`
UnicajaMovil `es.univia.unicajamovil`
Union Bank (בנק אגוד) `com.unionBank.app`
Union Bank Mobile Banking `com.unionbank.ecommerce.mobile.android`
USAA Mobile `com.usaa.mobile.android.usaa`
Usługi Bankowe `alior.bankingapp.android`
VakıfBank Mobil Bankacılık `com.vakifbank.mobile`
Viber Messenger `com.viber.voip`
Volksbank house banking `at.volksbank.volksbankmobile`
VR Banking Classic `de.fiducia.smartphone.android.banking.vr`
WeChat `com.tencent.mm`
Wells Fargo Mobile `com.wf.wellsfargomobile`
Western Union ES `com.westernunion.moneytransferr3app.es`
WhatsApp Messenger `com.whatsapp`
Yahav Bank (בנק יהב) `il.co.yahav.mobbanking`
Yahoo Mail `com.yahoo.mobile.client.android.mail`
Yapı Kredi Mobile `com.ykb.android`
Yono Lite SBI `com.sbi.SBIFreedomPlus`
YouApp `com.lynxspa.bancopopolare`
Ziraat Mobile `com.ziraat.ziraatmobil`


-----