{ "id": "d6e37774-c79e-46e0-b372-861c80e7717d", "created_at": "2026-04-06T00:17:52.16447Z", "updated_at": "2026-04-10T03:37:08.83193Z", "deleted_at": null, "sha1_hash": "24bbe5315a0236f51eced9531b2ee623531d90e2", "title": "Resecurity | \"In The Box\" - Mobile Malware Webinjects Marketplace", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 5657297, "plain_text": "Resecurity | \"In The Box\" - Mobile Malware Webinjects\r\nMarketplace\r\nPublished: 2022-11-25 · Archived: 2026-04-05 14:10:58 UTC\r\nWith the rapid growth of fraudulent activity in a post-pandemic world, the bad actors continue to upgrade their\r\ntooling to attack customers of major financial institutions (FIs), e-commerce platforms and online marketplaces.\r\nAccording to collected statistics in Q4 2022 during DFIR engagements conducted on Fortune 500 companies by\r\nResecurity®, cybercriminals are especially successful when attacking mobile apps and leveraging gained access\r\nfor further unauthorized access and financial theft. Unless FIs implement various technologies to combat fraud,\r\nthis vector remains relatively unprotected which provides threat actors enough flexibility to bypass fraud detection\r\nsystems by ultimately controlling the victim's mobile device. Once the mobile device of the victim has been\r\ncompromised, the bad actors can intercept OTP codes, incoming SMS messages, and phone calls to extract\r\nsensitive information including call history and contact lists. Besides other concerning types of threats such as\r\n\"SIM Swapping\" also widely used by fraudsters, mobile malware remains the key in a cybercriminals arsenal to\r\nconduct banking theft from consumers worldwide.\r\nThis research arranged by Resecurity® Hunter team is focused on the new marketplace called “InTheBox”,\r\nrecently emerged in the Dark Web and designed specifically for mobile malware operators. The first mentions of\r\n“InTheBox” were identified on reputable underground communities around January 2020 - since that time the key\r\nactor was offering webinjects development services for other cybercriminals privately, but after gaining enough\r\ncredibility the actor scaled it to a fully productized automated marketplace. The automation allows other bad\r\nactors to create orders to receive the most up to date webinject for further implementation into mobile malware.\r\nFor those using proprietary (or so called “private”), mobile malware is not widely available for sale or rent,\r\nbecause of this “InTheBox” is offering customized development solutions. As of today, the most widely malware\r\nfamilies supporting webinjects are - Alien, Cerberus, Ermac, Hydra, Octopus (aka “Octo”), Poison, and\r\nMetaDroid.\r\nThe marketplace is available in TOR network:\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 1 of 48\n\nAs an OPSEC measure, the administrator of the marketplace also requires vetting of new customers:\r\nAfter the successful account activation, the marketplace will offer listing of available webinjects for sale:\r\nIt is worth mentioning how almost all of them may be used for credential interception from any service the victim\r\nmay attempt to access while using their mobile device besides online-banking. The bad actor may then use the\r\ndata stolen from said devices for any malicious purposes. To facilitate successful credentials interception, the bad\r\nactors use a so called \"Webinjects\" - customized modules or packages used in malware that typically inject HTML\r\nor JavaScript code into content before it's rendered on a web browser. As a result, webinjects can alter what the\r\nuser sees on his/her browser, as opposed to what's in fact being sent by the server.\r\nTypically, malware developers design code to intercept victims credentials using such approach which in practice\r\nlooks completely invisible visually, as the webinject will interpret an identical design of legitimate pages from\r\npopular services. Technically, the success rate of banking theft depends on the quality of the webinject and\r\nstability of mobile malware. During past years, the market of mobile banking malware became extremely mature,\r\nand the majority of Dark Web actors stopped selling it, they switched to potentially renting, or to privately us it.\r\nExamples of webinjects:\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 2 of 48\n\nThere are multiple underground vendors developing webinjects - tracking the latest design and updates of\r\nlegitimate mobile apps makes their attacks extremely efficient. The price on webinjects is typically lower than\r\nmobile malware itself and varies between 50$ and 200$ per inject depending how popular the FI is. Typically, it\r\nalso includes basic support and possible customization in case the mobile app changes. The price range on mobile\r\nmalware varies and with the recent shift to rent and private operations, the inject may exceed 5,000$ per month or\r\nleveraged commission-based model with payouts from successful thefts shared between malware operator and\r\ndevelopers.\r\nJust recently “InTheBox” implemented a new tariff called “unlim” allowing cybercriminals to generate unlimited\r\nnumber of webinjects during the subscription period. Such model allows to minimize manual and human\r\ninteractions with the marketplace operators, simplifying malware customization processes.\r\nBased on the chosen plan other malware operators can create orders on the injects or customized development.\r\nTheir feedback and order status will be available via the portal:\r\nThe bad actor known as \"inthebox\" launched a new webinjects marketplace on the TOR network. The marketplace\r\nprovides different templates of webinjects for various mobile malware families which are used independently or in\r\ncombination to successful execute data theft:\r\nTemplate “Authorization data”\r\nTemplate “Ask only PIN”\r\nTemplate “With Credit Card data”\r\nTemplate “With Credit Card data + ATM PIN”\r\nTemplate “Ask Full Data”\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 3 of 48\n\nToday, “InTheBox” provides access to over 400 professionally developed webinjects categorized by geography\r\nand target:\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 4 of 48\n\nThe majority of high-demand injects is related to payment services including digital banking and cryptocurrency\r\nexchangers. During November 2022 the actor arranged a significant update of close to 144 injects improving their\r\nvisual design.\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 5 of 48\n\nPayment Systems List\r\nLuno:\r\nco.bitx.android.wallet\r\nBitfinex:\r\ncom.bitfinex.mobileapp\r\nBitPay - Buy Crypto:\r\ncom.bitpay.wallet\r\nBuy Bitcoin \u0026 Crypto Exchange:\r\ncom.changelly.app\r\nCoinbase: Buy Bitcoin \u0026 Ether:\r\ncom.coinbase.android\r\nLuno:\r\nco.bitx.android.wallet\r\nBitfinex:\r\ncom.bitfinex.mobileapp\r\nBitPay - Buy Crypto:\r\ncom.bitpay.wallet\r\nBuy Bitcoin \u0026 Crypto Exchange:\r\ncom.changelly.app\r\nCoinbase: Buy Bitcoin \u0026 Ether:\r\ncom.coinbase.android\r\nGemini: Buy Bitcoin \u0026 Crypto:\r\ncom.gemini.android.app\r\nHitBTC – Cryptocurrency Exchange \u0026 Trading BTC App:\r\ncom.hittechsexpertlimited.hitbtc\r\nHuobiWallet:\r\ncom.huobionchainwallet.gp\r\nKraken Pro: Advanced Bitcoin \u0026 Crypto Trading:\r\ncom.kraken.trade\r\nPayPal - Send, Shop, Manage:\r\ncom.paypal.android.p2pmobile\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 6 of 48\n\nWise, ex TransferWise:\r\ncom.transferwise.android\r\nBitstamp – Crypto on the go:\r\nnet.bitstamp.app\r\nElectrum Bitcoin Wallet:\r\norg.electrum.electrum\r\nBtcTurk | PRO Trade Bitcoin \u0026 Cryptocurrency:\r\ncom.btcturk.pro\r\nElectroneum:\r\ncom.electroneum.mobile\r\nEnjin: Bitcoin, Ethereum, NFT Crypto Wallet:\r\ncom.enjin.mobile.wallet\r\nKuCoin: BTC, Crypto exchange:\r\ncom.kubi.kucoin\r\nLumi Crypto Bitcoin Wallet:\r\ncom.lumiwallet.android\r\nBtcTurk | Bitcoin (BTC) Al Sat:\r\ncom.mobillium.btcturk\r\nMycelium Bitcoin Wallet:\r\ncom.mycelium.wallet\r\nOkcoin - Buy Bitcoin, Ethereum, Shiba Inu, Crypto:\r\ncom.okinc.okcoin.intl\r\nOKEx:Buy Bitcoin, NFTs \u0026 Meta:\r\ncom.okinc.okex.gp\r\nParibu | Bitcoin-Kripto Para Alım Satım:\r\ncom.paribu.app\r\nPoloniex Crypto Exchange:\r\ncom.plunien.poloniex\r\nSamourai Wallet (Early Access):\r\ncom.samourai.wallet\r\nTabTrader Buy Bitcoin and Ethereum on exchanges:\r\ncom.tabtrader.android\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 7 of 48\n\nContasimple - Invoices, estimates \u0026 delivery notes:\r\ncom.v2msoft.contasimple\r\nWaves.Exchange:\r\ncom.wavesplatform.wallet\r\nWazirX - Bitcoin, Crypto Trading Exchange India:\r\ncom.wrx.wazirx\r\nBitGlobal (formerly Bithumb Global):\r\nglobal.bithumb.android\r\nIndodax:\r\nid.co.bitcoin\r\nBitcoin Wallet by SpectroCoin:\r\nlt.spectrofinance.spectrocoin.android.wallet\r\nZonda - crypto exchange:\r\nnet.bitbay.bitcoin\r\nMetaMask - Buy, Send and Swap Crypto:\r\nio.metamask\r\nCrypto.com - Buy BTC, ETH:\r\nco.mona.android\r\nBinance: BTC NFTs Memes \u0026 Meta:\r\ncom.binance.dev\r\nTrust: Crypto \u0026 Bitcoin Wallet:\r\ncom.wallet.crypto.trustapp\r\nBlockchain.com Wallet: Buy BTC:\r\npiuk.blockchain.android\r\nCoinbase Wallet - Store Crypto:\r\norg.toshi\r\nBitcoin Wallet: buy BTC, BCH \u0026 ETH:\r\ncom.bitcoin.mwallet\r\nCash App:\r\ncom.squareup.cash\r\ne-Commerce List\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 8 of 48\n\nAutoScout24 Schweiz – Finden Sie Ihr neues Auto:\r\nch.autoscout24.autoscout24\r\nAmazon Seller:\r\ncom.amazon.sellermobile.android\r\nTide: Business Bank Account:\r\ncom.tideplatform.banking\r\nmobile.de - car market:\r\nde.mobile.android.app\r\nAmazon Shopping:\r\ncom.amazon.mShop.android.shopping\r\nSHEIN-Fashion Shopping Online:\r\ncom.zzkko\r\nnoon shopping:\r\ncom.noon.buyerapp\r\nAlibaba.com:\r\ncom.alibaba.intl.android.apps.poseidon\r\nLulu Shopping:\r\ncom.lulu.commerce\r\nSocial List\r\nInstagram:\r\ncom.instagram.android\r\nWhatsApp Messenger:\r\ncom.whatsapp\r\nFacebook:\r\ncom.facebook.katana\r\nTinder - Dating \u0026 Make Friends:\r\ncom.tinder\r\nZOOM Cloud Meetings:\r\nus.zoom.videomeetings\r\nFacebook Messenger:\r\ncom.facebook.orca\r\nDigital Media List\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 9 of 48\n\nNetflix:\r\ncom.netflix.mediaclient\r\nSpotify: Music and Podcasts:\r\ncom.spotify.music\r\nThe marketplace has also region-specific categories with a strong focus on the U.S. and U.K. businesses, online-services and financial institutions:\r\nUnited States List\r\nCiti Mobile®:\r\ncom.citi.citimobile\r\nE*TRADE:\r\nInvest. Trade. Save.:\r\ncom.etrade.mobilepro.activity\r\nInvoice Maker:\r\nEasy \u0026 Simple:\r\ncom.aadhk.woinvoice\r\nAirbnb:\r\ncom.airbnb.android\r\nAmex:\r\ncom.americanexpress.android.acctsvcs.us\r\nAOL - News, Mail \u0026 Video:\r\ncom.aol.mobile.aolapp\r\nmyAT\u0026T:\r\ncom.att.myWireless\r\nU by BB\u0026T:\r\ncom.bbt.myfi\r\nCitizens Bank Mobile Banking:\r\ncom.citizensbank.androidapp\r\nDiscover Mobile:\r\ncom.discoverfinancial.mobile\r\nBank of America Mobile Banking:\r\ncom.infonow.bofa\r\nKeyBank - Online \u0026 Mobile Banking:\r\ncom.key.android\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 10 of 48\n\nLinkedIn:\r\ncom.linkedin.android\r\nFirst Citizens Mobile Banking:\r\ncom.mcom.firstcitizens\r\nM\u0026T Mobile Banking:\r\ncom.mtb.mbanking.sc.retail.prod\r\nSchwab Mobile:\r\ncom.schwab.mobile\r\nTD Bank (US):\r\ncom.tdbank\r\nUBS Mobile Banking:\r\ncom.ubs.swidKXJ.android\r\nUSAA Mobile:\r\ncom.usaa.mobile.android.usaa\r\nWoodforest Mobile Banking:\r\ncom.woodforest\r\nSECU:\r\norg.ncsecu.mobile\r\nAlly Mobile:\r\nBanking \u0026 Investing:\r\ncom.ally.MobileBanking\r\nBMO Digital Banking:\r\ncom.bmoharris.digital\r\nBooking.com:\r\nHotels and more:\r\ncom.booking\r\nBank of the West Mobile:\r\ncom.botw.mobilebanking\r\nChase Mobile:\r\ncom.chase.sig.android\r\nFifth Third Mobile Banking:\r\ncom.clairmail.fth\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 11 of 48\n\nCompass Savings Bank:\r\ncom.compasssavingsbank.mobile\r\nCapital One Mobile:\r\ncom.konylabs.capitalone\r\nMorgan Stanley Wealth Mgmt:\r\ncom.morganstanley.clientmobile.prod\r\nNavy Federal Credit Union:\r\ncom.navyfederal.android\r\nPNC Mobile:\r\ncom.pnc.ecommerce.mobile\r\nSunTrust Mobile App:\r\ncom.suntrust.mobilebanking\r\nWells Fargo Mobile:\r\ncom.wf.wellsfargomobile\r\nZelle:\r\ncom.zellepay.zelle\r\nRobinhood:\r\nStocks \u0026 Crypto:\r\ncom.robinhood.android\r\neToro:\r\ncom.etoro.openbook\r\nI am Verizon:\r\ncom.dynamicsignal.enterprise.iamvz\r\nOne Talk Side View:\r\ncom.verizon.sideview\r\nOne Talk:\r\ncom.verizon.onetalk\r\nVerizon Messages:\r\ncom.verizon.messaging.vzmsgs\r\nVerizon ID:\r\ncom.verizon.verizonidauth\r\nInside Verizon:\r\ncom.verizon.insideverizon\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 12 of 48\n\nVerizon Smart Family:\r\ncom.verizon.familybase.parent\r\nmyMetro:\r\ncom.nuance.nmc.sihome.metropcs\r\nTruist Mobile:\r\ncom.truist.mobile\r\nRegions Bank:\r\ncom.regions.mobbanking\r\nHuntington Mobile:\r\ncom.huntington.m\r\nU.S. Bank Mobile:\r\nBank and Invest:\r\ncom.usbank.mobilebanking\r\nSantander Bank US:\r\ncom.sovereign.santander\r\nFirst Horizon Events:\r\ncom.aventri.firsthorizonbank300005742\r\nFNB Direct:\r\ncom.FNBPA.mobilebanking\r\nBancorpSouth Mobile:\r\ncom.bancorpsouth.android\r\nFound — Banking \u0026 Taxes:\r\napp.indie.my\r\nMOVO ON-DEMAND MOBILE BANKING:\r\ncom.movocash.movo\r\nMoneyLion:\r\nBank \u0026 Finance App:\r\ncom.moneylion\r\nAlbert:\r\nBanking on you:\r\ncom.meetalbert\r\nDave - Banking \u0026 Cash Advance:\r\ncom.dave\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 13 of 48\n\nDouugh:\r\ncom.douugh.douughapp\r\nCurrent:\r\nThe Future of Banking:\r\ncom.current.app\r\nUnited Kingdom List\r\nLloyds Bank Mobile Banking:\r\ncom.grppl.android.shell.CMBlloydsTSB73\r\nHalifax Mobile Banking:\r\ncom.grppl.android.shell.halifax\r\nBank of Scotland Mobile Banking:\r\ncom.grppl.android.shell.BOS\r\nNationwide Banking App:\r\nco.uk.Nationwide.Mobile\r\nThe Co-operative Bank:\r\ncom.cooperativebank.bank\r\npermanent tsb:\r\ncom.nearform.ptsb\r\nHSBC UK Mobile Banking:\r\nuk.co.hsbc.hsbcukmobilebanking\r\nSantander Mobile Banking:\r\nuk.co.santander.santanderUK\r\nTSB Mobile Banking:\r\nuk.co.tsb.newmobilebank\r\nBarclays US Credit Cards:\r\ncom.barclaycardus\r\nNatWest Mobile Banking:\r\ncom.rbs.mobile.android.natwest\r\nRoyal Bank of Scotland:\r\ncom.rbs.mobile.android.rbs\r\nTSB Bank Mobile Banking:\r\ntsb.mobilebanking\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 14 of 48\n\nMBNA Card Services App:\r\nuk.co.mbna.cardservices.android\r\nMetro Bank:\r\nuk.co.metrobankonline.mobile.android.production\r\nTesco Mobile:\r\nuk.co.tescomobile.android\r\nCapital One UK:\r\ncom.ie.capitalone.uk\r\nRevolut:\r\ncom.revolut.revolut\r\nDeliveroo:\r\nFood Delivery:\r\ncom.deliveroo.orderapp\r\nMonzo - Mobile Banking:\r\nco.uk.getmondo\r\nRevolut Business:\r\ncom.revolut.business\r\nCashplus Bank - business \u0026 per:\r\nco.uk.mycashplus.maapp\r\nANNA Business Account \u0026 Tax:\r\ncom.anna.money.app\r\nChase UK:\r\ncom.chase.intl\r\nCoutts:\r\ncom.coutts.model.prod.tadpole\r\nC. Hoare \u0026 Co.:\r\ncom.mobile.CHoareCo\r\nNexo:\r\nкупи BTC, ETH, SOL, AVAX:\r\ncom.nexowallet\r\nCoutts Mobile:\r\ncom.rbs.mobile.android.coutts\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 15 of 48\n\nSoldo:\r\ncom.soldo.business.next\r\nPleo:\r\nio.pleo.android\r\nAmex United Kingdom:\r\ncom.americanexpress.android.acctsvcs.uk\r\nProton Mail:\r\nEncrypted Email:\r\nch.protonmail.android\r\nBT Email:\r\ncom.bt.mail.btprod\r\nSumUp:\r\ncom.kaching.merchant\r\nLloyds Bank Business:\r\ncom.lloydsbank.businessmobile\r\nBusiness Banking:\r\nuk.co.santander.businessUK.bb\r\nBesides the U.S. and the U.K. as 2 major geographies to target consumers, “InTheBox” provides webinjects for\r\nonline-services and financial institutions from over 28 countries including Andorra, Argentina, Austria, Australia,\r\nBelgium, Brazil, Canada, Chile, Colombia, Germany, Denmark, Spain, France, Georgia, Greece, Hungary, Italy,\r\nJapan, Mexico, Malaysia, Nigeria, Peru, Poland, Portugal, Qatar, Romania, Turkey, United Arab Emirates and\r\nSaudi Arabia.\r\nThe full list of other injects for sale porovided below:\r\nAndorra List\r\nAndbank:\r\nair.com.inversis.AndbankSmartphone\r\nMoraBanc:\r\ncom.morabanc.mobileapp\r\nCrèdit Andorrà:\r\ncom.creditandorra\r\nBSA Mòbil:\r\ncom.everis.bsa_1_3\r\nUAE List\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 16 of 48\n\nBurgan Bank:\r\ncom.a2a.android.burgan\r\nSNB AlAhli Mobile:\r\ncom.alahli.mobile.android\r\nalrajhi bank:\r\ncom.alrajhiretailapp\r\nRiyadBank Mobile:\r\ncom.riyadbank.strategic\r\nCBD - Instant digital banking:\r\ncom.cbd.mobile\r\nADCB:\r\ncom.adcb.bank\r\nAjman Bank:\r\ncom.mbanking.ajmanbank\r\nAl Hilal Mobile Banking App:\r\ncom.infosys.alh\r\nMBank UAE:\r\ncom.mbankuae.amcb\r\nAl Masraf:\r\nae.almasraf.mobileapp\r\neBOS Mobile:\r\ncom.ebos.bos\r\nCBQ Mobile:\r\ncom.cbq.CBMobile\r\nDIB MOBILE:\r\ncom.dib.app\r\nFAB Mobile:\r\ncom.fab.personalbanking\r\nFinance House App:\r\ncom.fh.payday\r\nNBQBANK:\r\ncom.NBQBank\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 17 of 48\n\nRAKBANK Digital Banking:\r\ncom.rak\r\nSC Mobile Banking (UAE):\r\ncom.scb.ae.bmw\r\nSIB Digital:\r\ncom.sib.retail\r\nUnited Arab Bank Mobile:\r\ncom.uab.personal\r\nNBF Direct App:\r\ncom.vipera.nbf\r\nMashreq UAE:\r\ncom.vipera.ts.starter.MashreqAE\r\nEmirates NBD:\r\nenbd.mobilebanking\r\nEI Bank:\r\ncom.s4m\r\nAl Hilal Digital:\r\nae.ahb.digital\r\nC3Pay:\r\ncom.myc3card.app\r\nADIB Mobile Banking App:\r\ncom.adib.mobile\r\nMashreq Neo - Bank easy:\r\ncom.mashreq.NeoApp\r\nADCB Hayyak:\r\nStart your banking relationship now!:\r\ncom.adcb.cbgdigi\r\nLiv. - Digital Lifestyle Bank:\r\ncom.liv.android\r\nENBD X:\r\ncom.emiratesnbd.android\r\nYAP – Your Digital Banking App:\r\ncom.yap.banking\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 18 of 48\n\nAAIB Mobile:\r\ncom.aaib\r\nArabi-Mobile:\r\ncom.arabbank.arabimobilev2\r\nDubai First:\r\ncom.bankfab.pbg.ae.dubaifirst\r\nHSBC UAE:\r\nae.hsbc.hsbcuae\r\neWalletAE:\r\ncom.etisalat.ewallet\r\nAlfa by Bank Alfalah:\r\ncom.base.bankalfalah\r\nCitibank UAE:\r\ncom.citibank.mobile.citiuaePAT\r\nKFC UAE (United Arab Emirates):\r\ncom.kfc.me\r\nSnoonu - Fastest Delivery:\r\ncom.oryx.snoonu\r\nNamshi - Shop Fashion \u0026 Beauty:\r\ncom.namshi.android\r\nMAF Carrefour Online Shopping:\r\ncom.aswat.carrefouruae\r\n:OpenSooq - السوق المفتوح\r\ncom.opensooq.OpenSooq\r\nShail:\r\nde.hafas.android.dimp\r\n:فورديل سوق االنرتنت - Fordeal\r\ncom.fordeal.android\r\nPizzaHut UAE:\r\ncom.pizzahutapp\r\nSimplylife from ADCB:\r\ncom.adcb.simplylife\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 19 of 48\n\nArgentina List\r\nSantander Argentina:\r\nar.com.santander.rio.mbanking\r\nPatagonia Móvil:\r\nar.com.bcopatagonia.android\r\nCredicoop Móvil:\r\ncoop.bancocredicoop.bancamobile\r\nBanca Móvil Ciudad:\r\nar.com.redlink.custom\r\nMacro:\r\nar.macro\r\nBip Móvil:\r\nar.bapro\r\nAustria List\r\nBank Austria MobileBanking:\r\ncom.bankaustria.android.olb\r\neasybank App:\r\ncom.easybank.easybank\r\nGeorge Österreich:\r\nat.erstebank.george\r\nbank99:\r\nat.ing.diba.client.onlinebanking\r\nMein ELBA-App:\r\nat.rsg.pfp\r\nBAWAG PSK klar – Mobile Banking App:\r\ncom.bawagpsk.bawagpsk\r\nHYPO Mein ELBA-App:\r\ncom.isis_papyrus.hypo_pay_eyewdg\r\nVolksbank hausbanking:\r\nat.volksbank.volksbankmobile\r\nmeine99 | Online Banking:\r\nat.bank99.meine.meine\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 20 of 48\n\nS-pushTAN für Smartphone und Tablet:\r\ncom.starfinanz.mobile.android.pushtan\r\nDigital Banking App:\r\nat.aerztebank.aerztebankmobile\r\nAnadi Internetbanking:\r\nat.anadi.mobilebanking\r\nAustralia List\r\nMy AMP:\r\nau.com.amp.myportfolio.android\r\nBankwest:\r\nau.com.bankwest.mobile\r\nCommBiz:\r\nau.com.commbank.commbiz.prod\r\nGreat Southern Bank Australia:\r\nau.com.cua.mb\r\nHSBC Australia:\r\nau.com.hsbc.hsbcaustralia\r\nMacquarie Mobile Banking:\r\nau.com.macquarie.banking\r\nME Bank:\r\nau.com.mebank.banking\r\nNAB Mobile Banking:\r\nau.com.nab.mobile\r\nNPBS Mobile Banking:\r\nau.com.newcastlepermanent\r\nmyRAMS:\r\nau.com.rams.RAMS\r\nSuncorp Secured:\r\nau.com.suncorp.rsa.suncorpsecured\r\nUBank:\r\nau.com.ubank.internetbanking\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 21 of 48\n\nVirgin Money Credit Card:\r\ncom.virginmoney.cards\r\nBank of Melbourne Business App:\r\norg.banking.bom.businessconnect\r\nBankSA Business App:\r\norg.banking.bsa.businessconnect\r\nSt.George Business App:\r\norg.banking.stg.businessconnect\r\nBankSA Mobile Banking:\r\norg.banksa.bank\r\nBank of Melbourne Mobile Banking:\r\norg.bom.bank\r\nSt.George Mobile Banking:\r\norg.stgeorge.bank\r\nWestpac:\r\norg.westpac.bank\r\nWestpac Corporate Mobile:\r\norg.westpac.col\r\nZip - Shop Now, Pay Later:\r\nco.zip\r\nBOQ Mobile:\r\ncom.bankofqueensland.boq\r\nBendigo Bank:\r\ncom.bendigobank.mobile\r\nCommBank:\r\ncom.commbank.netbank\r\nBank Australia app:\r\ncom.fusion.banking\r\nBeyond Bank Australia:\r\ncom.fusion.beyondbank\r\nBeyond Bank Australia:\r\ncom.greater.Greater\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 22 of 48\n\nHSBCnet Mobile:\r\ncom.hsbc.hsbcnet\r\nBelgium List\r\nING Banking:\r\ncom.ing.banking\r\nArgenta Bankieren:\r\nbe.argenta.bankieren\r\nMobile Banking Service:\r\nbe.axa.mobilebanking\r\nBelfius Mobile:\r\nbe.belfius.directmobile.android\r\nBeobank Mobile:\r\ncom.beobank_prod.bad\r\nEasy Banking App:\r\ncom.bnpp.easybanking\r\nKBC Mobile:\r\ncom.kbc.mobile.android.phone.kbc\r\nCanada List\r\nBanco next:\r\nConta e Cartão:\r\nbr.com.bradesco.next\r\nInter:\r\nPix, Cartão e Conta:\r\nbr.com.intermedium\r\nbanco digital modalmais - conta e corretora online:\r\nbr.com.modalmais\r\nOriginal - Pix, Digital, Cashback e Empréstimos:\r\nbr.com.original.bank\r\nPagBank:\r\nBanco, Conta digital, Cartão, Pix, CDB:\r\nbr.com.uol.ps.myaccount\r\nBanco Bradesco:\r\ncom.bradesco\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 23 of 48\n\nBanco Itaú:\r\ncom.itau\r\nDigital Media List\r\nNational Bank of Canada:\r\nca.bnc.android\r\nHSBC Canada:\r\nca.hsbc.hsbccanada\r\nManulife Mobile:\r\nca.manulife.MobileGBRS\r\nPC Financial Mobile:\r\nca.pcfinancial.bank\r\nTangerine Mobile Banking:\r\nca.tangerine.clients.banking.app\r\nCIBC Mobile Banking®:\r\ncom.cibc.android.mobi\r\nServices mobiles Desjardins:\r\ncom.desjardins.mobile\r\nRBC Mobile:\r\ncom.rbc.mobile.android\r\nTD Canada:\r\ncom.td\r\nAffinity Mobile:\r\nca.affinitycu.mobile\r\nmotusbank mobile banking:\r\nca.motusbank.mapp\r\nServus Mobile Banking:\r\nca.servus.mbanking\r\nATB Personal - Mobile Banking:\r\ncom.atb.ATBMobile\r\nATB Business - Mobile Banking:\r\ncom.atb.businessmobile\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 24 of 48\n\nCoast Capital Savings:\r\ncom.coastcapitalsavings.dcu\r\nEQ Bank Mobile Banking:\r\ncom.eqbank.eqbank\r\nMeridian Mobile Banking:\r\ncom.meridian.android\r\nSimplii Financial:\r\ncom.pcfinancial.mobile\r\nVancity:\r\ncom.vancity.mobileapp\r\nScotiabank Mobile Banking:\r\ncom.scotiabank.banking\r\nBMO Mobile Banking:\r\ncom.bmo.mobile\r\nCapital One Canada:\r\nca.capitalone.enterprisemobilebanking\r\nIndeed Job Search:\r\ncom.indeed.android.jobsearch\r\ncom.eqbank.eqbank (NEW)\r\ncom.shaketh (NEW)\r\nca.hsbc.hsbccanada (NEW)\r\nca.manulife.MobileGBRS (NEW)\r\ncom.meridian.android (NEW)\r\naffinitycu.mobile (NEW)\r\ncom.atb.ATBMobile (NEW)\r\ncom.atb.businessmobile (NEW)\r\nChile List\r\nBanco Falabella | CMR:\r\ncl.android\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 25 of 48\n\nMercado Libre: Compras Navidad:\r\ncom.mercadolibre\r\nMercado Pago: cuenta digital:\r\ncom.mercadopago.wallet\r\nColombia List\r\nBanco de Bogotá:\r\ncom.bancodebogota.bancamovil\r\nBanco de Occidente Móvil:\r\ncom.grupoavaloc1.bancamovil\r\nDavivienda Móvil:\r\ncom.todo1.davivienda.mobileapp\r\nBancolombia Personas:\r\ncom.todo1.mobile\r\nScotiabank Colpatria:\r\neu.netinfo.colpatria.system\r\nBBVA Colombia:\r\nco.com.bbva.mb\r\nBanco Agrario App:\r\nco.com.bancoagrario.icbanking\r\nBanco Falabella Colombia:\r\nco.com.bancofalabella.mobile.omc\r\nBanca Móvil BAC Credomatic:\r\nnet.bac.sbe.android\r\nGermany List\r\nLa Mia Banca:\r\ncom.db.pbc.miabanca\r\nSparkasse Ihre mobile Filiale:\r\ncom.starfinanz.smob.android.sfinanzstatus\r\nCommerzbank Banking - Die App an Ihrer Seite:\r\nde.commerzbanking.mobil\r\nVR Banking Classic:\r\nde.fiducia.smartphone.android.banking.vr\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 26 of 48\n\nING Banking to go:\r\nde.ingdiba.bankingapp\r\nSantander Banking:\r\nde.santander.presentation\r\ntraktorpool:\r\nde.traktorpool\r\ncomdirect:\r\nde.comdirect.app\r\nN26 — The Mobile Bank:\r\nde.number26.android\r\nPostbank Finanzassistent:\r\nde.postbank.finanzassistent\r\nSpardaSecureApp:\r\nde.sdvrz.ihb.mobile.secureapp.sparda.produktion\r\nHVB Mobile Banking:\r\neu.unicreditgroup.hvbapptan\r\nSpardaApp:\r\nde.sdvrz.ihb.mobile.app\r\nSparda Berlin:\r\nde.spardab.banking.privat\r\nPostbank BestSign:\r\nde.postbank.bestsign\r\nConsorsbank:\r\nde.consorsbank\r\nVolksbank · Banca Popolare:\r\nit.volksbank.android\r\nDenmark List\r\nMobilbank DK – Danske Bank:\r\ncom.danskebank.mobilebank3.dk\r\nNordea Mobile - Danmark:\r\ndk.nordea.mobilebank\r\nSpain List\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 27 of 48\n\nBBVA España | Banca Online:\r\ncom.bbva.bbvacontigo\r\nCaja de Ingenieros Banca MÓVIL:\r\ncom.cajaingenieros.android.bancamovil\r\nCajasur:\r\ncom.cajasur.android\r\nBanco Mediolanum España:\r\ncom.mediolanum\r\nTomamos impulso - TARGOBANK I AGRUPACIÓ I ATLANTIS:\r\ncom.targoes_prod.bad\r\nABANCA - Banca Móvil:\r\nes.caixagalicia.activamovil\r\nCaixa Ontinyent:\r\nes.caixaontinyent.caixaontinyentapp\r\nIbercaja:\r\nes.ibercaja.ibercajaapp\r\nPibank:\r\nes.pibank.customers\r\nBanco Caja Social Móvil:\r\ncom.bancocajasocial.geolocation\r\nimagin – Más que una app para gestionar tu dinero:\r\ncom.imaginbank.app\r\nBankinter Móvil:\r\ncom.bankinter.launcher\r\nBBVA Empresas | ES \u0026 PT:\r\ncom.bbva.netcash\r\nGrupo Cajamar:\r\ncom.grupocajamar.wefferent\r\nGo ABANCA:\r\ncom.indra.itecban.mobile.novobanco\r\nTriodos Bank. Banca Móvil:\r\ncom.indra.itecban.triodosbank.mobile.banking\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 28 of 48\n\nKutxabank:\r\ncom.kutxabank.android\r\nColonya Caixa Pollença:\r\ncom.rsi.Colonya\r\nruralvia:\r\ncom.rsi\r\nBanca Móvil Laboral Kutxa:\r\ncom.tecnocom.cajalaboral\r\nSantander:\r\nes.bancosantander.apps\r\nSantander Empresas:\r\nes.bancosantander.empresas\r\nUniPay Unicaja:\r\nes.cecabank.ealia2103appstore\r\nEVO Banco móvil:\r\nes.evobanco.bancamovil\r\nbank – banca móvil:\r\nes.openbank.mobile\r\nCriptocalculadora:\r\nes.santander.Criptocalculadora\r\nUnicaja Banco:\r\nes.unicajabanco.app\r\nAV Villas App:\r\ncom.grupoavalav1.bancamovil\r\nOrange Bank - Banco Móvil:\r\nes.orangebank.app\r\nBanco Sabadell App. Your mobile bank:\r\nnet.inverline.bancosabadell.officelocator.android\r\nCaixaBankNow:\r\nes.lacaixa.mobile.android.newwapicon\r\nING España. Banca Móvil:\r\nwww.ingdirect.nativeframe\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 29 of 48\n\nTarjeta prepago de correos:\r\ncom.correosprepago\r\nCarrefour PASS Móvil:\r\ncom.carrefour.carrefourPass\r\nEl Corte Inglés:\r\ncom.elcorteingles.app\r\nTarjeta El Corte Inglés:\r\ncom.feci.apps\r\nFrance List\r\nBoursorama Banque:\r\ncom.boursorama.android.clients\r\nBanxo:\r\ncom.caisseepargne.android.mobilebanking\r\nCIC:\r\ncom.cic_prod.bad\r\nCrédit Mutuel:\r\ncom.cm_prod.bad\r\nLa Banque Postale:\r\ncom.fullsix.android.labanquepostale.accountaccess\r\nLAppli Société Générale:\r\nmobi.societegenerale.mobile.lappli\r\nAXA Banque France:\r\ncom.axabanque.fr\r\nCrédit Coopératif:\r\ncom.credit_coop.android.mobilebanking\r\nMon Epargne Salariale:\r\ncom.mootwin.natixis\r\nCrédit du Nord pour Mobile:\r\ncom.ocito.cdn.activity.creditdunord\r\nHello bank! par BNP Paribas:\r\nfr.bnpp.digitalbanking\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 30 of 48\n\nMa Banque Entreprise:\r\nfr.bnpparibasentreprise.android\r\nBRED:\r\nfr.bred.fr\r\nMa Banque:\r\nfr.creditagricole.androidapp\r\nHSBC France:\r\nfr.hsbc.hsbcfrance\r\nMes Comptes - LCL:\r\nfr.lcl.android.customerarea\r\nPro \u0026 Entreprises LCL:\r\nfr.lcl.android.entreprise\r\nMes Comptes BNP Paribas:\r\nnet.bnpparibas.mescomptes\r\nBanque Laydernier - Mobile:\r\ncom.ocito.cdn.activity.banquelaydernier\r\nCaf - Mon Compte:\r\nfr.cnaf.mobile.moncompte\r\nCMB ma banque :\r\nsolde, virement \u0026 épargne:\r\ncom.arkea.android.application.cmb\r\nBanque Populaire:\r\nfr.banquepopulaire.cyberplus\r\nBforBank :\r\nla banque en ligne:\r\ncom.bforbank.androidapp\r\nFortuneo, banque \u0026 bourse:\r\ncom.fortuneo.android\r\nMonabanq:\r\ncom.mona_prod.bad\r\nShine - Compte pro en ligne:\r\ncom.shine.app\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 31 of 48\n\nQonto • Business Finance App:\r\neu.qonto.qonto\r\nNickel - Compte pour tous:\r\ncom.fpe.comptenickel\r\nGeorgia List\r\nCartu Bank Mobile:\r\ncom.mobius.mobilebank.cartu\r\nProCredit Bank myDirect:\r\ncom.pcb.mydirect\r\nBOG mBank - Mobile Banking:\r\nge.bog.mobilebank\r\nLiberty:\r\nge.lb.mobilebank\r\nBasisBank:\r\nge.mobility.basisbank\r\neMoney:\r\nge.mobility.emoney\r\nTerabank mBank - Mobile Banking:\r\nmobility.ge.terabank\r\nGreece List\r\nEurobank Mobile App:\r\ncom.EurobankEFG\r\nmyAlpha Mobile:\r\ncom.mobileloft.alpha.droid\r\nAstroBank Mobile Banking:\r\ngr.winbank.mobile.cyprus\r\nAttica Mobile:\r\neu.afse.omnia.attica\r\nNBG Mobile Banking:\r\nmbanking.NBG\r\nWinbank Mobile:\r\ngr.winbank.mobilenext\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 32 of 48\n\nHungary List\r\nOTP SmartBank:\r\ncom.aff.otpdirekt\r\nmyRaiffeisen mobile app:\r\ncom.rbinternational.retail.mobileapp\r\nUniCredit mBanking:\r\nhr.asseco.android.jimba.mUCI.hu\r\nBudapest Bank Mobil App:\r\nhu.bb.mobilapp\r\nCIB Business Online:\r\nhu.cardinal.cib.mobilapp\r\nErste Business MobilBank:\r\nhu.cardinal.erste.mobilapp\r\nK\u0026H mobilbank:\r\nhu.khb\r\nMKB Mobilalkalmazás:\r\nhu.mkb.mobilapp\r\nOTP Bank HU:\r\nhu.otpbank.mobile\r\nGeorge Magyarország:\r\npegasus.project.ebh.mobile.android.bundle.mobilebank\r\nVÚB Mobile Banking:\r\nsk.vub.mobile\r\ncom.aff.otpdirekt\r\ncom.rbinternational.retail.mobileapp\r\nhr.asseco.android.intesa.isbd.cib\r\nhr.asseco.android.jimba.mUCI.hu\r\nhu.bb.mobilapp\r\nhu.cardinal.cib.mobilapp\r\nhu.cardinal.erste.mobilapp\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 33 of 48\n\nhu.khb\r\nhu.mkb.mobilapp\r\nhu.otpbank.mobile\r\npegasus.project.ebh.mobile.android.bundle.mobilebank\r\nIndia List\r\nCent Mobile:\r\ncom.infrasofttech.CentralBank\r\nMaha Mobile:\r\ncom.infrasofttech.MahaBank\r\nDhanlaxmi Bank Mobile Banking:\r\ncom.dhanlaxmi.dhansmart.mtc\r\nKotak - 811 \u0026 Mobile Banking:\r\ncom.msf.kbank.mobile\r\nYono Business:\r\ncom.sbi.SBAnywhereCorporate\r\nHDFC Bank MobileBanking App:\r\ncom.snapwork.hdfc\r\nPNB ONE:\r\ncom.Version1\r\niMobile Pay by ICICI Bank:\r\ncom.csam.icici.bank.imobile\r\nPaytm:\r\nSecure UPI Payments:\r\nnet.one97.paytm\r\nFinShell Pay:\r\ncom.finshell.fin\r\nIPPB Mobile Banking:\r\ncom.iexceed.appzillon.ippbMB\r\nSBI Card:\r\ncom.ge.capital.konysbiapp\r\nBajaj Finserv Wallet:\r\ncom.mobikwik_new.bajajfinserv\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 34 of 48\n\nRBL MyCard:\r\ncom.rbl.rblmycard\r\nFederal Bank - FedMobile:\r\ncom.fedmobile\r\nIDFC FIRST Bank:\r\nMobileBanking:\r\ncom.idfcfirstbank.optimus\r\nItaly List\r\nBancoPosta:\r\nposteitaliane.posteapp.appbpol\r\nYouApp:\r\ncom.lynxspa.bancopopolare\r\nBNL:\r\nit.bnl.apps.banking\r\nCarige Mobile:\r\nit.carige\r\nUBI Banca:\r\nit.nogood.container\r\nSCRIGNOapp:\r\nit.popso.SCRIGNOapp\r\nPostepay:\r\nposteitaliane.posteapp.apppostepay\r\nIntesa Sanpaolo Mobile:\r\ncom.latuabancaperandroid\r\nSella:\r\ncom.sella.BancaSella\r\nmyCartaBCC:\r\nit.bcc.iccrea.mycartabcc\r\nBanca MPS:\r\nit.copergmps.rt.pf.android.sp.bmps\r\nBancaperta:\r\nit.creval.bancaperta\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 35 of 48\n\nMobile Banking UniCredit:\r\ncom.unicredit\r\nCheBanca!:\r\ncom.vipera.chebanca\r\nNexi Pay:\r\nit.icbpi.mobile\r\nHype:\r\nit.hype.app\r\nMediolanum:\r\ncom.mediolanum.android.fullbanca\r\nMexico List\r\nSuperMóvil:\r\nmx.bancosantander.supermovil\r\nBi en Línea:\r\ngt.com.bi.bienlinea\r\nBanorte Móvil:\r\norg.microemu.android.model.common.VTUserApplicationBNRTMB\r\nBanca Mifel:\r\ncom.mifel.mobile.activity\r\nBajionet Móvil Empresarial:\r\nmx.com.bb.b2\r\nBanco Sabadell Méx. Tu Ahorro:\r\nmx.bancsabadell.part\r\nBBVA México:\r\ncom.bancomer.mbanking\r\nScotiaMóvil MX:\r\ncom.scotiabankmx.scotiamovil\r\nHSBC México:\r\nmx.hsbc.hsbcmexico\r\nBBVA Empresas México:\r\ncom.bbva.GEMA\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 36 of 48\n\nBajionet Móvil:\r\norg.microemu.android.model.common.VTUserApplicationBNBJMB\r\nMalaysia List\r\nSC Mobile Malaysia:\r\nair.app.scb.breeze.android.main.my.prod\r\nAmOnline:\r\ncom.ambank.ambankonline\r\nCIMB Clicks Malaysia:\r\ncom.cimbmalaysia\r\nCitibank MY:\r\ncom.citibank.CitibankMY\r\nPB engage MY:\r\ncom.engage.pbb.pbengage2my.release\r\nHSBC Malaysia:\r\nmy.com.hsbc.hsbcmalaysia\r\nMaybank2u MY:\r\nmy.com.maybank2u.m2umobile\r\nallianceonline Mobile:\r\ncom.alliance.AOPMobileApp\r\nalrajhi@24seven Malaysia:\r\ncom.alrajhibank.mobile\r\nBSNeBiz Mobile- Corporate User:\r\ncom.bsnebiz.cdb\r\nAGRONet Mobile:\r\ncom.cedarplus.agro\r\nGO by Bank Islam:\r\ncom.iexceed.CBS\r\nMBSB Bank Mobile Banking:\r\ncom.MBSB.Bank.Mobile.Banking\r\nOCBC Malaysia Mobile Banking:\r\ncom.ocbc.mobilemy\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 37 of 48\n\nRHB Mobile Banking:\r\ncom.rhbgroup.rhbmobilebanking\r\nHLB Connect Mobile Banking App:\r\nmy.com.hongleongconnect.mobileconnect\r\nNigeria List\r\nFirstMobile:\r\ncom.firstbank.firstmobile\r\nAccess Bank plc:\r\ncom.accessbank.accessbankapp\r\nEcobank Mobile App:\r\ncom.app.ecobank\r\nUBA Mobile Banking:\r\ncom.uba.vericash\r\nUnion Bank Mobile Banking:\r\ncom.unionbank.ecommerce.mobile.android\r\nGTBank:\r\ncom.vanso.gtbankapp\r\nZenith Bank Mobile App:\r\ncom.zenithBank.eazymoney\r\nNederlands List\r\nING Bankieren:\r\ncom.ing.mobile\r\nABN AMRO:\r\ncom.abnamro.nl.mobile.payments\r\nICS Creditcard:\r\ncom.ics.nl.icscards\r\nNew Zealand List\r\nASB Mobile Banking:\r\nnz.co.asb.asbmobile\r\nKiwibank Mobile Banking:\r\nnz.co.kiwibank.mobile\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 38 of 48\n\nRabobank NZ:\r\ncom.rabobank.android.prod.nz\r\nSBS Bank Mobile:\r\nnz.co.sbsbank.mobile\r\nWestpac One (NZ) Mobile Banking:\r\nnz.co.westpac\r\nPeru List\r\nBBVA Perú:\r\ncom.bbva.nxt_peru\r\nBanca Móvil BCP:\r\ncom.bcp.bank.bcp\r\nBanco Santander Perú S.A.:\r\ncom.zoluxiones.officebanking\r\nInterbank APP:\r\npe.com.interbank.mobilebanking\r\nScotiabank Perú:\r\npe.com.scotiabank.blpm.android.client\r\nAPP Banco Pichincha Perú:\r\npe.pichincha.bm\r\nPoland List\r\nBNP Paribas GOmobile:\r\ncom.finanteq.finance.bgz\r\nCA24 Mobile:\r\ncom.finanteq.finance.ca\r\nGetin Mobile:\r\ncom.getingroup.mobilebanking\r\nplusbank24:\r\neu.eleader.mobilebanking.invest\r\nFakturownia.pl:\r\npl.fakturownia\r\nIFIRMA - Darmowy Program do Faktur:\r\npl.ifirma.ifirmafaktury\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 39 of 48\n\nMoje ING mobile:\r\npl.ing.mojeing\r\nmBank PL:\r\npl.mbank\r\nBPS Mobilnie:\r\npl.bps.bankowoscmobilna\r\nCitiManager – Commercial Cards:\r\ncom.citi.mobile.ccc\r\nIKO:\r\npl.pkobp.iko\r\nPeoPay:\r\nsoftax.pekao.powerpay\r\nBank Millennium:\r\nwit.android.bcpBankingApp.millenniumPL\r\nSantander mobile:\r\npl.bzwbk.bzwbk24\r\nAlior Mobile:\r\npl.aliorbank.aib\r\nNest Bank:\r\npl.nestbank.nestbank\r\nPortugal List\r\nCaixadirecta:\r\ncgd.pt.caixadirectaparticulares\r\nBanco BIC, SA:\r\ncom.exictos.mbanka.bic\r\nMY ATLANTICO:\r\neu.atlantico.bancoatlanticoapp\r\nBanca Móvil:\r\ncom.baninter\r\nBBVA Portugal:\r\ncom.bbva.mobile.pt\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 40 of 48\n\nSantander Particulares:\r\npt.santandertotta.mobileparticulares\r\nActivoBank:\r\nwit.android.bcpBankingApp.activoBank\r\nBanco CTT:\r\npt.bctt.appbctt\r\nCA Mobile:\r\nca.mobile.explorer\r\nNB smart app:\r\npt.novobanco.nbapp\r\nCaixadirecta Empresas:\r\npt.cgd.caixadirectaempresas\r\nMillenniumbcp:\r\nwit.android.bcpBankingApp.millennium\r\nBPI APP:\r\npt.bancobpi.mobile.fiabilizacao\r\nBest Bank:\r\npt.bancobest.android.mobilebanking\r\nSantander Empresas Portugal:\r\npt.santandertotta.mobileempresas\r\nABANCA - Portugal:\r\ncom.abanca.bm.pt\r\nWizink. Um banco. Infinitas possibilidades:\r\napp.wizink.pt\r\nBankinter Portugal:\r\ncom.bankinter.portugal.bmb\r\nBanco BiG Portugal:\r\npt.bigonline.BiGMobile\r\nMB WAY:\r\npt.sibs.android.mbway\r\nQatar List\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 41 of 48\n\nQIB Mobile:\r\ncom.pozitron.qib\r\nDoha Bank Mobile Banking:\r\ncom.db.mobilebanking\r\nQNB Mobile:\r\ncom.vipera.ts.starter.QNB\r\nQIIB Mobile:\r\ncom.QIIB\r\nAhlibank Personal Mobile App:\r\ncom.ahlibank.personal\r\nHSBC Qatar:\r\nqa.hsbc.hsbcqatar\r\nKFC Qatar - Order food online:\r\ncom.kfc.qatar\r\nKarwa Taxi - Official taxi:\r\ncom.karwatechnologies.karwataxi\r\nMashreq Qatar:\r\ncom.vipera.ts.starter.MashreqQA\r\nRomania List\r\nLibra Mobile Banking:\r\nlibra.mobile.banking\r\nFirst Bank Romania:\r\nro.firstbank.direct\r\nGeorge Romania:\r\nro.bcr.georgego\r\nRaiffeisen SmartToken:\r\nro.raiffeisen.eToken\r\nRaiffeisen Smart Mobile PI:\r\nro.raiffeisen.smartmobile\r\nNeoBT:\r\ncom.ebankit.com.bt\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 42 of 48\n\nING HomeBank:\r\nro.ing.mobile.banking.android.activity\r\nING Business:\r\nro.ing.business\r\nMyBRD Mobile:\r\nbrd.bankingapp.android\r\nBanca Transilvania:\r\nro.btrl.mobile\r\nMobile Banking (UniCredit Bank Romania):\r\nhr.asseco.android.jimba.mUCI.ro\r\nCEC Bank Mobile Banking:\r\nhr.asseco.android.jimba.cecro\r\nm-conect (Credit Agricole Bank Romania S.A.):\r\nro.ca.dem\r\nGaranti BBVA Romania:\r\ncom.garantibank.cepsubesiro\r\nAlpha Online Banking:\r\ncom.ofss.fcdb.mobile.android.alpharom.alphaandroid\r\nTurkey List\r\nFibabanka:\r\ncom.fibabanka.Fibabanka.mobile\r\nFibabanka Kurumsal Mobil:\r\ncom.fibabanka.mobile\r\nPaycell – Dijital Cüzdan, Ödeme ve Kart:\r\ncom.turkcell.paycell\r\nQNB Finansbank:\r\ncom.finansbank.mobile.cepsube\r\nING Mobil:\r\ncom.ingbanktr.ingmobil\r\nininal:\r\ncom.ininal.wallet\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 43 of 48\n\nAkbank:\r\ncom.akbank.android.apps.akbank_direkt\r\nKuveyt Türk Mobile:\r\ncom.kuveytturk.mobil\r\nOdeabank:\r\ncom.magiclick.odeabank\r\nPapara:\r\ncom.mobillium.papara\r\nPTTBank:\r\ncom.pttfinans\r\nTürkiye Finans Mobil Şube:\r\ncom.tfkb\r\nHalkbank Mobil:\r\ncom.tmobtech.halkbank\r\nKatılım Mobil:\r\ncom.ziraatkatilim.mobilebanking\r\nEnpara.com Şirketim Cep Şubesi:\r\nfinansbank.enpara.sirketim\r\ne-Devlet Kapısı:\r\ntr.gov.turkiye.edevlet.kapisi\r\nTrendyol - Online Alışveriş:\r\ntrendyol.com\r\nN Kolay:\r\ncom.aktifbank.nkolay\r\nAlbaraka Mobil:\r\ncom.albarakaapp\r\nAnadolubank Mobil:\r\ncom.anadolubank.android\r\nfastPay:\r\ncom.intertech.mobilemoneytransfer.activity\r\nMaximum İşyerim:\r\ncom.isbank.isyerim\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 44 of 48\n\nİşCep - Mobil Bankacılık:\r\ncom.pozitron.iscep\r\nCEPTETEB:\r\ncom.teb\r\nCEPTETEB İŞTE:\r\ncom.teb.kurumsal\r\nEnpara.com Cep Şubesi:\r\nfinansbank.enpara\r\nPeP:\r\npaladyum.peppara\r\nAlternatif Bank Mobil:\r\ntr.com.abank.dijital\r\nHSBC Turkiye:\r\ntr.com.hsbc.hsbcturkey.uk\r\nParam:\r\ntr.com.param.android\r\nMobilDeniz:\r\ncom.denizbank.mobildeniz\r\nGaranti BBVA Mobile:\r\ncom.garanti.cepsubesi\r\nVakıfBank Mobil Bankacılık:\r\ncom.vakifbank.mobile\r\nYapı Kredi Mobile:\r\ncom.ykb.android\r\nZiraat Mobil:\r\ncom.ziraat.ziraatmobil\r\nIsrael List\r\ncom.fibi.nativeapp (NEW)\r\ncom.ideomobile.discount (NEW)\r\ncom.ideomobile.hapoalim (NEW)\r\ncom.leumi.leumiwallet (NEW)\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 45 of 48\n\ncom.MizrahiTefahot.nh (NEW)\r\nil.co.yahav.mobbanking (NEW)\r\nJapan List\r\njp.co.smbc.direct\r\njp.japanpost.post.postbox.android\r\njp.co.aeonbank.android.passbook\r\ncom.kakaobank.channel\r\ncom.feib.appbank\r\ncom.ubs.swidKXJ.android\r\ncom.willmobile.mobilebank.fcb\r\ncom.mtel.androidbea\r\njp.co.jcb.my\r\njp.co.netbk\r\njp.co.rakuten_bank.rakutenbank\r\njp.co.nttdata\r\njp.ne.paypay.android.app\r\njp.auone.wallet\r\ncc.bitbank.bitbank\r\ncom.quoine.quoinex.light\r\njp.coincheck.android\r\nModern mobile malware for example “MetaDroid”, has an advanced implementation of WEB-injects aimed\r\ntowards banking platforms, and may use several injects simultaneously. Below is an example of 5 victims using\r\nmobile devices under Android OS from China, Finland, Netherlands, France and United States with collected\r\ncredentials from popular services.\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 46 of 48\n\nOnce the victim has been successfully infected and credentials have been delivered to a C2C Server, mobile\r\nmalware enabled operators execute various commands to manage the victim and to perform actions on their\r\ndevices for further successful theft (“Get SMS list”, “Send SMS” or “Forward Call”, for example:- when\r\ninteracting with the bank’s validation systems to confirm transaction or OTP code). This set of commands may\r\nvary depending on the mobile banking malware family.\r\nBots like ERMAC have functions to manage WEB-injects from C2C server (“Injections” – on the screenshot\r\nbelow):\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 47 of 48\n\nSignificance\r\nThere is no doubt, “In The Box” may be called the largest and probably the only one in its marketplace category\r\nproviding high-quality webinjects for popular types of mobile malware. It is expected cybercriminals will\r\ncontinue to upgrade their tools to attack consumers, and will start developing more advanced webinjects as well.\r\nFor today, \"In the Box\" is leveraged by cybercriminals to attack over 300 financial institutions (FIs), payment\r\nsystems, social media and online-retailers in 43 countries.\r\nSource: https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nhttps://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace\r\nPage 48 of 48\n\n https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace \nThe majority of high-demand injects is related to payment services including digital banking and cryptocurrency\nexchangers. During November 2022 the actor arranged a significant update of close to 144 injects improving their\nvisual design. \n Page 5 of 48", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://resecurity.com/blog/article/in-the-box-mobile-malware-webinjects-marketplace" ], "report_names": [ "in-the-box-mobile-malware-webinjects-marketplace" ], "threat_actors": [ { "id": "8309f9cf-9abb-4ce3-aa1e-cda7d7f5c1b3", "created_at": "2022-10-25T16:07:23.729215Z", "updated_at": "2026-04-10T02:00:04.729076Z", "deleted_at": null, "main_name": "Indra", "aliases": [], "source_name": "ETDA:Indra", "tools": [ "Stardust" ], "source_id": "ETDA", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8d28f58b-5ea2-4450-a74a-4a1e39caba6e", "created_at": "2026-03-16T02:02:50.582318Z", "updated_at": "2026-04-10T02:00:03.777263Z", "deleted_at": null, "main_name": "COASTLIGHT", "aliases": [ "Gonjeshke Darande", "Indra", "Predatory Sparrow" ], "source_name": "Secureworks:COASTLIGHT", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad", "created_at": "2022-10-25T16:07:23.590051Z", "updated_at": "2026-04-10T02:00:04.679488Z", "deleted_at": null, "main_name": "Energetic Bear", "aliases": [ "ATK 6", "Blue Kraken", "Crouching Yeti", "Dragonfly", "Electrum", "Energetic Bear", "G0035", "Ghost Blizzard", "Group 24", "ITG15", "Iron Liberty", "Koala Team", "TG-4192" ], "source_name": "ETDA:Energetic Bear", "tools": [ "Backdoor.Oldrea", "CRASHOVERRIDE", "Commix", "CrackMapExec", "CrashOverride", "Dirsearch", "Dorshel", "Fertger", "Fuerboos", "Goodor", "Havex", "Havex RAT", "Hello EK", "Heriplor", "Impacket", "Industroyer", "Karagany", "Karagny", "LightsOut 2.0", "LightsOut EK", "Listrix", "Oldrea", "PEACEPIPE", "PHPMailer", "PsExec", "SMBTrap", "Subbrute", "Sublist3r", "Sysmain", "Trojan.Karagany", "WSO", "Webshell by Orb", "Win32/Industroyer", "Wpscan", "nmap", "sqlmap", "xFrost" ], "source_id": "ETDA", "reports": null }, { "id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa", "created_at": "2022-10-25T16:47:55.919702Z", "updated_at": "2026-04-10T02:00:03.618194Z", "deleted_at": null, "main_name": "IRON VIKING", "aliases": [ "APT44 ", "ATK14 ", "BlackEnergy Group", "Blue Echidna ", "CTG-7263 ", "ELECTRUM ", "FROZENBARENTS ", "Hades/OlympicDestroyer ", "IRIDIUM ", "Qudedagh ", "Sandworm Team ", "Seashell Blizzard ", "TEMP.Noble ", "Telebots ", "Voodoo Bear " ], "source_name": "Secureworks:IRON VIKING", "tools": [ "BadRabbit", "BlackEnergy", "GCat", "NotPetya", "PSCrypt", "TeleBot", "TeleDoor", "xData" ], "source_id": "Secureworks", "reports": null }, { "id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31", "created_at": "2023-01-06T13:46:38.376868Z", "updated_at": "2026-04-10T02:00:02.949077Z", "deleted_at": null, "main_name": "Cleaver", "aliases": [ "G0003", "Operation Cleaver", "Op Cleaver", "Tarh Andishan", "Alibaba", "TG-2889", "Cobalt Gypsy" ], "source_name": "MISPGALAXY:Cleaver", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7d5531e2-0ad1-4237-beed-af009035576f", "created_at": "2024-05-01T02:03:07.977868Z", "updated_at": "2026-04-10T02:00:03.817883Z", "deleted_at": null, "main_name": "BRONZE PALACE", "aliases": [ "APT15 ", "BRONZE DAVENPORT ", "BRONZE IDLEWOOD ", "CTG-6119 ", "CTG-6119 ", "CTG-9246 ", "Ke3chang ", "NICKEL ", "Nylon Typhoon ", "Playful Dragon", "Vixen Panda " ], "source_name": "Secureworks:BRONZE PALACE", "tools": [ "BMW", "BS2005", "Enfal", "Mirage", "RoyalCLI", "RoyalDNS" ], "source_id": "Secureworks", "reports": null }, { "id": "219ddb41-2ea8-4121-8b63-8c762f7e15df", "created_at": "2023-01-06T13:46:39.384442Z", "updated_at": "2026-04-10T02:00:03.309654Z", "deleted_at": null, "main_name": "Predatory Sparrow", "aliases": [ "Indra", "Gonjeshke Darande" ], "source_name": "MISPGALAXY:Predatory Sparrow", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6", "created_at": "2022-10-25T15:50:23.339976Z", "updated_at": "2026-04-10T02:00:05.27483Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44" ], "source_name": "MITRE:Sandworm Team", "tools": [ "Bad Rabbit", "Mimikatz", "Exaramel for Linux", "Exaramel for Windows", "GreyEnergy", "PsExec", "Prestige", "P.A.S. Webshell", "AcidPour", "VPNFilter", "Neo-reGeorg", "Cyclops Blink", "SDelete", "Kapeka", "AcidRain", "Industroyer", "Industroyer2", "BlackEnergy", "Cobalt Strike", "NotPetya", "KillDisk", "PoshC2", "Impacket", "Invoke-PSImage", "Olympic Destroyer" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434672, "ts_updated_at": 1775792228, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/24bbe5315a0236f51eced9531b2ee623531d90e2.pdf", "text": "https://archive.orkl.eu/24bbe5315a0236f51eced9531b2ee623531d90e2.txt", "img": "https://archive.orkl.eu/24bbe5315a0236f51eced9531b2ee623531d90e2.jpg" } }