{
	"id": "311f5eba-f2c0-48aa-9181-860c5efad4a3",
	"created_at": "2026-04-06T01:32:15.814509Z",
	"updated_at": "2026-04-10T13:11:32.391365Z",
	"deleted_at": null,
	"sha1_hash": "2ede76ad3857ad44649358520839e174ac8e4450",
	"title": "Sunny with a chance of stolen credentials: Malicious weather app found on Google Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 646452,
	"plain_text": "Sunny with a chance of stolen credentials: Malicious weather app found on Google Play\r\nBy Lukas Stefanko\r\nArchived: 2026-04-06 01:27:12 UTC\r\nESET Research\r\n\r\nESET has spotted new banking malware on Google Play. Disguised as a weather forecast app, it steals banking credentials and locks screens.\r\n\r\n22 Feb 2017 • 4 min. read\r\n\r\nAndroid users were the target of new banking malware with screen-locking capabilities, disguised as a weather forecast app on Google Play.\r\n\r\nDetected by ESET as Trojan.Android/Spy.Banker.HU, the malware was a trojanized version of the otherwise benign weather forecast application Good Weather.\r\n\r\nThe malicious app managed to get around Google’s security mechanisms and appeared in the store on February 4th, only to be reported by ESET two days later and consequently pulled from the store. During its short lifetime, the app found its way onto the devices of up to 5,000 users.\r\n\r\nBesides the weather forecast functionality it adopted from the original legitimate application, the trojan is able to lock and unlock infected devices remotely and intercept text messages. On top of that, it targeted the users of 22 Turkish mobile banking apps, whose credentials were harvested using phony login forms.\r\n\r\nFigure 1: Trojanized Good Weather app on Google Play\r\n\r\nFigure 2: Malicious app description as found on Google Play\r\n\r\nHow does it operate?\r\n\r\nAfter the app is installed by an unsuspecting user, its weather-themed icon disappears. The infected device then displays a fake system screen requesting device administrator rights on behalf of a fictitious “System update”. By enabling these rights, the victim allows the malware to “Change the screen-unlock password” and “Lock the screen” (in Android device administrator terms, the reset-password and force-lock policies).\r\n\r\nFigure 3: Green - legitimate Good Weather icon, Red - malicious version\r\n\r\nFigure 4: Fake “System update” demanding device administrator rights\r\n\r\nTogether with the permission to intercept text messages obtained during installation, the trojan is now all set to start its malicious activity.\r\n\r\nUsers who are not alarmed at this point might be pleased with the new weather widget they can add to their home screens. However, in the background, the malware gets to work sharing device information with its C\u0026C server.\r\n\r\nDepending on the command it gets in return, it can intercept received text messages and send them to the server, remotely lock and unlock the device by setting a lock screen password of the attackers’ choice, and harvest banking credentials.\r\n\r\nThe trojan displays a fake login screen once the user runs one of the targeted banking apps and sends the entered data to the attacker. Thanks to the permission to intercept the victims’ text messages, the malware is also able to bypass SMS-based two-factor authentication.\r\n\r\nAs for the device locking, we suspect this function enters the picture when cashing out the compromised bank account, to keep the fraudulent activity hidden from the user. Once locked out, all victims can do is wait until the malware receives a command to unlock the device.\r\n\r\nHas my device been infected? How do I clean it?\r\n\r\nIf you’ve recently installed a weather app from the Play Store, you might want to check whether you have been one of the victims of this banking trojan.\r\n\r\nIn case you think you might have downloaded an app named Good Weather, check for its icon under your apps. See the yellow icon from Fig. 3? Your app is safe. Can’t find any icon and the app only works as a widget? Search further under Settings -\u003e Application Manager. If you find the app with its blue icon in your Application Manager, as depicted below, you have downloaded the malicious Good Weather imitation.\r\n\r\nTo clean your device, you can turn to a renowned mobile security solution, such as ESET Mobile Security, or you can remove the malware manually.\r\n\r\nTo manually uninstall the trojan, it is first necessary to deactivate its device administrator rights, found under Settings -\u003e Security -\u003e System update. With that done, you can uninstall the malicious app in Settings -\u003e Application Manager -\u003e Good Weather. The order matters: as long as the “System update” device administrator is active, Android will not let you uninstall the package.\r\n\r\nFigure 5: Malware disguised as System update under active Device administrators\r\n\r\nFigure 6: The trojan in Application Manager\r\n\r\nHow to stay safe\r\n\r\nSince the trojanized version of the app has already been pulled from the store, it is safe to download Good Weather as originally delivered to Google Play by the developer AsdTm.\r\n\r\nHowever, as malicious fakes of legitimate apps continue to infiltrate the Play Store, it’s good to stick to some basic principles to keep you from encountering them first-hand.\r\n\r\nAlthough not flawless, Google Play does employ advanced security mechanisms to keep malware out. As this may not be the case with alternative app stores or other unknown sources, opt for the official Google Play store whenever possible.\r\n\r\nWhile downloading from the Play store, make sure to get to know the app permissions before installing or updating. Instead of automatically giving an app the permissions it demands, consider what they mean for the app as well as your device. If anything seems out of line, read what other users write in their reviews and rethink downloading accordingly. A weather app that asks to receive your text messages and to administer your device, as this one did, is out of line.\r\n\r\nAfter running anything you’ve installed on your mobile device, keep paying attention to what permissions and rights it requests. An app that won’t run without advanced permissions that aren’t connected to its intended function might be an app you don’t want installed on your phone.\r\n\r\nLast but not least, even if all else fails, a reputable mobile security solution will protect your device from active threats.\r\n\r\nIf you’d like to find out more about Android-based malware, look into our latest research on the topic.\r\n\r\nYou’re also welcome to stop by ESET’s stand at this year’s Mobile World Congress.\r\n\r\nAnalyzed sample’s Indicators of Compromise (IoCs)\r\n\r\nPackage name: goodish.weather\r\nSHA-1 hash: A69C9BAD3DB04D106D92FD82EF4503EA012D0DA9\r\nDetection: Android/Spy.Banker.HU\r\n\r\nThe package name is the value to look for on a device (for example in Application Manager or in the output of adb shell pm list packages); the hash identifies the analyzed APK itself.\r\n\r\nTargeted applications (package names of the 22 Turkish banking apps):\r\ncom.garanti.cepsubesi\r\ncom.garanti.cepbank\r\ncom.pozitron.iscep\r\ncom.softtech.isbankasi\r\ncom.teb\r\ncom.akbank.android.apps.akbank_direkt\r\ncom.akbank.softotp\r\ncom.akbank.android.apps.akbank_direkt_tablet\r\ncom.ykb.androidtablet\r\ncom.ykb.android.mobilonay\r\ncom.finansbank.mobile.cepsube\r\nfinansbank.enpara\r\ncom.tmobtech.halkbank\r\nbiz.mobinex.android.apps.cep_sifrematik\r\ncom.vakifbank.mobile\r\ncom.ingbanktr.ingmobil\r\ncom.tmob.denizbank\r\ntr.com.sekerbilisim.mbank\r\ncom.ziraat.ziraatmobil\r\ncom.intertech.mobilemoneytransfer.activity\r\ncom.kuveytturk.mobil\r\ncom.magiclick.odeabank\r\n\r\nSource: https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/"
	],
	"report_names": [
		"sunny-chance-stolen-credentials-malicious-weather-app-found-google-play"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439135,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ede76ad3857ad44649358520839e174ac8e4450.pdf",
		"text": "https://archive.orkl.eu/2ede76ad3857ad44649358520839e174ac8e4450.txt",
		"img": "https://archive.orkl.eu/2ede76ad3857ad44649358520839e174ac8e4450.jpg"
	}
}