{
	"id": "fc74cd95-ada1-4461-81a3-d2773f406e40",
	"created_at": "2026-04-06T01:29:17.760296Z",
	"updated_at": "2026-04-10T03:30:33.586168Z",
	"deleted_at": null,
	"sha1_hash": "31163e18669b45be0ff647e57a70c2bbc17c9fa7",
	"title": "Doctor Web anticipates increase in number of banking Trojan attacks on Android users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 225267,
	"plain_text": "Doctor Web anticipates increase in number of banking Trojan attacks on Android users\r\nPublished: 2017-01-20 · Archived: 2026-04-06 00:28:04 UTC\r\nModern Android banking Trojans are created by virus writers and sold for serious sums as commercial products via underground Internet platforms. However, the source code of one such malicious application was recently made public on a hacker forum, along with instructions on how to use it. Doctor Web security researchers believe that this may lead to a significant increase in the number of attacks involving Android banking Trojans.\r\nThe virus writers published the source code of the new malicious application just one month ago, but Doctor Web security researchers have already detected an Android banker created using the information published by the cybercriminals. This Trojan, dubbed Android.BankBot.149.origin, is distributed under the guise of benign programs. When a smartphone or tablet user installs and runs Android.BankBot.149.origin, the banker prompts the user to grant it administrator privileges in order to hinder its removal from the system. After that, it hides itself from the user by removing its shortcut from the home screen.\r\nThen Android.BankBot.149.origin connects to the command and control (C\u0026C) server and awaits instructions. The Trojan can execute the following actions:\r\nsend SMS messages;\r\nintercept SMS messages;\r\nrequest administrator privileges;\r\nsend USSD requests;\r\nobtain all contact list phone numbers;\r\nsend SMS messages containing the text specified in a command to all contact list numbers;\r\ntrack device geolocation via GPS satellites;\r\nrequest additional permissions on devices running the most recent Android versions to send SMS messages, make calls, and access the contact list and GPS receiver;\r\nreceive an executable file containing a list of attacked banking applications;\r\nshow phishing dialogs.\r\nLike many other Android bankers, Android.BankBot.149.origin steals confidential user information by tracking the launch of online banking applications and payment system software. One sample examined by Doctor Web security researchers monitors over three dozen such programs. Once Android.BankBot.149.origin detects that any of the aforementioned applications has been launched, it loads the relevant phishing input form designed to capture the user's bank account login and password and displays it on top of the attacked application.\r\nThe Trojan steals not only mobile banking login credentials but also bank card information belonging to the owner of the compromised device. For this purpose, Android.BankBot.149.origin tracks the launch of such popular applications as Facebook, Viber, YouTube, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, and Play Store and displays a phishing dialog resembling the one used to make purchases on Google Play.\r\nWhen an SMS message arrives, the Trojan turns off all sounds and vibrations, sends the message content to the cybercriminals, and attempts to delete the original message from the list of incoming SMS. As a result, a user could miss not only bank notifications about unexpected transactions but also other incoming messages.\r\nAndroid.BankBot.149.origin uploads all the stolen data to the C\u0026C server, where it becomes available in the administration panel. This allows cybercriminals not only to obtain the information they are interested in but also to control the malicious application.\r\nIn general, the capabilities of this Trojan are fairly standard for modern Android bankers. However, as cybercriminals created it using publicly available information, one can anticipate that many similar Trojans will appear. Dr.Web for Android successfully detects Android.BankBot.149.origin; therefore, this malicious program poses no threat to our users.\r\nSource: https://news.drweb.com/show/?i=11104\u0026lng=en",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://news.drweb.com/show/?i=11104\u0026lng=en"
	],
	"report_names": [
		"?i=11104\u0026lng=en"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775438957,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/31163e18669b45be0ff647e57a70c2bbc17c9fa7.pdf",
		"text": "https://archive.orkl.eu/31163e18669b45be0ff647e57a70c2bbc17c9fa7.txt",
		"img": "https://archive.orkl.eu/31163e18669b45be0ff647e57a70c2bbc17c9fa7.jpg"
	}
}