{
	"id": "c7d36650-16a6-41fa-aa13-b35c32c8f4ed",
	"created_at": "2026-04-06T00:19:31.529684Z",
	"updated_at": "2026-04-10T13:12:42.347717Z",
	"deleted_at": null,
	"sha1_hash": "3942c5383b6da44ce413d5da829e9491f8865b25",
	"title": "Rise of Banking Trojan Dropper in Google Play | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 618755,
	"plain_text": "Rise of Banking Trojan Dropper in Google Play | Zscaler\r\nBy Himanshu Sharma, Viral Gandhi\r\nPublished: 2022-11-10 · Archived: 2026-04-05 14:40:18 UTC\r\nThe Zscaler ThreatLabz team has recently discovered the Xenomorph banking trojan embedded in a Lifestyle app\r\nin the Google Play store. The app is “Todo: Day manager,” and has over 1,000 downloads. This is the latest in a\r\ndisturbing string of hidden malware in the Google Play store: in the last 3 months, ThreatLabz has reported over\r\n50+ apps resulting in 500k+ downloads, embedding such malware families as Joker, Harly, Coper, and Adfraud.\r\nFig no 1.Malware Installer From Play Store\r\nXenomorph is a trojan that steals credentials from banking applications on users’ devices. It is also capable of\r\nintercepting users’ SMS messages and notifications, enabling it to steal one-time passwords and multifactor\r\nauthentication requests. \r\nOur analysis found that the Xenomorph banking malware is dropped from GitHub as a fake Google Service\r\napplication upon installation of the app. It starts with asking users to enable access permission. Once provided, it\r\nadds itself as a device admin and prevents users from disabling Device Admin, making it uninstallable from the\r\nphone. Xenomorph creates an overlay onto legit banking applications to trick users into entering their credentials. \r\nA similar infection cycle was observed three months ago with the Coper banking trojan. This trojan was similarly\r\nembedded in apps on the Google Play store, and sourced its malware payload from the Github repo.\r\nTechnical Details\r\nBelow is the Xenomorph infection cycle once a user downloads an app and opens it.\r\nhttps://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0\r\nPage 1 of 8\n\nFig no 2.Flow of infection\r\nWhen the app is first opened, it reaches out to a Firebase server to get the stage/banking malware payload URL. 
It then downloads the Xenomorph banking trojan sample from GitHub. The banking payload later reaches out to its command-and-control (C2) servers, whose addresses it decodes either from the content of a Telegram page or from a static routine in its own code, to request further commands and extend the infection.\r\nThe parent dropper application (the one published on the Google Play Store) reads its configuration from a Firebase database.\r\nFig no 3. Malware with the downloader enabled\r\nFig no 4. Downloader not enabled\r\nAs the screenshots above show, the dropper only downloads the banking payload if the “Enabled” parameter in the Firebase configuration is set to true; while it is false, no payload is fetched.\r\nThe following screenshot shows how the Firebase configuration supplies the GitHub links from which the Xenomorph payload is downloaded:\r\nFig no 5. Dropper URLs stored in the Firebase database\r\nFigures 6 and 7 show the C2 retrieval from a Telegram page. The banking payload carries the Telegram page link RC4-encrypted; on execution it decrypts the link, reaches out to the Telegram page, and downloads the content hosted there.\r\nFig no 6. Telegram link response used to build the C2, in addition to the static encrypted C2 present in the app\r\nFig no 7. Telegram channel preview, where the string between the heart emojis is used to build the C2\r\nAs the following screenshot shows, the payload decrypts the C2 server address from the downloaded content:\r\nFig no 8. C2 decoded from the Telegram page\r\nThreatLabz also observed RC4-encrypted C2 domains stored directly inside the code, which serve as an additional C2 source alongside the one derived from Telegram.
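The C2 recovery chain described above for Figures 6 to 8 (Telegram page content, string between the heart emojis, RC4 decryption, plus the RC4-encrypted domain kept in the code), as an added example written for this page; it is not code from the Zscaler post or from the malware. The RC4 key, the hex encoding of the ciphertext, the exact heart character used as the marker and the sample page are assumptions constructed here, since the post does not give them.

```python
# Added example (not code from the Zscaler post or from Xenomorph itself).
# Reconstructs the C2 lookup described for the banking payload: take the
# string between two heart emojis on a Telegram page, RC4-decrypt it, and
# otherwise fall back to an RC4-encrypted domain embedded in the binary.
# Assumptions: the RC4 key, the hex encoding of the ciphertext, the marker
# character and the sample page are constructed here; the real key and
# encoding are not given in the post.
from typing import Optional, Tuple

HEART = chr(0x2764)    # U+2764 HEAVY BLACK HEART, assumed marker (see Fig no 7)
KEY = b'demo-rc4-key'  # assumed key, for the demonstration only


def rc4(key: bytes, data: bytes) -> bytes:
    '''Plain RC4 (KSA then PRGA). Symmetric: one call encrypts or decrypts.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_between_hearts(page_text: str) -> Optional[str]:
    '''Return the text between the first two heart markers, or None.'''
    first = page_text.find(HEART)
    if first < 0:
        return None
    second = page_text.find(HEART, first + 1)
    if second < 0:
        return None
    return page_text[first + 1:second].strip()


def decrypt_c2(key: bytes, hex_blob: str) -> Optional[str]:
    '''RC4-decrypt a hex blob; accept it only if it looks like a host name.'''
    try:
        plain = rc4(key, bytes.fromhex(hex_blob)).decode('ascii')
    except ValueError:  # bad hex, or non-ASCII output (wrong key or garbage)
        return None
    if not plain or ' ' in plain or '.' not in plain:
        return None
    return plain


def resolve_c2(key: bytes, page_text: str, static_hex: str) -> Optional[Tuple[str, str]]:
    '''Prefer the Telegram-derived C2; otherwise use the static one in the code.'''
    blob = extract_between_hearts(page_text)
    if blob is not None:
        c2 = decrypt_c2(key, blob)
        if c2 is not None:
            return ('telegram', c2)
    c2 = decrypt_c2(key, static_hex)
    if c2 is not None:
        return ('static', c2)
    return None


def build_sample_page(c2: str) -> str:
    '''Constructed stand-in for a Telegram channel preview (not a real capture).'''
    blob = rc4(KEY, c2.encode('ascii')).hex()
    return '<div>Update available ' + HEART + blob + HEART + ' thanks</div>'


# Static C2 as it would sit in the binary, built from a domain in the IoC list.
STATIC_C2_HEX = rc4(KEY, b'gogoanalytics.digital').hex()

if __name__ == '__main__':
    page = build_sample_page('gogoanalytics.click')
    print(resolve_c2(KEY, page, STATIC_C2_HEX))                     # telegram path
    print(resolve_c2(KEY, '<div>no marker</div>', STATIC_C2_HEX))  # static fallback
```

Running the file prints the Telegram-derived C2 first and the static one when no marker is present. For an analyst the useful part is decrypt_c2 with the key recovered from the sample: pulling the string between the markers from the live channel preview and decrypting it yields the current C2 without executing the payload, and the same routine applied to the hard-coded blob recovers the static domains listed under IoCs.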
The following screenshot shows the C2 request in which the payload sends the list of all installed applications to the C2 in order to receive further instructions. In one observed case, it presented the fake login page of a targeted banking application because the legitimate application was installed on the infected device.\r\nFig no 9. Malware uploading all package information to receive commands\r\nThreatLabz also observed another application, named “経費キーパー” (Expense Keeper), exhibiting the same behavior. When this application was executed, the “Enabled” parameter was set to false, as in the run shown in Figure 4, so it was not possible to retrieve the dropper URL for the banking payload. ThreatLabz has reported it to the Google Security team.\r\nFig no 10. Suspicious installer exhibiting the same behavior\r\nIoCs\r\nXenomorph banking trojan\r\nPackage Name MD5\r\nnjuknf.cpvmqe.degjia b8b8706807a97c40940109a93058c3d0\r\nylyove.pkmcsy.upvpta 98ea3fe61fde0c053dfac61977a11488\r\nylykau.jhfxjd.hlhhwl df57895cfc79ee8812aac5756ab4bcc8\r\nlkvrny.bbslie.mrgsdy 73511ef7bb9d59b3d91dbeef5f93eec0\r\ngkapsv.nlitfn.fzteaf f0b001dbe36f45cedcb15e3f9fc02fd7\r\nbinono.bgcwvl.iupqtk 8437e226e55ba6dea9a168bee5787b0d\r\ncfbyzn.zhxxjj.sziece 8f66412e945ca9a75797d5f5eba9765c\r\ngfgnfe.rcsjkm.abwxdj 6a117cafa32a680dc94f455745291f0f\r\nusyjui.monkab.acacpn cb9500f910bd655df444f7d43d0298f9\r\ngnvbgm.ipblyp.bpnyrg d95c03247a58d3fabb476a7f3241f3a1\r\nxsgrsn.nicojr.uaqxws cd63afae858fdf75f34aae05e36b8a34\r\nxhlkae.ligagt.dmihjy c5d510251a34f52427d133a6f9248cbf\r\nqlvsvm.oqsncp.otgbxc 781bbaee614697beecfcbe9a2f9dd820\r\nrxreyj.obxmlg.rjluib 49c4801abb6c92d17c8021c2f656c644\r\nbrpdxm.orolnd.jsxhrp 
1829589d95bdd2c30f0bef154decd426\r\nwwzaqw.eejyqr.czrldy e834676cdbd63ce4eb613499605dc365\r\nogbfbt.rhrnua.kccuoh 9e498ba660bdcb279149e6a5986c2793\r\nlnckvn.vlmjxx.uwcpub 4b2e849543b0ecaec1885170a5ef5243\r\nvjqfyn.ygmzrs.trlvch 7e4f1deb5b21d47a7c41ef1a5f43a2f2\r\nblglyu.rjqwgg.vveize 7f574986dc8a03e6a4cba60d1ac4f7d1\r\nC2s\r\nhxxps[://]github[.]com/blsmcamp/updt\r\ngogoanalytics[.]click\r\ngogoanalytics[.]digital\r\nConclusion\r\nAt Zscaler we proactively detect and monitor such applications to secure our clients. Banking phishing installers of this kind rely almost entirely on tricking users into installing a second, malicious application. Users are advised to pay attention to what is being installed: a Play Store application has no legitimate reason to sideload another APK or to ask users to allow installs from unknown sources, and an app such as a to-do manager has no reason to request accessibility or Device Admin rights. We expect hostile phishing downloaders to become more prevalent in the future, and user vigilance remains the most important defense against these campaigns.\r\nSource: https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/rise-banking-trojan-dropper-google-play-0"
	],
	"report_names": [
		"rise-banking-trojan-dropper-google-play-0"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434771,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3942c5383b6da44ce413d5da829e9491f8865b25.pdf",
		"text": "https://archive.orkl.eu/3942c5383b6da44ce413d5da829e9491f8865b25.txt",
		"img": "https://archive.orkl.eu/3942c5383b6da44ce413d5da829e9491f8865b25.jpg"
	}
}