{
	"id": "1c480692-a42a-4072-9e4f-972a3cf99899",
	"created_at": "2026-04-06T02:10:44.544077Z",
	"updated_at": "2026-04-10T13:12:06.61957Z",
	"deleted_at": null,
	"sha1_hash": "493c4d7c3b0f99b8478fb11aace1bd64d26d4f0c",
	"title": "The Rage of Android Banking Trojans",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4763534,
	"plain_text": "The Rage of Android Banking Trojans\r\nPublished: 2024-10-01 · Archived: 2026-04-06 01:37:55 UTC\r\nIntroduction\r\nIn Greek mythology Achilles was quite simply invincible during the Trojan War; he was also rather proud and\r\nbad-tempered for his own good and his rage would cost both his countrymen and the enemy dearly. In the past 7\r\nyears, ThreatFabric has discovered many new Android banking trojans, all with one common trait: an insatiable\r\nrage against Android banking apps. In this blog we will discuss what have been the underlying catalysts behind\r\nthis rage and what new weapons are currently filling the virtual Trojan Horses. The second part of the blog is\r\nfocused on new on-device fraud capabilities utilised by malware families to perform fraud in an automated way\r\nusing the victims own Android banking app.\r\nCatalysts\r\nOne of the most obvious catalysts that played an important role in The Rage we are experiencing are the source\r\ncode leaks of two very effective bots, namely Anubis 2.5 and Cerberus: these leaks resulted in multiple private\r\ntrojan versions actively targeting regions such as Poland, Spain, Turkey, and Italy (local actors).\r\nWe also noticed a very clear new trend adopted by Android banking families in the way they advertise themselves.\r\nFrom 2018 to mid 2020 Android banking trojans from families like Red Alert or Cerberus, had all adopted the\r\nMalware as a Service (MaaS) model: actors would rent their malware services on a subscription basis and would\r\naggressively advertise their service on multiple dark web forums. What’s noticeable is that the MaaS strategy for\r\nhttps://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html\r\nPage 1 of 23\n\nmost adversaries has resulted in financial gain on short term but has not been very sustainable over time (Maza-in’s Anubis and Red Alert as MaaS are good examples). 
However, recent malware families, including Alien and Medusa among others, adopted a more reserved approach, limiting their exposure on public forums and using side channels for customers to communicate directly with the vendor. Looking at the current infection success rates of the trojan families we are tracking, we can only conclude that the new private strategy is paying off and seems to be a more sustainable business model.\r\nThe last catalyst fuelling The Rage is the professionalization of malware distribution campaigns. Within the Android banking trojan ecosystem, we observed an increase in the number of adversaries providing so-called dedicated trojan distribution services (DaaS). These services usually consist of dropper/loader Android apps (masquerading as legitimate apps) in different app stores, including the Google Play Store. The Rage does not stop at abusing trusted app stores: recently we have seen a considerable number of distribution campaigns using GitHub, Discord and other social media channels as their main storage and spreading tactic.\r\nStatistics\r\nOur Mobile Threat Intel (MTI) platform, responsible for classifying Android banking malware samples, cataloguing their technical capabilities and extracting the so-called overlay targets, has observed a 129% increase in the list of apps targeted with overlay attacks since 2019. The largest increase has taken place in the past year, and The Rage is continuing in 2021.\r\nWith many different cryptocurrencies hitting their highest market value in 2021, populating newsfeeds all over the world and now more than ever being discussed extensively in mainstream media, it is not a surprise that cryptocurrency wallets are the most common targets for this new wave of banking trojans. 
Another important fact to consider is that, while banking apps tend to have different versions of their APK based on the country they serve, crypto wallets tend to have one unique APK, making it easier for malicious actors to target them.\r\nNew capabilities \u0026 trends\r\nA clear new trend in Android banking trojan families is the focus on developing malware capabilities that allow actors to perform fraud on victims in an automated way using the victims’ own banking or Bitcoin wallet apps. Overview:\r\nScaling on-device fraud attempts by developing Automated Transfer System modules powered by AccessibilityService.\r\nNew ways to start Remote Access (RAT) sessions relying on Android native code to avoid additional installations (VNC/TeamViewer).\r\nLogging all (secret) content inside apps, including OTP apps like Authenticator (Google/Microsoft).\r\nManipulating the beneficiary input fields of Android banking apps while the victim is in the flow of performing payments (a very successful attack).\r\nEntering a new ERA: shifting focus from credential-stealing capabilities to on-device fraud automation\r\nFor the past 5 years the main way to steal mobile banking login credentials and verification codes (OTP) has been the use of so-called overlay attacks. With this attack pattern (MITRE TTP: T1411) attackers harvest login credentials with a fake login window on top of the original banking app. In the past year malicious actors mainly used these stolen credentials to register a new device to perform fraud, or to steal the currency in a crypto wallet using a different channel, for example through the web interface. 
This attack is also known as device registration fraud, which results in financial loss on a separate device or channel.\r\nHowever, as covered in our 2020 blog “Year of the RAT”, actors moved to execute financial fraud scenarios directly on the victim’s device by installing additional services such as a back-connect proxy and remote access software, such as VNC or TeamViewer, to control the victim’s device remotely.\r\nThis year actors have taken the so-called on-device fraud strategy to the next level by performing actions in the targeted banking app on behalf of the victim and even automating fraudulent transfers.\r\nAutomated Transfer System (ATS)\r\nThe main purpose of Android’s Accessibility Service is to assist users with disabilities. However, when a victim is lured by an Android banking trojan into enabling this service with enticing and repeated fake messages, the (malicious) AccessibilityService can read anything a normal user can see and recreate any action a user can perform on an Android device.\r\nLet’s dig a bit deeper into how this works by analyzing the trojans that have mastered this attack vector this year: Gustuff and Medusa. Let’s take a transfer activity from a demo banking app as an example: from an Accessibility perspective, all the input fields have a so-called @Android:id label which can be read and controlled by any AccessibilityService running on the victim’s device. In this example, by providing the bot command setText(TEXT), an attacker can, in a fully automated way, change the beneficiary account number to anything he/she wants in order to transfer funds to a money mule. 
In general, the malware’s Accessibility script first reads the victim’s balance information (also through an automated process) before performing this attack.\r\nTo provide a bit more context, the Accessibility script below is used by the Android banking trojan Gustuff for the St.George Android banking app: it performs a login on behalf of the victim to start a session in a timely fashion (using some sleep cycles to look more legitimate) and uses this active app session to script against the transfer screen of the mobile banking app to perform a payment to a mule on behalf of the victim, successfully completing a full ATS attack.\r\nfunction stgeorge(info) {\r\n  let actions = [{\r\n    \"type\": \"open\",\r\n    \"open\": \"launch\",\r\n    \"value\": \"org.stgeorge.bank\"\r\n  }, {\r\n    \"type\": \"delay\",\r\n    \"time\": 1000\r\n  }, {\r\n    \"type\": \"windows\",\r\n    \"root\": true\r\n  }, {\r\n    \"type\": \"interactive\",\r\n    \"viewId\": \"org.stgeorge.bank:id/continue_button\",\r\n    \"click\": true\r\n  }, {\r\n    \"type\": \"delay\",\r\n    \"time\": 1000\r\n  }, {\r\n    \"type\": \"interactive\",\r\n    \"viewId\": \"org.stgeorge.bank:id/btn_logon\",\r\n    \"click\": true\r\n  }, {\r\n    \"type\": \"delay\",\r\n    \"time\": 1000\r\n  }, {\r\n    \"type\": \"interactive\",\r\n    \"viewId\": \"org.stgeorge.bank:id/logon_button\",\r\n    \"click\": true\r\n  }, {\r\n    \"type\": \"delay\",\r\n    \"time\": 8000\r\n  }];\r\n  if (info.securityNum) {\r\n    actions = actions.concat([{\r\n      \"type\": \"interactive\",\r\n      \"viewId\": \"org.stgeorge.bank:id/pin_editor\",\r\n      \"setText\": info.securityNum\r\n    }]);\r\n  } else if (info.pass) {\r\n    actions = actions.concat([{\r\n      \"type\": \"interactive\",\r\n      \"viewId\": \"org.stgeorge.bank:id/internet_password_ET\",\r\n      \"setText\": info.pass\r\n    }, {\r\n      \"type\": 
\"delay\",\r\n \"time\": 500\r\n }, {\r\n \"type\": \"interactive\",\r\n \"viewId\": \"org.stgeorge.bank:id/login_Button\",\r\n \"click\": true\r\n }]);\r\n }\r\n return utils.buildCommand(\"array\", {\r\n \"actions\": actions\r\n });\r\n}\r\nThis capability adds a new layer of danger to the Android banking malware ecosystem, by making large scale\r\ncampaigns more automated and easier to manage for threat actors. To summarize the on-device fraud MO:\r\nhttps://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html\r\nPage 7 of 23\n\nAccessibility Event Logging\r\nAnother incredibly powerful feature of multiple families, including Medusa and Gustuff, is event logging. If the\r\nbot receives the command from the C2, it starts to recursively collect the information about the active window\r\nstarting from the root node, which means it is able to collect information about everything that is displayed on the\r\nscreen. Information of interest includes, but is not limited to, the following:\r\nNode bounds in screen coordinates (position of elements in the UI)\r\nText of the node (the text inside an element)\r\nWhether this node is password (if the element is a field of type “password”)\r\nThe following snippet from Anatsa shows the code that collects the information of active Node and all its children\r\nthat are matching a specific string:\r\npublic static List getAllNodes(AccessibilityNodeInfo arg6, String arg7) {\r\n String v0 = arg7.toLowerCase();\r\n ArrayList v1 = new ArrayList();\r\n if (arg6 == null) {\r\n return v1;\r\n }\r\n int v2 = arg6.getChildCount();\r\n int v3;\r\n for (v3 = 0; v3 \u003c v2; ++v3) {\r\n AccessibilityNodeInfo v4 = arg6.getChild(v3);\r\n if (v4 != null) {\r\n if (v4.getClassName() != null \u0026\u0026 v4.getClassName().toString().toLowerCase().contains(v0))) {\r\n v1.add(v4);\r\nhttps://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html\r\nPage 8 of 23\n\n} else {\r\n v1.addAll(Utils.getAllNodes(v4, 
arg7));\r\n      }\r\n    }\r\n  }\r\n  return v1;\r\n}\r\nBy collecting all this data, the actor can get a better understanding of the interface of different applications and therefore implement relevant scenarios for the accessibility scripting feature. Moreover, it gives actors deeper insight into the applications the victim uses and their typical usage, and it allows actors to intercept some of their data.\r\nReplacing account number in input fields\r\nAnother Accessibility trick has been introduced by the Medusa Android banking trojan, and it is triggered by the command fillfocus. This feature allows the actor to replace the content of the focused input field with text specified by the attacker, and can be used to invisibly substitute the victim’s input with the one set by the actor(s). This is done by abusing the AccessibilityService. The following snippet shows the code that sets the focused input field with text received from the C2:\r\npublic void fillfocus(int cmdId, String t_text) {\r\n  if (WorkerAccessibilityService.accessibilityService != null) {\r\n    Bundle bundle = new Bundle();\r\n    bundle.putCharSequence(\"ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE\", t_text);\r\n    // find the FOCUS_INPUT field\r\n    AccessibilityNodeInfo accessNodeInfo = WorkerAccessibilityService.accessibilityService.findFocus(1);\r\n    if (accessNodeInfo != null) {\r\n      // perform ACTION_SET_TEXT\r\n      accessNodeInfo.performAction(0x200000, bundle);\r\n    }\r\n    this.sendCmdExecuted(cmdId);\r\n    return;\r\n  }\r\n  throw null;\r\n}\r\nWith this feature, actors can for example replace the bank account number that the victim selected with one controlled by the attacker, effectively tricking the victim into transferring money to a money mule.\r\nClipper\r\nAnother newly introduced feature is the capability to change the clipboard content to text specified by the actor(s). The Medusa trojan can receive the command “copyclip” with the text to be set as its parameter. 
This is a common MO for so-called “clippers”, a type of malware that steals or substitutes clipboard data. Similar in concept to the previous technique, it is usually used to invisibly substitute sensitive data such as an IBAN or cryptocurrency wallet address, tricking the victim into performing an operation, such as a transaction, to a beneficiary which was not the original one. The following snippet shows the code that sets the clipboard data with text received from the C2:\r\nprivate void copyclip(int cmdId, String textFromC2) {\r\n  Context ctx = this.mContext.getApplicationContext();\r\n  try {\r\n    // the tail of this line was truncated in the source; the second argument is restored here as the C2-supplied text\r\n    ((ClipboardManager) ctx.getSystemService(\"clipboard\")).setPrimaryClip(ClipData.newPlainText(\"Copied Text\", textFromC2));\r\n  } catch (Exception unused_ex) {}\r\n  this.sendCmdExecuted(cmdId);\r\n}\r\nScreen casting using integrated solutions\r\nIn the past 2 years Android banking trojan actors have focused on adding so-called Remote Access Trojan (RAT) capabilities by installing and configuring additional VNC and TeamViewer services on the victims’ devices. This is a very loud activity from a malware detection perspective. It seems that new actors behind trojans such as Medusa have figured out that the Android OS itself can natively support the hidden RAT objective. 
Many new families are using Accessibility services to perform actions on the victims’ behalf in combination with audio and video streaming using RTSP (Real Time Streaming Protocol), giving the RAT an incredibly powerful feature without the need to install additional apps such as VNC/TeamViewer:\r\npublic static String lA(int arg3, String arg4, String arg5, String arg6) {\r\n  // builds the SDP media description for an H.265 video track (payload type 96) used by the RTSP session;\r\n  // the first string literal was truncated in the source and its tail is restored here as \"a=fmtp:96 sprop-sps=\"\r\n  StringBuilder v0 = new StringBuilder().insert(0, \"m=video 0 RTP/AVP 96\\r\\na=rtpmap:96 H265/90000\\r\\na=fmtp:96 sprop-sps=\");\r\n  v0.append(arg4);\r\n  v0.append(\"; sprop-pps=\");\r\n  v0.append(arg5);\r\n  v0.append(\"; sprop-vps=\");\r\n  v0.append(arg6);\r\n  v0.append(\";\\r\\na=control:trackID=\");\r\n  v0.append(arg3);\r\n  v0.append(\"\\r\\n\");\r\n  return v0.toString();\r\n}\r\nDistribution\r\nNew Google Play Store banking malware campaign\r\nThreatFabric has been tracking a strong group that has been very successful in spreading trojans on the Google Play Store using apps masquerading as “QR Scanners”. The main purpose of these so-called malware dropper apps is to spread a private/customized version of the Anubis banking trojan targeting over 1200 banking and cryptocurrency wallet apps.\r\nThe dropper apps have been successfully reappearing in the Google Play Store over a period of 13 months, despite our strong efforts in reporting these apps as malicious to Google.\r\nThe first Google Play dropper app masquerading as “QR Scanner” appeared in February 2020 (com.tasklog.qrcodescanner) and one of the latest (com.quar.qrscanner) was uploaded to the Play Store in March 2021. 
This malware distribution campaign has resulted in at least 30,000 infected devices, and the actors behind them are preparing a new dropper app at the time of writing.\r\nThe dropper apps are only active for a short time, with long pauses between active periods. To stay under the radar, the dropper also implements several evasion techniques to bypass static and dynamic analysis during the Google Play Store evaluation period, as well as to make further analysis by security researchers and AV products more complicated. For example, the string decryption routine is performed correctly only if a datetime check passes: if the date is earlier than the one stated in the code, the decryption is performed with the wrong key, which prevents the decryption and therefore the launch of the malicious dropper code.\r\npublic static byte[] decrypt_string(byte[] arg1) {\r\n  // before the date encoded in is_later_then_05_03_2021 the bytes are XORed with 0, i.e. left encrypted;\r\n  // only after that date is the real key rq.int_52 applied\r\n  return qk.is_later_then_05_03_2021() ? ra.xor_int(arg1, rq.int_52) : ra.xor_int(arg1, 0);\r\n}\r\nAfter the deadline has passed, the malicious dropper is decrypted and launched. Nevertheless, this stage also performs several checks to determine whether the device is suitable to download the actual payload. The dropper collects information about the device and sends it to the C2: hardware information, the list of all system and third-party packages installed on the device, whether the device is being used to debug applications via USB, etc. On the C2 side the actor(s) decide whether to continue with downloading the payload or not.\r\nThe C2 responds with whether the dropper should download a payload or kill itself. 
If the “kill” command is received, the malicious code launched earlier is deleted from the device and never launched again.\r\nThe whole process is highly manually maintained by the actor(s), making it difficult to detect from an automated perspective.\r\nThe actual payload seen by ThreatFabric analysts is a private and customized variant of the Anubis trojan that is packed with a commercial tool (DexProtector). This campaign shows that the actor(s) behind banking trojans are highly skilled and inventive in staying under the radar and delivering malicious applications to users’ devices.\r\nConclusion\r\nThere has been a 129% increase in targeted banking apps in the span of only one year. A noticeable addition is cryptocurrency wallet apps, which are now part of every new Android banking trojan family’s target list.\r\nExisting families like Gustuff and new Android banking trojans like Medusa have fully adapted to performing on-device fraud attacks by automating the login sequence, checking the victim’s balance, and creating payments to money mules using ATS (Automated Transfer System) modules. This attack vector is achieved by abusing Accessibility features of the Android operating system. To further fortify the on-device fraud strategy, adversaries also discovered that they can use native Android code (instead of TeamViewer/VNC) to achieve screen streaming capabilities (using RTSP), making the attack less noticeable on the victim’s device. Chaining this native screen streaming feature of Android with Accessibility controls, such as performing actions (clicks) on the victims’ behalf, results in a fully hidden Remote Access Trojan (RAT). 
We can consider these developments a significant threat to mobile payments on the Android platform.\r\nThis overview shows a brief recap of the main ATS capabilities from different families:\r\nThe success rate of one Gustuff botnet (4 active botnets at the time of writing) in only one week consisted of 757 harvested credentials and ATS fraud attempts in countries such as the UK, Canada and Australia.\r\nThe Rage does not end here: adversaries have also proven able to continuously bypass Google Play Store malware protection controls with apps masquerading as “QR-Reader/Scanner” over the course of a year, resulting in a strong private botnet of at least 30,000 infections targeting over 200 banking apps with a private version of Anubis that is obfuscated with a commercial tool (DexProtector).\r\nMost of the new strains of these malware families are now raging as privately run projects, switching from the very loud MaaS (Malware as a Service) trend that we observed last year. 
This could also be a result of increasingly successful attempts by law enforcement to catch and punish the people behind these threats and to boldly disrupt underground forums.\r\nMore than ever, a clear overview and understanding of the mobile banking threat landscape is crucial for mobile payments, and tools to detect attack behaviour such as ATS from Android banking malware on devices have become invaluable to avoid fraud.\r\nAppendix\r\nIOCs\r\nName: SHA256 Hash\r\nAnubis QRcode Dropper: 998ba967bb23e6324c8f689ca0e1b5f28434d1ffdd52eac751f0649f037328c1\r\nAnubis.C: 617f3969267477d9c50e089139ea7627f1916259fc9b8c5028e2257a7ab7077a\r\nAnatsa.A: a20f6c19ef20213df5b8e277d21dd70fe1cf99215ab42c39d69cce2396e72972\r\nMedusa.B: 05c8fc94e6f08bb0600fe7d8177a17ad65f01ec34fe749ea4981994dd890b1c8\r\nGustuff.C: 3d196d954a2ea68c5ea65901fb7905b4773ead3fdb6967400beb370580e6f4a5\r\nCapabilities\r\nMedusa.B\r\nName: Description\r\nClipboard interaction: The malware can extract data from or insert data into the device’s clipboard\r\nApp auto-start at device boot: The malware starts automatically when the device is turned on or restarted\r\nApp termination: The malware can terminate apps\r\nPreventing removal: The malware can prevent its removal\r\nHiding the app icon: The malware can hide its icon from the application drawer\r\nScreen streaming: The malware can stream what is displayed on the device’s screen\r\nAlerts: The malware can issue Android alerts with arbitrary text\r\nPush notifications: The malware can show push notifications\r\nScreen locking: The malware can lock the screen of the infected device\r\n(Partial) Automated Transfer System: The malware uses an AccessibilityService to control the infected device and perform automated payments using the targeted banking apps (still requires interaction from the C2 to initiate the process)\r\nWeb pages: The malware can show arbitrary web pages on the infected device\r\nApp removal: The malware can remove applications\r\nApp starting: The malware can start applications\r\nApp installing: The malware can install applications\r\nSMS spamming: The malware can perform SMS spam campaigns\r\nSMS sending: The malware can send SMS messages\r\nTarget list update: Actors can configure targets for overlay phishing attacks dynamically\r\nApplication listing: The malware can access the list of all installed applications and send it to the C2\r\nContact list collection: The malware can read the contact list of the infected device and send it to the C2\r\nDevice info collection: The malware can access device-related information (SIM, build info, settings) and send it to the C2\r\nAccessibility event logging: The malware uses an AccessibilityService to get a stream of events happening on the device and send it to the C2\r\nSMS forwarding: The malware can forward all incoming SMS messages to a phone number controlled by actors\r\nSMS listing: The malware can access the content of SMS messages and send it to the C2\r\nKeylogging: The malware can log the victim’s keystrokes and send them to the C2\r\nDynamic overlaying: The malware can show phishing screens to steal information. Phishing screens are retrieved from the C2\r\nAnatsa.A\r\nName: Description\r\nClipboard interaction: The malware can extract data from or insert data into the device’s clipboard\r\nApp auto-start at device boot: The malware starts automatically when the device is turned on or restarted\r\nApp termination: The malware can terminate apps\r\nPreventing removal: The malware can prevent its removal\r\nHiding the app icon: The malware can hide its icon from the application drawer\r\nFiles/pictures collection: The malware can access the file system of the infected device and upload its content to the C2\r\nAlerts: The malware can issue Android alerts with arbitrary text\r\nPush notifications: The malware can show push notifications\r\nScreen locking: The malware can lock the screen of the infected device\r\n(Partial) Automated Transfer System: The malware uses an AccessibilityService to control the infected device and perform automated payments using the targeted banking apps (still requires interaction from the C2 to initiate the process)\r\nWeb pages: The malware can show arbitrary web pages on the infected device\r\nApp removal: The malware can remove applications\r\nApp starting: The malware can start applications\r\nApp installing: The malware can install applications\r\nSMS spamming: The malware can perform SMS spam campaigns\r\nSMS sending: The malware can send SMS messages\r\nTarget list update: Actors can configure targets for overlay phishing attacks dynamically\r\nApplication listing: The malware can access the list of all installed applications and send it to the C2\r\nContact list collection: The malware can read the contact list of the infected device and send it to the C2\r\nDevice info collection: The malware can access device-related information (SIM, build info, settings) and send it to the C2\r\nAccessibility event logging: The malware uses an AccessibilityService to get a stream of events happening on the device and send it to the C2\r\nSMS forwarding: The malware can forward all incoming SMS messages to a phone number controlled by actors\r\nSMS listing: The malware can access the content of SMS messages and send it to the C2\r\nKeylogging: The malware can log the victim’s keystrokes and send them to the C2\r\nDynamic overlaying: The malware can show phishing screens to steal information. Phishing screens are retrieved from the C2\r\nGustuff.C\r\nName: Description\r\nClipboard interaction: The malware can extract data from or insert data into the device’s clipboard\r\nApp auto-start at device boot: The malware starts automatically when the device is turned on or restarted\r\nUpdatable: The malware can update itself\r\nEmulation detection: The malware can detect whether or not it is running on a real device\r\nApp termination: The malware can terminate apps\r\nPreventing removal: The malware can prevent its removal\r\nHiding the app icon: The malware can hide its icon from the application drawer\r\nSMS C2: The malware is able to receive commands using incoming text messages\r\nC2 update primary-channel: The malware can update the C2 using a new value/list of values received from the original C2\r\nAlerts: The malware can issue Android alerts with arbitrary text\r\nPush notifications: The malware can show push notifications\r\nScreen locking: The malware can lock the screen of the infected device\r\nAutomated Transfer System: The malware uses an AccessibilityService to control the infected device and perform automated payments using the targeted banking apps\r\nWeb pages: The malware can show arbitrary web pages on the infected device\r\nApp removal: The malware can remove applications\r\nApp starting: The malware can start applications\r\nApp installing: The malware can install applications\r\nSMS spamming: The malware can perform SMS spam campaigns\r\nSMS sending: The malware can send SMS messages\r\nTarget list update: Actors can configure targets for overlay phishing attacks dynamically\r\nFiles/pictures collection: The malware can access the file system of the infected device and upload its content to the C2\r\nApplication listing: The malware can access the list of all installed applications and send it to the C2\r\nContact list collection: The malware can read the contact list of the infected device and send it to the C2\r\nDevice info collection: The malware can access device-related information (SIM, build info, settings) and send it to the C2\r\nAccessibility event logging: The malware uses an AccessibilityService to get a stream of events happening on the device and send it to the C2\r\nSMS forwarding: The malware can forward all incoming SMS messages to a phone number controlled by actors\r\nSMS listing: The malware can access the content of SMS messages and send it to the C2\r\nKeylogging: The malware can log the victim’s keystrokes and send them to the C2\r\nDynamic overlaying: The malware can show phishing screens to steal information. Phishing screens are retrieved from the C2\r\nTargets\r\nAnatsa.A\r\nPackage name\r\ncom.db.pwcc.dbmobile\r\ncom.db.pbc.miabanca\r\nde.fiducia.smartphone.android.banking.vr\r\nes.ibercaja.ibercajaapp\r\ncom.bbva.bbvacontigo\r\ncom.mobileloft.alpha.droid\r\nde.commerzbanking.mobil\r\ncom.cajasur.android\r\nnet.inverline.bancosabadell.officelocator.android\r\nes.lacaixa.mobile.android.newwapicon\r\ncom.rsi\r\neu.unicreditgroup.hvbapptan\r\ncom.binance.dev\r\nes.bancosantander.apps\r\nde.sdvrz.ihb.mobile.secureapp.sparda.produktion\r\npiuk.blockchain.android\r\nde.postbank.finanzassistent\r\nes.openbank.mobile\r\nes.cm.android\r\nes.liberbank.cajasturapp\r\nde.ingdiba.bankingapp\r\nes.univia.unicajamovil\r\ncom.grupocajamar.wefferent\r\nde.santander.presentation\r\nde.comdirect.android\r\napp.wizink.es\r\ncom.coinbase.android\r\ncom.starfinanz.smob.android.sfinanzstatus\r\ncom.kutxabank.android\r\nvivid.money\r\nde.traktorpool\r\nwww.ingdirect.nativeframe\r\nGustuff.C\r\nPackage name\r\nau.com.bankwest.mobile\r\nau.com.ingdirect.android\r\nau.com.nab.mobile\r\nau.com.suncorp.SuncorpBank\r\nau.com.ubank.internetbanking\r\nbcc.org.freewallet.app\r\nbcn.org.freewallet.app\r\nbtc.org.freewallet.app\r\nbtg.org.freewallet.app\r\no.edgesecure.app\r\ncom.airbitz\r\ncom.android.vending\r\ncom.anz.android\r\ncom.anz.android.gomoney\r\ncom.arcbit.arcbit\r\ncom.barclays.android.barclaysmobilebanking\r\ncom.barclays.bca\r\ncom.bitcoin.mwallet\r\ncom.bitcoin.wallet\r\ncom.bitpay.copay\r\ncom.bitpay.wallet\r\ncom.bitpie\r\ncom.btcontract.wallet\r\ncom.circle.android\r\ncom.citibank.mobile.au\r\ncom.coinbase.android\r\ncom.coincorner.app.crypt\r\ncom.coinspace.app\r\ncom.commbank.netbank\r\ncom.cooperativebank.bank\r\ncom.grppl.android.shell.BOS\r\ncom.grppl.android.shell.CMBlloydsTSB73\r\ncom.grppl.android.shell.halifax\r\ncom.hashengineering.bitcoincash.wallet\r\ncom.kibou.bitcoin\r\ncom.kryptokit.jaxx\r\ncom.lloydsbank.businessmobile\r\ncom.moneybookers.skrillpayments\r\ncom.monitise.client.android.yorkshire\r\ncom.nearform.ptsb\r\ncom.plutus.wallet\r\ncom.qcan.mobile.bitcoin.wallet\r\ncom.rbs.mobile.android.natwest\r\ncom.rbs.mobile.android.rbs\r\ncom.westernunion.android.mtapp\r\ncom.wirex\r\ncom.xapo\r\nde.schildbach.wallet_test\r\ndistributedlab.wallet\r\neth.org.freewallet.app\r\nlt.spectrofinance.spectrocoin.android.wallet\r\nme.cryptopay.android\r\nnet.bither\r\norg.banksa.bank\r\norg.bom.bank\r\norg.electrum.electrum\r\norg.stgeorge.bank\r\norg.vikulin.etherwallet\r\norg.westpac.bank\r\npiuk.blockchain.android\r\ntsb.mobilebanking\r\nuk.co.hsbc.hsbcukbusinessbanking\r\nuk.co.hsbc.hsbcukmobilebanking\r\nuk.co.mbna.cardservices.android\r\nuk.co.metrobankonline.mobile.android.production\r\nuk.co.santander.businessUK.bb\r\nuk.co.santander.santanderUK\r\nuk.co.tescomobile.android\r\nuk.co.tsb.newmobilebank\r\nSource: https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html"
	],
	"report_names": [
		"the-rage-of-android-banking-trojans.html"
	],
	"threat_actors": [
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441444,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/493c4d7c3b0f99b8478fb11aace1bd64d26d4f0c.pdf",
		"text": "https://archive.orkl.eu/493c4d7c3b0f99b8478fb11aace1bd64d26d4f0c.txt",
		"img": "https://archive.orkl.eu/493c4d7c3b0f99b8478fb11aace1bd64d26d4f0c.jpg"
	}
}