{
	"id": "866aaa48-e0f5-4865-adb1-a0baf443b3a5",
	"created_at": "2026-04-06T00:14:06.207028Z",
	"updated_at": "2026-04-10T03:30:33.607312Z",
	"deleted_at": null,
	"sha1_hash": "4acd5092ddb32a244bf5cdb46bc0a31096f456a8",
	"title": "Android malware that combines a Banking Trojan, Keylogger, and Ransomware in one package - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 866471,
	"plain_text": "Android malware that combines a Banking Trojan, Keylogger, and Ransomware in one package - Home\r\nBy Gajanan Khond\r\nPublished: 2018-08-17 · Archived: 2026-04-02 11:44:54 UTC\r\nThis malware has all the basic functionality of an Android banker along with additional features such as call forwarding, sound recording, keylogging and ransomware activity. It can also launch the user’s browser with a URL received from the C\u0026C server.\r\nIt repeatedly opens the accessibility settings page until the user switches ON the ‘AccessibilityService’. The AccessibilityService allows the Trojan to enable and abuse any required permission without the user’s consent.\r\nFig.1 Malicious app icon and accessibility setting page opened by malware\r\nOverlays on targeted Apps\r\nAfter the user launches one of the targeted applications, the Trojan displays a phishing login form as an overlay on that application’s window, asking the user to enter a username, password and other sensitive data.\r\nFollowing are some overlays displayed by the Trojan:\r\nhttps://blogs.quickheal.com/android-malware-combines-banking-trojan-keylogger-ransomware-one-package/\r\nPage 1 of 20\n\nFig.2 Overlay on banking Apps\r\nFig.3 Overlay on Play store and zebpay\r\nCommands and their respective features are shown in the table below.\r\nThe malware performs actions according to commands received from the C\u0026C server. 
Following list shows the commands used by the malware:\r\nCommand: Meaning\r\nSend_GO_SMS: Send SMS from the infected device\r\nnymBePsG0: Upload all numbers from the phone book to the C\u0026C server\r\nGetSWSGO: Upload all SMS to the C\u0026C server\r\ntelbookgotext: Send the SMS to all numbers saved in the infected device\r\ngetapps: Upload the list of all installed applications\r\nALERT: Show an alert whose contents are specified in the command\r\nPUSH: Show a notification whose contents are specified in the command\r\nstartAutoPush: Show a notification whose contents are set in the Trojan’s code\r\nussd: Call a USSD number from the infected device\r\nsockshost: Start server socket\r\nstopsocks5: Stop server socket\r\nrecordsound: Start sound recording\r\nreplaceurl: Replace URL panel\r\nstartapplication: Start the application specified in the command\r\nkillBot: Clear the C\u0026C server address\r\ngetkeylogger: Upload keystroke logs to the server\r\nstartrat: Start Remote Administration Tool\r\nstartforward: Start call forwarding to the number specified in the command\r\nstopforward: Stop call forwarding\r\nopenbrowser: Open URL in the browser\r\nopenactivity: Open URL in a WebView\r\ncryptokey: Encrypt all files\r\ndecryptokey: Decrypt all files\r\nTechnical analysis\r\nThe main APK file is highly obfuscated and all its strings are encrypted. It also contains junk code to make reverse engineering more difficult. The main APK contains an encrypted file, ‘image/files’, which is decrypted at runtime and drops another file, ‘app_files\\driqoy.jar’. 
Further malicious activities are performed by that file.\r\nFig.4 The main APK file code\r\nFake alert to disable Google Play Protect service\r\nIt checks whether the user’s Google Play Protect service is ON or OFF. If it is ON, it displays a fake alert asking the user to disable it, with the message “The system does not work correctly, disable Google Play Protect!”\r\nFig.5 Fake alert to disable Google Play Protect service\r\nPrevent uninstalling the malicious App\r\nIf the user tries to uninstall the application from Settings, the malware shows an alert with the message “System Error 495”.\r\nFig.6 Fake alert code\r\nFig.7 The fake alert when the user tries to uninstall\r\nTwitter used for malicious purposes\r\nThe malware uses Twitter to obtain the C\u0026C server address. It reads the encrypted server address from the specified Twitter account, taking the text that starts with \u003czero\u003e and ends with \u003c/zero\u003e.\r\nTwitter accounts used in this malware are “hxxps://twitter.com/KeremTu81270252” and “hxxps://twitter.com/JackCorne”.\r\nFig.8 Code to take the server address from Twitter\r\nFig.9 Tweet on the specified account\r\nIt encrypts and decrypts files\r\nWhenever the client receives the command “cryptokey” from the server, it encrypts all the files. All the encrypted files are renamed with the extension “.AnubisCrypt”. 
It deletes all the original files. When the client receives the command “decryptokey” from the server, it decrypts all the files.\r\nFig.10 Code for file encryption and decryption\r\nAfter it encrypts all the files, it shows the ransom screen. It locks the device screen with a WebView window that shows content received from the server. The figure below shows the htmllocker code received from the server.\r\nFig.11 HTML locker code\r\nQuick Heal detection\r\nQuick Heal successfully detects this Android Trojan as Android.Banker.L\r\nIndicator of compromise\r\nApp Name: sistemguncelle\r\nPackage name: com.qvgstiwjsndr.jktqnsyc\r\nMD5: b0ff12e875d1c32bd05dde6bb34e9805\r\nSize: 344 KB\r\nApp Name: Adobe Flash Player\r\nPackage name: com.fzuhnorsz.xgvmhdztawmg\r\nMD5: bc53a5857b1e29bef175d64fbec0c186\r\nSize: 383 KB\r\nTargeted Apps\r\nThe Trojan targets a long list of banking, payment, shopping and cryptocurrency apps (package names are listed in the original report).\r\nConclusion\r\nFor Android versions 7 and 8, previously used overlay techniques were rendered inaccessible, but malware authors have found a new way to use overlays in their banking malware. The implementation of the overlay attack abuses the Usage Access permission in order to run on all versions of the Android operating system, including the latest Android 7 and 8.\r\nTips to stay safe from Android Trojans\r\nAvoid downloading apps from third-party app stores or links provided in SMS or emails.\r\nAlways keep ‘Unknown Sources’ disabled. 
Enabling this option allows installation of apps from unknown sources.\r\nMost importantly, verify app permissions before installing any app, even from official stores such as Google Play.\r\nInstall a reliable mobile security app that can detect and block fake and malicious apps before they can infect your device.\r\nAlways keep your device OS and mobile security app up to date.\r\nSource: https://blogs.quickheal.com/android-malware-combines-banking-trojan-keylogger-ransomware-one-package/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blogs.quickheal.com/android-malware-combines-banking-trojan-keylogger-ransomware-one-package/"
	],
	"report_names": [
		"android-malware-combines-banking-trojan-keylogger-ransomware-one-package"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434446,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4acd5092ddb32a244bf5cdb46bc0a31096f456a8.pdf",
		"text": "https://archive.orkl.eu/4acd5092ddb32a244bf5cdb46bc0a31096f456a8.txt",
		"img": "https://archive.orkl.eu/4acd5092ddb32a244bf5cdb46bc0a31096f456a8.jpg"
	}
}