Android malware that combines a Banking Trojan, Keylogger, and Ransomware in one package
By Gajanan Khond
Published: 2018-08-17 · Archived: 2026-04-02 11:44:54 UTC

This malware has all the basic functionality of an Android banker along with additional features such as call forwarding, sound recording, keylogging and ransomware activity. It can launch the user's browser with a URL received from the C&C server. It repeatedly opens the accessibility settings page until the user switches ON the 'AccessibilityService'. The AccessibilityService allows the Trojan to enable and abuse any permission it requires without the user's consent.

Fig.1 Malicious app icon and accessibility setting page opened by malware

Overlays on targeted Apps

When the user launches one of the targeted applications, the Trojan displays a phishing login form as an overlay on top of that application's window, asking the user to enter a username, password and other sensitive data. Following are some overlays displayed by the Trojan:

https://blogs.quickheal.com/android-malware-combines-banking-trojan-keylogger-ransomware-one-package/ Page 1 of 20

Fig.2 Overlay on banking Apps
Fig.3 Overlay on Play store and zebpay

Commands and respective features

Commands and their respective features are shown in the table below. The malware performs activity according to commands received from the C&C server.
The following table lists the commands used by the malware:

Command           Meaning
----------------  ----------------------------------------------------------------
Send_GO_SMS       Send SMS from the infected device
nymBePsG0         Upload all numbers from the phone book to the C&C server
GetSWSGO          Upload all SMS to the C&C server
telbookgotext     Send the SMS to all numbers saved in the infected device
getapps           Upload the list of all installed applications
ALERT             Show an alert whose contents are specified in the command
PUSH              Show a notification whose contents are specified in the command
startAutoPush     Show a notification whose contents are set in the Trojan's code
ussd              Call a USSD number from the infected device
sockshost         Start server socket
stopsocks5        Stop server socket
recordsound       Start recording sound
replaceurl        Replace panel URL
startapplication  Start the application specified in the command
killBot           Clear the C&C server address
getkeylogger      Upload keystroke logs to the server
startrat          Start Remote Administration Tool
startforward      Start call forwarding to the number specified in the command
stopforward       Stop call forwarding
openbrowser       Open URL in the browser
openactivity      Open URL in a WebView
cryptokey         Encrypt all files
decryptokey       Decrypt all files

Technical analysis

The main APK file is highly obfuscated and all strings are encrypted. It also contains extra junk code to make reverse engineering more difficult. The main APK contains an encrypted file, 'image/files'. This file is decrypted at runtime and drops another file, 'app_files\driqoy.jar', which carries out the further malicious activity.

Fig.4 The main APK file code

Fake alert to disable Google Play Protect service

It checks whether the user's Google Play Protect service is ON or OFF.
If it is ON, it displays a fake alert asking the user to disable it, with the message "The system does not work correctly, disable Google Play Protect!"

Fig.5 Fake alert to disable Google Play Protect service

Prevent from uninstalling the malicious App

If the user goes to uninstall the application from Settings, the malware shows an alert with the message "System Error 495".

Fig.6 Fake alert code
Fig.7 The fake alert when user tries to uninstall

Used Twitter for malicious purpose

The malware author uses Twitter to distribute the C&C server address. The malware reads the encrypted server address from a tweet on a specified Twitter account, taking the text between a fixed start marker and a fixed end marker. The Twitter accounts used by this malware are "hxxps://twitter.com/KeremTu81270252" and "hxxps://twitter.com/JackCorne".

Fig.8 Code to take server address from twitter
Fig.9 Tweet on the specified account

It Encrypts and Decrypts the files

Whenever the client receives the command "cryptokey" from the server, it encrypts all the files. Each encrypted file is renamed with the extension ".AnubisCrypt" and the original file is deleted. When the client receives the command "decryptokey" from the server, it decrypts all the files.

Fig.10 Code for files Encryption and Decryption

After it has encrypted all the files, it shows the ransom screen. It locks the device's screen with a WebView window that displays content received from the server. The figure below shows the HTML locker code received from the server.
Fig.11 HTML locker code

Quick Heal detection

Quick Heal successfully detects this Android Trojan as Android.Banker.L

Indicators of compromise

App Name: sistemguncelle
Package name: com.qvgstiwjsndr.jktqnsyc
MD5: b0ff12e875d1c32bd05dde6bb34e9805
Size: 344 KB

App Name: Adobe Flash Player
Package name: com.fzuhnorsz.xgvmhdztawmg
MD5: bc53a5857b1e29bef175d64fbec0c186
Size: 383 KB

Targeted Apps

com.csam.icici.bank.imobile
com.snapwork.hdfc
hdfcbank.hdfcquickbank
com.sbi.SBIFreedomPlus
com.axis.mobile
org.bom.bank
com.idbi.mpassbook
com.amazon.mShop.android.shopping
com.paypal.android.p2pmobile
com.mobikwik_new
com.ebay.mobile
zebpay.Application
pl.ideabank.mobilebanking
wos.com.zebpay
at.easybank.mbanking
at.bawag.mbanking
com.idbibank.abhay_card
src.com.idbi
com.citibank.mobile.au
com.citibank.mobile.uk
ru.sberbank.mobileoffice
com.grppl.android.shell.BOS
ru.sberbank.spasibo
com.bitcoin.ss.zebpayindia
com.comarch.security.mobilebanking
pl.pkobp.ipkobiznes
com.coins.ful.bit
com.bbva.bbvacontigo
com.quickmobile.anzirevents15
com.bankinter.launcher
com.scotiabank.mobile
pl.ing.mojeing
com.portfolio.coinbase_tracker
com.oxigen.oxigenwallet
finansbank.enpara.sirketim
au.com.ingdirect.android
com.fusion.ATMLocator
de.comdirect.android
de.fiducia.smartphone.android.banking.vr
com.usbank.mobilebanking
com.phyder.engage
pl.allegro
com.isis_papyrus.raiffeisen_pay_eyewdg
com.vakifbank.mobile
com.empik.empikapp
com.crypter.cryptocyrrency
es.bancosantander.apps
com.localbitcoins.exchange
com.garanti.cepbank
com.commbank.netbank
com.cibc.android.mobi
ccom.tmob.denizbank
tr.com.sekerbilisim.mbank
com.barclays.android.barclaysmobilebanking
com.thunkable.android.santoshmehta364.UNOCOIN_LIVE
com.rbs.mobile.investisir
info.blockchain.merchant
com.coins.bit.local
pl.millennium.corpApp
com.yinzcam.facilities.verizon
org.banksa.bank
it.volksbank.android
com.ziraat.ziraatmobil
pl.bph
me.doubledutch.hvdnz.cbnationalconference2016
wit.android.bcpBankingApp.millenniumPL
com.imb.banking2
com.unionbank.ecommerce.mobile.commercial.legacy
eu.eleader.mobilebanking.pekao
com.dbs.hk.dbsmbanking
ru.alfabank.oavdo.amc
nz.co.bnz.droidbanking
com.kutxabank.android
com.clairmail.fth
may.maybank.android
jp.co.aeonbank.android.passbook
eu.inmite.prj.kb.mobilbank
cz.sberbankcz
fr.banquepopulaire.cyberplus
pl.mbank
com.idamob.tinkoff.android
pl.fmbank.smart
com.scb.breezebanking.hk
pl.ceneo
pl.bzwbk.ibiznes24
eu.newfrontier.iBanking.mobile.Halk.Retail
com.bankofamerica.cashpromobile
com.magiclick.odeabank
com.akbank.android.apps.akbank_direkt_tablet_20
hr.asseco.android.jimba.mUCI.ro
at.psa.app.bawag
com.starfinanz.smob.android.sfinanzstatus
com.cleverlance.csas.servis24
com.DijitalSahne.EnYakinHalkbank
com.bawagpsk.securityapp
in.co.bankofbaroda.mpassbook
com.ifs.banking.fiid4202
com.usaa.mobile.android.usaa
au.com.mebank.banking
nz.co.anz.android.mobilebanking
com.citi.citimobile
fr.lcl.android.customerarea
com.rbs.mobile.android.natwest
ru.sberbank.sberbankir
com.akbank.android.apps.akbank_direkt_tablet
hk.com.hsbc.hsbchkmobilebanking
com.pozitron.vakifbank
it.secservizi.mobile.atime.bpaa
ru.alfabank.mobile.android
de.schildbach.wallet
jp.co.rakuten_bank.rakutenbank
com.htsu.hsbcpersonalbanking
pl.orange.mojeorange
com.garanti.cepsubesi
com.anz.android
com.bmo.mobile
com.matriksmobile.android.ziraatTrader
com.magiclick.FinansPOS
sk.sporoapps.accounts
ru.bm.mbm
pl.bzwbk.bzwbk24
com.tmob.tabletdeniz
pl.bzwbk.mobile.tab.bzwbk24
com.grppl.android.shell.CMBlloydsTSB73
com.matriksdata.finansyatirim
at.spardat.netbanking
ru.alfabank.sense
com.ing.diba.mbbr2
com.blockfolio.blockfolio
at.easybank.securityapp
com.getingroup.mobilebanking
com.ideomobile.hapoalim
com.moneybookers.skrillpayments.neteller
com.bbva.netcash
com.coin.profit
com.db.mm.deutschebank
jp.co.netbk
com.mtel.androidbea
com.caisseepargne.android.mobilebanking
fr.axa.monaxa
fr.laposte.lapostetablet
com.bankaustria.android.olb
com.cba.android.netbank
com.binance.odapplications
com.anzspot.mobile
org.westpac.banknz.co.westpac
com.cm_prod.epasal
jp.mufg.bk.applisp.app
com.akbank.android.apps.akbank_direkt
com.empik.empikfoto
sk.sporoapps.skener
com.rbc.mobile.android
com.tecnocom.cajalaboral
ru.vtb24.mobilebanking.android
au.com.bankwest.mobile
nz.co.kiwibank.mobile
cz.airbank.android
com.grppl.android.shell.halifax
com.fragment.akbank
jp.co.smbc.direct
com.pozitron.albarakaturk
com.barclays.ke.mobile.android.ui
ro.btrl.mobile
com.kuveytturk.mobil
com.edsoftapps.mycoinsvalue
ru.sberbankmobile
com.moneybookers.skrillpayments
com.bssys.VTBClient
com.rbs.mobile.android.natwestoffshore
pl.com.rossmann.centauros
au.com.suncorp.SuncorpBank
com.cm_prod.bad
fr.creditagricole.androidapp
com.jackpf.blockchainsearch
com.ykb.android
com.finanteq.finance.ca
com.rbs.mobile.android.rbs
de.postbank.finanzassistent
com.binance.dev
eu.eleader.mobilebanking.raiffeisen
pl.pkobp.iko
com.btcturk
com.rbs.mobile.android.rbsbandc
com.pozitron.iscep
com.localbitcoinsmbapp
com.ing.mobile
com.ziraat.ziraattablet
com.bankia.wallet
com.anz.SingaporeDigitalBanking
com.crowdcompass.appSQ0QACAcYJ
de.fiducia.smartphone.android.securego.vr
pl.bps.bankowoscmobilna
com.anz.android.gomoney
at.easybank.tablet
pl.bosbank.mobile
com.ykb.android.mobilonay
mobi.societegenerale.mobile.lappli
nz.co.westpac
es.cm.android.tablet
com.boursorama.android.clients
finansbank.enpara
com.wf.wellsfargomobile.tablet
com.teb
com.garantibank.cepsubesiro
com.unocoin.unocoinwallet
com.arubanetworks.atmanz
at.volksbank.volksbankmobile
com.starfinanz.mobile.android.pushtan
com.rsi
com.konylabs.capitalone
com.amazon.windowshop
de.commerzbanking.mobil
es.lacaixa.mobile.android.newwapicon
com.unionbank.ecommerce.mobile.android
com.aff.otpdirekt
ru.tcsbank.c2c
com.orangefinanse
uk.co.bankofscotland.businessbank
org.stgeorge.bank
com.finansbank.mobile.cepsube
piuk.blockchain.android
fr.laposte.lapostemobile
ru.mw
com.infrasofttech.indianBank
de.dkb.portalapp
com.matriksdata.ziraatyatirim.pad
io.getdelta.android
mobile.santander.de
com.bbva.bbvawallet
com.cm_prod.nosactus
alior.bankingapp.android
com.fi6122.godough
com.wellsFargo.ceomobile
com.ykb.androidtablet
com.vakifbank.mobilel
com.entersekt.authapp.sparkasse
com.rbs.mobile.android.natwestbandc
com.td
com.kryptokit.jaxx
com.bankofqueensland.boq
tr.com.tradesoft.tradingsystem.gtpmobile.halk
com.mobillium.papara
com.vipera.ts.starter.QNB
com.orangefinansek
com.monitise.isbankmoscow
au.com.newcastlepermanent
com.tmobtech.halkbank
com.snapwork.IDBI
cz.csob.smartbanking
com.coinbase.android
es.cm.android
org.westpac.bank
com.MobileTreeApp
au.com.nab.mobile
au.com.cua.mb
com.yurtdisi.iscep
es.bancopopular.nbmpopular
com.rbs.mobile.android.ubr
com.garantiyatirim.fx
com.vtb.mobilebank
com.bendigobank.mobile
com.softtech.isbankasi
com.thunkable.android.manirana54.LocalBitCoins
de.consorsbank
pl.aliorbank.aib
com.palatine.android.mobilebanking.prod
es.evobanco.bancamovil
ru.tinkoff.sme
com.comarch.mobile.banking.bgzbnpparibas.biznes
com.de.dkb.portalapp
com.advantage.RaiffeisenBank
com.tmob.denizbank
com.thunkable.android.manirana54.LocalBitCoins_unblock
com.FubonMobileClient
eu.eleader.mobilebanking.pekao.firm
com.mal.saul.coinmarketcap
ru.tinkoff.goabroad
ru.alfadirect.app
com.SifrebazCep
com.sovereign.santander
com.infonow.bofa
com.softtech.iscek
uk.co.santander.businessUK.bb
eu.eleader.mobilebanking.invest
net.bnpparibas.mescomptes
com.akbank.softotp
com.redrockdigimark
com.unocoin.unocoinmerchantPoS
com.hangseng.rbmobile
MyING.be
com.cm_prod_tablet.bad
com.bssys.vtb.mobileclient
ru.tinkoff.mgp
com.ykb.avm
pl.ipko.mobile
jp.co.sevenbank.AppPassbook
com.jamalabbasii1998.localbitcoin
at.spardat.bcrmobile
com.veripark.ykbaz
uk.co.santander.santanderUK
com.wf.wellsfargomobile
ru.sberbank_sbbol
com.starfinanz.smob.android.sfinanzstatus.tablet
com.chase.sig.android
nz.co.asb.asbmobile
biz.mobinex.android.apps.cep_sifrematik
com.tnx.apps.coinportfolio
com.santander.app
by.st.alfa
com.starfinanz.smob.android.sbanking
com.suntrust.mobilebanking

Conclusion

On Android 7 and 8 the previously used overlay techniques were rendered inaccessible, but malware authors have found a new way to use overlays in their banking malware. This implementation of the overlay attack abuses the Usage Access permission in order to run on all versions of the Android operating system, including the latest Android 7 and 8.
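The behaviour described in this write-up leaves static traces an analyst can triage before any dynamic analysis: an accessibility service (used to self-grant permissions), the overlay permission, the Usage Access permission named in the conclusion, and an encrypted asset such as 'image/files' that is only decrypted at runtime. The following script is an added example, not code from the original post or from Quick Heal. It assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool); the sample manifest, the weights and the in-memory "APK" are constructed for the example, and the entropy threshold is a heuristic rather than a published rule.

```python
"""Static triage heuristics for a suspected Android banker (added example).
Assumes a manifest already decoded to plain XML; all inputs are constructed."""
import io
import math
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the capabilities in the write-up; weights are this
# example's own heuristic, not a published scoring scheme.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay windows (phishing forms)", 3),
    "android.permission.PACKAGE_USAGE_STATS": ("Usage Access (foreground app detection)", 3),
    "android.permission.SEND_SMS": ("send SMS", 2),
    "android.permission.READ_SMS": ("read SMS", 2),
    "android.permission.READ_CONTACTS": ("phone book upload", 1),
    "android.permission.RECORD_AUDIO": ("sound recording", 2),
    "android.permission.CALL_PHONE": ("USSD / call forwarding", 2),
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def manifest_findings(manifest_xml):
    """Return (score, [finding strings]) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    score, findings = 0, []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in RISKY_PERMISSIONS:
            desc, weight = RISKY_PERMISSIONS[name]
            score += weight
            findings.append(f"{name}: {desc}")
    # An accessibility service is a <service> protected by
    # BIND_ACCESSIBILITY_SERVICE; a banking or utility app rarely needs one.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION:
            score += 4
            findings.append(f"accessibility service: {svc.get(ANDROID_NS + 'name')}")
    return score, findings


def shannon_entropy(data):
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_entries(apk_bytes, threshold=7.5, min_size=1024):
    """Names of zip entries whose content looks encrypted, like the
    'image/files' asset that the main APK decrypts at runtime."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            # dex, resource tables and PNGs are dense by nature; skip them here
            if info.filename.endswith((".dex", ".arsc", ".png")):
                continue
            data = zf.read(info)
            if len(data) >= min_size and shannon_entropy(data) >= threshold:
                flagged.append(info.filename)
    return flagged


# --- constructed sample inputs (not taken from the real sample) -------------
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".MonitorService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def build_sample_apk():
    """Minimal zip standing in for an APK: a flat-spectrum (8.0 bits/byte)
    entry named like the malware's encrypted payload plus a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("image/files", bytes(range(256)) * 16)          # entropy 8.0
        zf.writestr("assets/notes.txt", b"plain text asset " * 100)  # low entropy
    return buf.getvalue()


if __name__ == "__main__":
    print(manifest_findings(SAMPLE_MANIFEST))
    print("high-entropy entries:", high_entropy_entries(build_sample_apk()))
```

A real APK's manifest is binary AXML, so run `manifest_findings` on the apktool output, and feed `high_entropy_entries` the APK itself; an accessibility service plus SYSTEM_ALERT_WINDOW plus an encrypted blob outside the dex is the combination this family relies on and is worth a manual look even when no signature fires.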
Tips to stay safe from Android Trojans

Avoid downloading apps from third-party app stores or from links provided in SMS or emails.
Always keep 'Unknown Sources' disabled. Enabling this option allows installation of apps from unknown sources.
Most importantly, verify app permissions before installing any app, even from official stores such as Google Play.
Install a reliable mobile security app that can detect and block fake and malicious apps before they can infect your device.
Always keep your device OS and mobile security app up to date.

Source: https://blogs.quickheal.com/android-malware-combines-banking-trojan-keylogger-ransomware-one-package/
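For responders who need to check devices against the indicators of compromise above, the following script is an added example, not code from the original post or from Quick Heal. It matches a package inventory (the output of `adb shell pm list packages`) against the two IoC package names, hashes files against the two MD5 values, lists which of the targeted apps are installed next to a known-bad package, and walks a directory for files carrying the ".AnubisCrypt" extension. The package names, hashes, extension and targeted-app names come from the write-up; the inventory text, the directory contents and the small targeted-app subset are constructed for the example.

```python
"""IoC checks for the Android banker described above (added example).
Indicator values come from the write-up; sample inputs are constructed."""
import hashlib
import os
import tempfile

IOC_PACKAGES = {
    "com.qvgstiwjsndr.jktqnsyc": "sistemguncelle",
    "com.fzuhnorsz.xgvmhdztawmg": "Adobe Flash Player",
}
IOC_MD5 = {
    "b0ff12e875d1c32bd05dde6bb34e9805",
    "bc53a5857b1e29bef175d64fbec0c186",
}
# A small subset of the targeted application list from the write-up.
TARGETED = {
    "com.csam.icici.bank.imobile", "com.paypal.android.p2pmobile",
    "zebpay.Application", "com.coinbase.android", "com.chase.sig.android",
}
RANSOM_EXT = ".AnubisCrypt"


def parse_pm_list(output):
    """Parse `adb shell pm list packages` output ('package:<name>' per line)."""
    return {line.strip()[len("package:"):]
            for line in output.splitlines() if line.strip().startswith("package:")}


def triage_packages(installed):
    """Return (known-bad packages found, targeted apps at risk on that device)."""
    bad = {p: IOC_PACKAGES[p] for p in installed if p in IOC_PACKAGES}
    at_risk = sorted(installed & TARGETED) if bad else []
    return bad, at_risk


def md5_matches(path, chunk=1 << 16):
    """Stream a file through MD5 and compare against the IoC hashes."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest() in IOC_MD5


def find_encrypted_files(root):
    """Walk a tree for files renamed with the ransomware extension."""
    hits = []
    for dirpath, _, files in os.walk(root):
        hits.extend(os.path.join(dirpath, n) for n in files if n.endswith(RANSOM_EXT))
    return sorted(hits)


# --- constructed sample inventory (not captured from a real device) ---------
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.csam.icici.bank.imobile
package:com.fzuhnorsz.xgvmhdztawmg
package:com.coinbase.android
"""


def demo():
    """Run all checks on constructed data; returns the findings for inspection."""
    installed = parse_pm_list(SAMPLE_PM_OUTPUT)
    bad, at_risk = triage_packages(installed)
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "DCIM"))
        with open(os.path.join(tmp, "DCIM", "IMG_0001.jpg" + RANSOM_EXT), "wb") as f:
            f.write(b"constructed ciphertext stand-in")
        with open(os.path.join(tmp, "readme.txt"), "wb") as f:
            f.write(b"untouched file")
        encrypted = [os.path.relpath(p, tmp) for p in find_encrypted_files(tmp)]
        hash_hit = md5_matches(os.path.join(tmp, "readme.txt"))
    return bad, at_risk, encrypted, hash_hit


if __name__ == "__main__":
    bad, at_risk, encrypted, hash_hit = demo()
    print("known-bad packages:", bad)
    print("targeted apps present alongside it:", at_risk)
    print("files with ransomware extension:", encrypted)
    print("IoC hash match on readme.txt:", hash_hit)
```

On a real device, pull the inventory with `adb shell pm list packages` and the suspect APK with `adb pull` before hashing it; a hit on either IoC package, or any file ending in ".AnubisCrypt", is grounds to treat every credential entered into the listed banking apps on that device as exposed.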