{
	"id": "15e2d1ec-e5de-49b6-97fc-c91f4ca4aba9",
	"created_at": "2026-04-06T00:12:07.423459Z",
	"updated_at": "2026-04-10T13:11:43.253827Z",
	"deleted_at": null,
	"sha1_hash": "5211b2269e62bf8403615aeb3adce5e018b23fba",
	"title": "Released Android malware source code used to run a banking botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3478742,
	"plain_text": "Released Android malware source code used to run a banking botnet\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 19:13:32 UTC\r\nUpdate (February 23rd): Following ESET’s notice, the hosting company took the C\u0026C server down.\r\nThe new Android banking malware ESET recently discovered on Google Play was spotted in the wild again, targeting more banks. Further investigation of this resurfacing threat has uncovered that its code was built using source code that was made public a couple of months ago.\r\nThe previous version was detected by ESET as Trojan.Android/Spy.Banker.HU (version 1.1 – as marked by its author in the source code) and reported on February 6th. The malware was distributed via Google Play as a trojanized version of a legitimate weather forecast application, Good Weather. The trojan targeted 22 Turkish mobile banking apps, attempting to harvest credentials using phony login forms. Moreover, it could lock and unlock infected devices remotely, as well as intercept text messages.\r\nLast Sunday, we discovered a new version of the trojan on Google Play, masquerading as yet another legitimate weather app, this time World Weather. 
The trojan, detected by ESET as Trojan.Android/Spy.Banker.HW (version 1.2), was available in the Google Play store from February 14th until being reported by ESET and pulled from the store on February 20th.\r\nConnecting the dots\r\nThe second discovery led to another round of investigation, which delivered some interesting revelations.\r\nAs it turns out, both of these Android trojans are based on freely available source code that was made public online. Allegedly written from scratch, the “template” code of the Android malware, along with the code of the C\u0026C server – including a web control panel – has been available on a Russian forum since December 19th, 2016.\r\nhttp://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/\r\nPage 1 of 15\r\nFigure 1 – Source code of the Android malware and of the C\u0026C made public on a Russian forum\r\nSubsequent investigation brought to our attention the findings of Dr. Web, who analyzed one of the earlier variants of the malware (detected by our systems since December 26th, 2016 as Android/Spy.Banker.HH).\r\nHowever, this variant is not directly connected to those we found on Google Play, even though we detected it under the same detection name as version 1.0. We were able to confirm this after getting access to the control panel of the botnet’s C\u0026C server, which was up and running at the time of our investigation. 
Through the control panel, we were able to collect information about the malware versions of all of the 2800+ infected bots.\r\nFigure 2 – C\u0026C web control panel listing victims of the malware\r\nBelow is an overview of user groups affected by the malware, based on the botnet data listed in the C\u0026C control panel:\r\nInterestingly enough, the C\u0026C server itself, active since February 2, 2017, has been left accessible to whoever has the URL, without requiring any credentials.\r\nFigure 3 – Investigation timeline\r\nHow does it operate?\r\nThe newly detected version has essentially the same functionalities as its predecessor. 
On top of the weather forecast functionalities it adopted from the original legitimate application, Trojan.Android/Spy.Banker.HW is able to lock and unlock infected devices remotely by setting the lock screen password, and to intercept text messages. The only difference between the two appears to be a wider target group – the malware now affects users of 69 British, Austrian, German and Turkish banking apps – and a more advanced obfuscation technique.\r\nFigure 4 – The malicious app on Google Play\r\nFigure 5 – Green: legitimate World Weather icon; Red: malicious version\r\nThe trojan also has an inbuilt notification functionality, the purpose of which could only be verified after having accessed the C\u0026C server. As it turns out, the malware is able to display fake notifications on infected devices, prompting the user to launch one of the targeted banking apps on behalf of an “important message” from the respective bank. Once the user does so, malicious activity in the form of a fake login screen is triggered.\r\nFigure 6 – C\u0026C sending fake notification message to infected device\r\nFigure 7 – Fake banking app notification sent from C\u0026C\r\nHas my device been infected? 
How do I clean it?\r\nIf you have recently installed a weather app from the Play Store, you might want to check whether you have been one of the victims of this banking trojan.\r\nIn case you think you might have downloaded an app named Weather, look for it under Settings -\u003e Application Manager. If you see the app depicted in Fig. 8, and also find “System update” under Settings -\u003e Security -\u003e Device administrators (Fig. 9), your device has been infected.\r\nTo clean your device, we recommend that you turn to a mobile security solution, or you can remove the malware manually.\r\nTo manually uninstall the trojan, it is first necessary to deactivate its device administrator rights, found under Settings -\u003e Security -\u003e System update. With that done, you can uninstall the malicious app in Settings -\u003e Application Manager -\u003e Weather.\r\nFigure 8 – The trojan in Application Manager\r\nFigure 9 – Malware disguised as System update under active Device administrators\r\nHow to stay safe\r\nWhile the particular group of attackers behind this botnet chose to spread the malware through trojanized weather apps and target the banks listed at the bottom of this article, there is no guarantee the code isn’t or won’t be used elsewhere.\r\nWith that in mind, it’s good to stick to some basic principles to stay protected from mobile malware.\r\nAlthough not flawless, Google Play does employ advanced security mechanisms to keep malware out. 
As this may not be the case with alternative app stores or other unknown sources, opt for the official Google Play store whenever possible.\r\nWhile downloading from the Play store, make sure to get to know the app permissions before installing or updating. Instead of automatically giving an app the permissions it demands, consider what they mean for the app as well as your device. If anything seems out of line, read what other users write in their reviews and rethink downloading accordingly.\r\nAfter running anything you’ve installed on your mobile device, keep paying attention to what permissions and rights it requests. An app that won’t run without advanced permissions that aren’t connected to its intended function might be an app you don’t want installed on your phone.\r\nLast but not least, even if all else fails, a reputable mobile security solution will protect your device from active threats.\r\nIf you’d like to find out more about Android-based malware, look into our latest research on the topic.\r\nYou’re also welcome to stop by ESET’s stand at this year’s Mobile World Congress.\r\nSamples\r\nPackage Name Hash Detection\r\ngoodish.weather CA2250A787FAC7C6EEF6158EF48A3B6D52C6BC4B Android/Spy.Banker.HH\r\ngoodish.weather A69C9BAD3DB04D106D92FD82EF4503EA012D0DA9 Android/Spy.Banker.HU\r\nfollon.weather F533761A3A67C95DC6733B92B838380695ED1E92 Android/Spy.Banker.HW\r\nTargeted applications\r\nAndroid/Spy.Banker.HH and 
Android/Spy.Banker.HU:\r\ncom.garanti.cepsubesi\r\ncom.garanti.cepbank\r\ncom.pozitron.iscep\r\ncom.softtech.isbankasi\r\ncom.teb\r\ncom.akbank.android.apps.akbank_direkt\r\ncom.akbank.softotp\r\ncom.akbank.android.apps.akbank_direkt_tablet\r\ncom.ykb.androidtablet\r\ncom.ykb.android.mobilonay\r\ncom.finansbank.mobile.cepsube\r\nfinansbank.enpara\r\ncom.tmobtech.halkbank\r\nbiz.mobinex.android.apps.cep_sifrematik\r\ncom.vakifbank.mobile\r\ncom.ingbanktr.ingmobil\r\ncom.tmob.denizbank\r\ntr.com.sekerbilisim.mbank\r\ncom.ziraat.ziraatmobil\r\ncom.intertech.mobilemoneytransfer.activity\r\ncom.kuveytturk.mobil\r\ncom.magiclick.odeabank\r\nAndroid/Spy.Banker.HW:\r\ncom.garanti.cepsubesi\r\ncom.garanti.cepbank\r\ncom.pozitron.iscep\r\ncom.softtech.isbankasi\r\ncom.teb\r\ncom.akbank.android.apps.akbank_direkt\r\ncom.akbank.softotp\r\ncom.akbank.android.apps.akbank_direkt_tablet\r\ncom.ykb.android\r\ncom.ykb.androidtablet\r\ncom.ykb.android.mobilonay\r\ncom.finansbank.mobile.cepsube\r\nfinansbank.enpara\r\ncom.tmobtech.halkbank\r\nbiz.mobinex.android.apps.cep_sifrematik\r\ncom.vakifbank.mobile\r\ncom.ingbanktr.ingmobil\r\ncom.tmob.denizbank\r\ntr.com.sekerbilisim.mbank\r\ncom.ziraat.ziraatmobil\r\ncom.intertech.mobilemoneytransfer.activity\r\ncom.kuveytturk.mobil\r\ncom.magiclick.odeabank\r\ncom.isis_papyrus.raiffeisen_pay_eyewdg\r\nat.spardat.netbanking\r\nat.bawag.mbanking\r\nat.volksbank.volksbankmobile\r\ncom.bankaustria.android.olb\r\nat.easybank.mbanking\r\ncom.starfinanz.smob.android.sfinanzstatus\r\ncom.starfinanz.smob.android.sbanking\r\nde.fiducia.smartphone.android.banking.vr\r\ncom.db.mm.deutschebank\r\nde.postbank.finanzassistent\r\nde.commerzbanking.mobil\r\ncom.ing.diba.mbbr2\r\nde.ing_diba.kontostand\r\nde.dkb.portalapp\r\ncom.starfinanz.mobile.android.dkbpushtan\r\nde.consorsbank\r\nde.comdirect.android\r\nmobile.santander.de\r\nde.adesso.mobile.android.gad\r\ncom.grppl.android.shell.BOS\r\nuk.co.bankofscotland.businessbank\r\ncom.barclays.android.barclaysmobilebanking\r\ncom.barclays.bca\r\ncom.ie.capitalone.uk\r\ncom.monitise.client.android.clydesdale\r\ncom.monitise.coop\r\nuk.co.northernbank.android.tribank\r\ncom.firstdirect.bankingonthego\r\ncom.grppl.android.shell.halifax\r\ncom.htsu.hsbcpersonalbanking\r\ncom.hsbc.hsbcukcmb\r\ncom.grppl.android.shell.CMBlloydsTSB73\r\ncom.lloydsbank.businessmobile\r\nuk.co.metrobankonline.personal.mobile\r\nco.uk.Nationwide.Mobile\r\ncom.rbs.mobile.android.natwest\r\ncom.rbs.mobile.android.natwestbandc\r\ncom.rbs.mobile.android.rbsm\r\ncom.rbs.mobile.android.rbsbandc\r\nuk.co.santander.santanderUK\r\nuk.co.santander.businessUK.bb\r\ncom.tescobank.mobile\r\nuk.co.tsb.mobilebank\r\ncom.rbs.mobile.android.ubn\r\ncom.monitise.client.android.yorkshire\r\nSource: http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/"
	],
	"report_names": [
		"released-android-malware-source-code-used-run-banking-botnet"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434327,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5211b2269e62bf8403615aeb3adce5e018b23fba.pdf",
		"text": "https://archive.orkl.eu/5211b2269e62bf8403615aeb3adce5e018b23fba.txt",
		"img": "https://archive.orkl.eu/5211b2269e62bf8403615aeb3adce5e018b23fba.jpg"
	}
}