{
	"id": "a39a1782-20db-4dc9-bac7-4709f1b0f26e",
	"created_at": "2026-04-06T00:10:25.235448Z",
	"updated_at": "2026-04-10T03:30:32.831209Z",
	"deleted_at": null,
	"sha1_hash": "55979dfadb97a6c28eb8c09e6fef28a45877e077",
	"title": "New campaigns spread banking malware through Google Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2153471,
	"plain_text": "New campaigns spread banking malware through Google Play\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 17:26:14 UTC\r\nESET Research\r\nMobile Security\r\n21 Nov 2017 • 7 min. read\r\nThis year we have seen many different malware campaigns trying to compromise users with malicious apps distributed via Google Play. Even though these apps are often removed within days after having been reported to Google, they still manage to infect thousands of users. All apps submitted to Google Play are automatically analyzed in an effort to block malicious applications, but the latest campaigns we have seen use techniques such as legitimate applications containing malicious behavior on a timer (in this case two hours) in order to circumvent Google Play’s automated detection solutions.\r\nAcknowledgement\r\nThis article is based on joint research we have conducted with Avast and SfyLabs, who have also published their respective blog articles on the topic.\r\nhttps://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/\r\nPage 1 of 9\n\nIn October and November 2017 we ran into two new campaigns using droppers in the Play Store — the first campaign to drop the banking malware. The second campaign has recently been described on this site; we are adding some additional IoCs at the end of this blog article.\r\nThe droppers from the previous campaigns were far more sophisticated, using Accessibility Services to perform clicks in the background and enable app installation from unknown sources. This new dropper does not have such trickery and relies on the user having unknown sources already enabled. If this is not the case, the dropper will fail to install the BankBot malware, resulting in no threat to the user. If installation from unknown sources is enabled, the user will be prompted to install the BankBot malware. This malware seems to be pretty much the same as the instance Trend Micro blogged about in September.\r\nInterestingly enough, even though the Tornado FlashLight dropper (com.andrtorn.app) has been removed from Google Play, it is not detected by Google’s Play Protect. The same goes for the malware that is dropped by the dropper (com.vdn.market.plugin.upd). This means the dropper app and malware can still be installed from third-party locations and run without interference, unless the device is running suitable security software.\r\nDetailed analysis\r\nWhen the dropper is first started, it will check the installed applications against a hardcoded list of 160 apps. We’ve only been able to identify 132 of them, since the package names are not included in the dropper, but just their hashes. The list of targeted packages has remained the same since the campaign described by Trend Micro. If one or more of the targeted apps are installed when the dropper app is closed, it will start the service with dropper functionality.\r\nThe dropper will run the same check on device boot and if it succeeds it will also start the service. The service will first request administrator permissions from the user and after obtaining those it will continue to the download routine. The BankBot APK, which is the same for all dropper samples, is downloaded from hxxp://138.201.166.31/kjsdf.tmp. The download is only triggered two hours after device administrator rights have been granted to the dropper.\r\nOnce the download is completed, the dropper will try to install the APK, using the standard Android mechanism to install applications from outside the Google Play store. Besides requiring unknown sources to be already enabled, this install method requires the user to press a button to continue the installation.\r\nLooking at the name and icon of the package to install, we assume the attackers are trying to make the user think it is a Google Play update. Once the install is finished, the new APK will request device administrator rights and then the attack continues.\r\nIf installation from unknown sources is not enabled, Android will show an error message and the installation will fail.\r\nHow to prevent a successful attack?\r\nFor a user, it can be difficult to figure out whether an app is malicious. First off, it is always good only to install applications from the Google Play store, since most malware is still mainly spread through alternative stores. Second, unless you know exactly what you are doing, do not enable 'unknown sources'. If you are asked to do this by an app or someone you do not trust personally, it is most likely malware-related.\r\nBut what if you want to install an app from Google Play? For the typical user, we recommend using a security solution to catch the already detected malware that has not yet been blocked by Google. Besides installing a security solution, you can check some things yourself to decrease the risk of infection.\r\nFirst, make sure the app has many users and good reviews. Most malware will not have been in the store for a very long time and will not have a lot of users. Then, after you install the app, take note of several things: most malware will ask to become device administrator (do not give this permission, as it can be used to prevent being removed). Other malware may ask for accessibility service permission, which would enable it to simulate user interaction with the device, basically taking over the device. Another indicator is the app icon disappearing from your app drawer after the first time you start the app. The malware does this to hide itself. If this happens to you, it's probably best to back up your data and do a factory reset to make sure the malware is gone.\r\nCampaign #1\r\nIoCs\r\nDroppers\r\nName | Package name | SHA-256\r\nTornado FlashLight | com.andrtorn.app | 89f537cb4495a50b082758b34e54bd1024463176d7d2f4a445cf859f5a33e38f\r\nphxuw | com.sysdriver.andr | d93e03c833bac1a29f49fa5c3060a04298e7811e4fb0994afc05a25c24a3e6dc\r\nfaczyfut | com.sysmonitor.service | 3a3c5328347fa52383406b6d6ca31337442659ae8fafdff0972703cb49d97ac2\r\nLamp For DarkNess | com.wifimodule.sys | 138e3199d53dbbaa01db40742153775d54934433e999b9c7fcfa2fea2474ce8d\r\nzqmfsx | com.seafl.andr | c1720011300d8851bc30589063425799e4cce9bb972b3b32b6e30c21ce72b9b6\r\nDiscounter | com.sarniaps.deew | bb932ca35651624fba2820d657bb10556aba66f15c053142a5645aa8fc31bbd0\r\nDropped\r\nName | Package name | SHA-256\r\nynlfhgq | com.vdn.market.plugin.upd | 9a2149648d9f56e999bd5af599d041f00c3130fca282ec47430a3aa575a73dcd\r\nC2\r\nAll apps communicate with 138.201.166.31\r\nCampaign #2\r\nIoCs\r\nDroppers\r\nName | Package name | SHA-256\r\nXDC Cleaner | com.sdssssd.rambooster | cc32d14cea8c9ff13e95d2a83135ae4b7f4b0bd84388c718d324d559180218fd\r\nSpider Solitaire | com.jkclassic.solitaire12334 | b6f5a294d4b0bee029c2840c3354ed814d0d751d00c9c3d48603ce1f22dae8b3\r\nClassic Solitaire | com.urbanodevelop.solitaire | b98d3f4950d07f62f22b4c933416a007298f9f38bebb897be0e31e4399eb39c3\r\nSolitaire | com.jduvendc.solitaire | b98d3f4950d07f62f22b4c933416a007298f9f38bebb897be0e31e4399eb39c3\r\nDropped malware\r\nName | Package name | SHA-256\r\nxcuah | com.vdn.market.plugin.upd | 129e8d59f2e3a6f0ac4c98bfd12f9fb5d38176164ff5cf715e7e082ab33fffb6\r\nAdobe Update | com.hqzel.zgnlpufg | 3f71c21975d51e920f47f6ec6d183c1c4c875fac93ce4eacc5921ba4f01e39d3\r\nC2\r\nAll droppers communicate with 5.61.32.253. The different hostnames used are:\r\n- 88820.pro\r\n- 88881.pro\r\n- 88884.pro\r\nThe malware samples communicate with 94.130.0.119 and 31.131.21.162.\r\nTargeted apps\r\nar.nbad.emobile.android.mobilebank\r\nat.bawag.mbanking\r\nat.spardat.bcrmobile\r\nat.spardat.bcrmobile\r\nat.spardat.netbanking\r\nau.com.bankwest.mobile\r\nau.com.cua.mb\r\nau.com.ingdirect.android\r\nau.com.nab.mobile\r\nau.com.newcastlepermanent\r\nau.com.suncorp.SuncorpBank\r\nch.raiffeisen.android\r\ncom.EurobankEFG\r\ncom.adcb.bank\r\ncom.adib.mbs\r\ncom.advantage.RaiffeisenBank\r\ncom.akbank.android.apps.akbank_direkt\r\ncom.anz.SingaporeDigitalBanking\r\ncom.bankaustria.android.olb\r\ncom.bankofqueensland.boq\r\ncom.barclays.ke.mobile.android.ui\r\ncom.bbva.bbvacontigo\r\ncom.bbva.netcash\r\ncom.bendigobank.mobile\r\ncom.bmo.mobile\r\ncom.caisseepargne.android.mobilebanking\r\ncom.cajamar.Cajamar\r\ncom.cbd.mobile\r\ncom.chase.sig.android\r\ncom.cibc.android.mobi\r\ncom.citibank.mobile.au\r\ncom.clairmail.fth\r\ncom.cm_prod.bad\r\ncom.comarch.mobile\r\ncom.comarch.mobile.banking.bnpparibas\r\ncom.commbank.netbank\r\ncom.csam.icici.bank.imobile\r\ncom.csg.cs.dnmb\r\ncom.db.mm.deutschebank\r\ncom.db.mm.norisbank\r\ncom.dib.app\r\ncom.finansbank.mobile.cepsube\r\ncom.finanteq.finance.ca\r\ncom.garanti.cepsubesi\r\ncom.getingroup.mobilebanking\r\ncom.htsu.hsbcpersonalbanking\r\ncom.imb.banking2\r\ncom.infonow.bofa\r\ncom.ing.diba.mbbr2\r\ncom.ing.mobile\r\ncom.isis_papyrus.raiffeisen_pay_eyewdg\r\ncom.konylabs.capitalone\r\ncom.mobileloft.alpha.droid\r\ncom.moneybookers.skrillpayments\r\ncom.moneybookers.skrillpayments.neteller\r\ncom.palatine.android.mobilebanking.prod\r\ncom.pozitron.iscep\r\ncom.rak\r\ncom.rsi\r\ncom.sbi.SBIFreedomPlus\r\ncom.scb.breezebanking.hk\r\ncom.snapwork.hdfc\r\ncom.starfinanz.smob.android.sfinanzstatus\r\ncom.suntrust.mobilebanking\r\ncom.targo_prod.bad\r\ncom.tmobtech.halkbank\r\ncom.ubs.swidKXJ.android\r\ncom.unicredit\r\ncom.unionbank.ecommerce.mobile.android\r\ncom.usaa.mobile.android.usaa\r\ncom.usbank.mobilebanking\r\ncom.vakifbank.mobile\r\ncom.vipera.ts.starter.FGB\r\ncom.vipera.ts.starter.MashreqAE\r\ncom.wf.wellsfargomobile\r\ncom.ykb.android\r\ncom.ziraat.ziraatmobil\r\ncz.airbank.android\r\ncz.csob.smartbanking\r\ncz.sberbankcz\r\nde.comdirect.android\r\nde.commerzbanking.mobil\r\nde.direkt1822.banking\r\nde.dkb.portalapp\r\nde.fiducia.smartphone.android.banking.vr\r\nde.postbank.finanzassistent\r\nde.sdvrz.ihb.mobile.app\r\nenbd.mobilebanking\r\nes.bancosantander.apps\r\nes.cm.android\r\nes.ibercaja.ibercajaapp\r\nes.lacaixa.mobile.android.newwapicon\r\nes.univia.unicajamovil\r\neu.eleader.mobilebanking.pekao\r\neu.eleader.mobilebanking.pekao.firm\r\neu.inmite.prj.kb.mobilbank\r\neu.unicreditgroup.hvbapptan\r\nfr.banquepopulaire.cyberplus\r\nfr.creditagricole.androidapp\r\nfr.laposte.lapostemobile\r\nfr.lcl.android.customerarea\r\ngr.winbank.mobile\r\nhr.asseco.android.jimba.mUCI.ro\r\nin.co.bankofbaroda.mpassbook\r\nmay.maybank.android\r\nmbanking.NBG\r\nmobi.societegenerale.mobile.lappli\r\nmobile.santander.de\r\nnet.bnpparibas.mescomptes\r\nnet.inverline.bancosabadell.officelocator.android\r\nnz.co.anz.android.mobilebanking\r\nnz.co.asb.asbmobile\r\nnz.co.bnz.droidbanking\r\nnz.co.kiwibank.mobile\r\nnz.co.westpac\r\norg.banksa.bank\r\norg.bom.bank\r\norg.stgeorge.bank\r\norg.westpac.bank\r\npl.bzwbk.bzwbk24\r\npl.bzwbk.ibiznes24\r\npl.ipko.mobile\r\npl.mbank\r\npt.bancobpi.mobile.fiabilizacao\r\npt.cgd.caixadirecta\r\npt.novobanco.nbapp\r\nro.btrl.mobile\r\nsrc.com.idbi\r\nwit.android.bcpBankingApp.activoBank\r\nwit.android.bcpBankingApp.millennium\r\nwit.android.bcpBankingApp.millenniumPL\r\nwww.ingdirect.nativeframe\r\nSource: https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/"
	],
	"report_names": [
		"new-campaigns-spread-banking-malware-google-play"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434225,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55979dfadb97a6c28eb8c09e6fef28a45877e077.pdf",
		"text": "https://archive.orkl.eu/55979dfadb97a6c28eb8c09e6fef28a45877e077.txt",
		"img": "https://archive.orkl.eu/55979dfadb97a6c28eb8c09e6fef28a45877e077.jpg"
	}
}