{
	"id": "5a886bb4-9ff3-435f-a9c3-b78796465980",
	"created_at": "2026-04-06T00:22:38.149821Z",
	"updated_at": "2026-04-10T13:12:34.451166Z",
	"deleted_at": null,
	"sha1_hash": "6ea9a4fe6a2ee2b2c40c38ac8a0a1aa804ef4c34",
	"title": "TsarBot Trojan Hits 750+ Banking \u0026 Crypto Apps!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2087771,
	"plain_text": "TsarBot Trojan Hits 750+ Banking \u0026 Crypto Apps!\r\nPublished: 2025-03-28 · Archived: 2026-04-05 17:51:18 UTC\r\nTsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications\r\nTsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance,\r\nand Cryptocurrency Applications\r\nCyble analyzes TsarBot, a newly identified Android banking Trojan that employs overlay attacks to target over 750\r\nbanking, financial, and cryptocurrency applications worldwide.\r\nKey Takeaways\r\nA new Android Banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance,\r\ncryptocurrency, and e-commerce apps.\r\nTsarBot spreads via phishing sites masquerading as legitimate financial platforms and is installed through a\r\ndropper disguised as Google Play Services.\r\nIt uses overlay attacks to steal banking credentials, credit card details, and login credentials by displaying\r\nfake login pages over legitimate apps.\r\nTsarBot can record and remotely control the screen, executing fraud by simulating user actions such as\r\nswiping, tapping, and entering credentials while hiding malicious activities using a black overlay screen.\r\nIt captures device lock credentials using a fake lock screen to gain full control.\r\nTsarBot communicates with its C\u0026C server using WebSocket across multiple ports to receive commands,\r\nsend stolen data, and dynamically execute on-device fraud.\r\nOverview\r\nCyble Research and Intelligence Labs (CRIL) discovered a new Android banking trojan that uses an overlay attack\r\nto target over 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications, across multiple regions.\r\nWhile the malware mainly utilizes overlay attacks to steal credentials, it also carries out various other malicious\r\nactions. 
It can record and remotely control the screen, letting attackers monitor and manipulate the device. It also performs lock grabbing, keylogging, and SMS interception.\r\nThe analyzed samples belong to a newly discovered banking trojan that we are tracking internally as “TsarBot,” a name chosen because of the threat actor’s suspected Russian origin. During the investigation, we found multiple Russian-language log entries in the malicious application, which suggests that a Russian-speaking threat actor developed the malware.\r\nhttps://cyble.com/blog/tsarbot-using-overlay-attacks-targeting-bfsi-sector/\r\nPage 1 of 14\n\nFigure 1 – Logs in the Russian Language\r\nTsarBot has been observed spreading through a phishing site that impersonates the official Photon Sol website. The phishing site offers a download option for an application to start trading, an option the legitimate website does not have.\r\nThe following phishing sites impersonate legitimate entities and distribute dropper applications that, once installed on the targeted device, deploy TsarBot:\r\nhxxps://solphoton[.]io\r\nhxxps://solphoton[.]app\r\nhxxps://cashraven[.]online\r\nFigure 2 – Phishing site distributing TsarBot\r\nFigure 3 – Phishing site distributing TsarBot\r\nTechnical Details\r\nAs noted above, the phishing site delivers a dropper application that stores the TsarBot APK, implant.apk, in its “res/raw” folder. 
The dropper uses a session-based package installer (the Android PackageInstaller session API) to deploy the TsarBot malware on the device.\r\nFigure 4 – Dropper installing TsarBot\r\nTsarBot disguises itself as the Google Play Services app and does not display a launcher icon. After installation, it shows a fake Google Play Services update page that prompts the user to enable Accessibility services.\r\nFigure 5 – Malware prompting victims to enable Accessibility services\r\nWebSocket Connection\r\nOnce the victim enables the Accessibility service, the malware opens WebSocket connections to the C\u0026C server “hxxp://95.181[.]173.76” on four ports:\r\n9001 – receives commands\r\n9002 – sends captured screen content\r\n9004 – receives a second set of commands\r\n9030 – sends stolen data to the server\r\nTsarBot can receive various commands from the server, mostly related to screen control, which let it carry out on-device fraud.\r\nCommands received on port 9001\r\nCommand | Description\r\nREQUEST_CAPTURE | Prompts for screen capture permission and starts screen recording\r\nCLICK_DESCRIPTION | Clicks the on-screen element with the given content description\r\nCLICK_TEXT | Clicks the on-screen element with the given text\r\nSWIPE_RIGHT | Performs a swipe-right gesture\r\nTAP | Taps the screen\r\nBACK | Performs the Back action\r\nHOME | Goes to the home screen\r\nRECENT_APPS | Opens the recent apps screen\r\nCLICK_NEAR_TEXT | Clicks the button near the given text\r\nCLICK_INDEX | Selects the clickable node at the given index and clicks it\r\nZOOM_IN | Zooms in on the screen\r\nTAP_COORDINATES | Taps the given screen coordinates\r\nSWIPE_UP | Performs a swipe-up gesture\r\nSWIPE_DOWN | Performs a swipe-down gesture\r\nSWIPE_LEFT | Performs a swipe-left gesture\r\nLAUNCH_APP | Launches an app\r\nZOOM_OUT | Zooms out on the screen\r\nCommands received on port 9004\r\nCommand | Description\r\nclick_by_text | Clicks the element matching the given text\r\nstop_sending_tree | Stops sending keylogs\r\nswipe_up | Performs a swipe-up gesture\r\ntap | Performs a tap gesture\r\nhome | Goes to the home screen\r\nhide_black_overlay | Removes the black overlay from the screen\r\nswipe_down | Performs a swipe-down gesture\r\nswipe_left | Performs a swipe-left gesture\r\nshow_black_overlay | Displays a black overlay on the screen\r\nswipe_right | Performs a swipe-right gesture\r\nrecents | Opens the recent apps screen\r\nstart_sending_tree | Starts sending keylogs\r\npaste_text | Pastes text into the focused edit field\r\nScreen Recording\r\nAs the command table shows, when TsarBot receives the “REQUEST_CAPTURE” command it prompts the user to grant screen capture permission. Once granted, the malware starts its screen capture service and streams the captured screen content to the C\u0026C server over the WebSocket connection on port 9002.\r\nFigure 6 – Screen capture service\r\nBy capturing the screen and executing server-issued screen control commands, TsarBot can carry out fraudulent transactions on the device while hiding the activity behind a black overlay screen.\r\nLock Grabber\r\nTsarBot includes a LockTypeDetector feature that determines the device’s lock type through the Accessibility service. It looks for specific on-screen text or content descriptions, such as “PIN area,” “Device password,” or a pattern view, to identify the lock method. 
Once identified, it saves the lock type for later use in lock-grabbing operations.\r\nFigure 7 – Lock type detection code\r\nWhen TsarBot receives the “USER_PRESENT” broadcast for the first time (sent when the device has just been unlocked), it loads a fake lock screen matching the detected lock type from “hxxps://xdjhgfgjh[.]run/injects/htmlPIN/android.PinCode.html” (Passcode and Pattern variants are hosted alongside it) and captures the user’s lock password, PIN, or pattern.\r\nFigure 8 – Malware loading fake lock screen\r\nOverlay Attack\r\nTsarBot connects to “hxxps://xdjhgfgjh[.]run/injects/ServiceName.txt” to retrieve a list of targeted application package names. Most belong to banking apps from various regions, including France, Poland, the UK, India, the UAE, and Australia. The remaining package names belong to e-commerce, social media, messaging, cryptocurrency, and other categories.\r\nFigure 9 – TsarBot receiving the target application package names\r\nTsarBot enumerates the applications installed on the infected device and compares them against the package names received from the server, keeping the intersection as its target list for overlay attacks.\r\nFigure 10 – Malware comparing the installed application package names with the target list received from the server\r\nWhen the victim opens an application, TsarBot checks its package name against the maintained target list. If the application is on the list, the malware retrieves the corresponding injection page from “hxxps://xdjhgfgjh[.]run/injects/html/{packagename}.html” and loads it into a WebView drawn over the legitimate app.\r\nFigure 11 – Creating an overlay window on top of the targeted application\r\nThe injection page mimics the legitimate application, tricking users into entering sensitive information such as net banking credentials, login details, and credit card information. The figure below shows the injection pages for one of the target applications.\r\nFigure 12 – Injection page for Indian Bank prompting to enter login and credit card details\r\nThe data entered into the injection phishing pages is sent to the C\u0026C server over port 9030. After transmitting the stolen information, TsarBot removes the targeted application’s package name from the list so that the overlay is not triggered again for the same app.\r\nFigure 13 – Sends collected login and credit card information from overlay activity to the C\u0026C server\r\nFigure 14 – Removing application package name from target list\r\nThe image below shows the injection pages used by TsarBot to trick victims into submitting sensitive information while attempting to access genuine applications.\r\nFigure 15 – Injection pages for different applications\r\nConclusion\r\nTsarBot is yet another addition to the growing list of Android banking trojans, relying on familiar but effective tactics such as overlay attacks, screen recording, and lock grabbing. By abusing Accessibility services and WebSocket communication, it enables on-device fraud while keeping a low profile. 
With its ability to target over 750 applications across multiple sectors, TsarBot underscores the persistent threat posed by banking malware. Users should exercise caution when installing apps, avoid untrusted sources, and remain vigilant against phishing sites distributing such threats.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that readers follow the practices below:\r\nDownload and install software only from official application stores, such as the Google Play Store or the iOS App Store.\r\nUse a reputable antivirus and internet security package on all connected devices, including personal computers, laptops, and mobile devices.\r\nUse strong passwords and enable multi-factor authentication wherever feasible.\r\nEnable biometric security features, such as fingerprint or facial recognition, for unlocking mobile devices where available.\r\nBe cautious when opening links received via SMS or email on your mobile device.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe judicious when granting permissions to applications, in particular Accessibility and screen capture permissions requested by apps that have no legitimate need for them.\r\nKeep devices, operating systems, and applications updated. 
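To make the indicators published at the end of this report directly usable in a SOC, the following Python script is an added example written for this archive entry; it is not code from Cyble's report or from the malware. It refangs the defanged IOCs as they are listed on this page (hxxps and [.] notation), then scans constructed Zeek-style conn.log records for flows to the C\u0026C address on the four WebSocket ports described in the WebSocket Connection section, scans constructed DNS query records for the phishing and inject-hosting domains and their subdomains, and classifies APK SHA256 hashes against the dropper and payload hash sets. The sample records are made up for the example, and the log column layouts are assumptions.

```python
# Added example for this archived copy of the TsarBot report; not code from Cyble or
# from the malware. It refangs the indicators the report publishes and matches them
# against constructed sample telemetry. The log layouts (Zeek-style conn.log columns,
# a simple DNS query log) are assumptions of the example.

C2_IP_DEFANGED = '95.181.173[.]76'
# Port roles as described in the WebSocket Connection section.
C2_PORTS = {9001: 'command channel', 9002: 'screen capture upload',
            9004: 'second command channel', 9030: 'stolen data upload'}

DEFANGED_URLS = [
    'hxxps://solphoton[.]io/',
    'hxxps://solphoton[.]app/',
    'hxxps://cashraven[.]online/',
    'hxxps://xdjhgfgjh[.]run/injects/ServiceName[.]txt',
    'hxxps://xdjhgfgjh[.]run/injects/htmlPIN/android[.]PinCode[.]html',
]
DROPPER_SHA256 = {
    '13c30f24504cb83c8f90747a51aebc0f8fb7ed8c41fb87419b7300376cfbd7f2',
    '1a41ae507d6f67385e2e10f106cedf80632f1eb42b864e722ad4c2e0d2b91aca',
    '291f807cc1d9a26a04da128f3de6d136fd0974a66c38694d0559ca884bd0d359',
    '2c4574fb07eb254e845eb86f76d8e353d13d671ba71b6e79c1e55485664d666c',
}
TSARBOT_SHA256 = {
    '8d2e3f46c71ba5f3dcb4e7a0359693765bf4d8e0152ad82906c42d9f7573c88f',
    '73a6ae8331cd01dd59b8c526df2a90771dcf9d74048dc7ea51d75a3beacbd95b',
    '0e8569ec252caf58f72c43358472f22786cd32685d23c882b4b2e38409cf2e47',
    '957df5b8998780c50ee630ad70926bdd4ee83748ee89c3a7916e8eace9b95d88',
}

def refang(value):
    '''Undo common defanging: hxxp(s) -> http(s), [.] -> ., [:] -> :.'''
    value = value.replace('[.]', '.').replace('[:]', ':')
    if value.lower().startswith('hxxp'):
        value = 'http' + value[4:]
    return value

def host_of(url):
    '''Lower-cased host part of a refanged URL (no scheme, path or port).'''
    rest = url.split('://', 1)[1] if '://' in url else url
    return rest.split('/', 1)[0].split(':', 1)[0].lower()

C2_ADDR = refang(C2_IP_DEFANGED)
BAD_HOSTS = {host_of(refang(u)) for u in DEFANGED_URLS}

def scan_conn(lines):
    '''Assumed conn.log layout: ts uid src_ip src_port dst_ip dst_port proto.
    Every flow to the C2 address is reported; an unlisted port still needs triage.'''
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 7 or f[4] != C2_ADDR:
            continue
        dport = int(f[5])
        hits.append((f[2], dport, C2_PORTS.get(dport, 'unlisted port')))
    return hits

def scan_dns(lines):
    '''Assumed DNS log layout: ts client_ip query. Flags the phishing and
    inject-hosting domains and any subdomain of them.'''
    hits = []
    for line in lines:
        f = line.split()
        if len(f) < 3:
            continue
        q = f[2].rstrip('.').lower()
        if q in BAD_HOSTS or any(q.endswith('.' + h) for h in BAD_HOSTS):
            hits.append((f[1], q))
    return hits

def classify_hash(sha256):
    '''Map an APK SHA256 to the report's dropper or TsarBot payload hash sets.'''
    s = sha256.strip().lower()
    if s in DROPPER_SHA256:
        return 'dropper'
    if s in TSARBOT_SHA256:
        return 'tsarbot'
    return None

# Constructed sample records for the example, not from a real incident.
SAMPLE_CONN = '''
1711600000.1 CAb1 10.0.0.5 51000 95.181.173.76 9001 tcp
1711600001.2 CAb2 10.0.0.5 51001 95.181.173.76 9030 tcp
1711600002.3 CAb3 10.0.0.7 44000 142.250.80.46 443 tcp
1711600003.4 CAb4 10.0.0.9 44001 95.181.173.76 443 tcp
'''.strip().splitlines()
SAMPLE_DNS = '''
1711600000 10.0.0.5 solphoton.io.
1711600001 10.0.0.5 www.cashraven.online
1711600002 10.0.0.7 play.google.com
1711600003 10.0.0.9 xdjhgfgjh.run
'''.strip().splitlines()

if __name__ == '__main__':
    print(scan_conn(SAMPLE_CONN))
    print(scan_dns(SAMPLE_DNS))
    print(classify_hash('8d2e3f46c71ba5f3dcb4e7a0359693765bf4d8e0152ad82906c42d9f7573c88f'))
```

A flow to the C\u0026C address on a port outside the four listed is still reported, tagged as an unlisted port: operators can move ports, and the address is the stronger indicator. The reverse is deliberately not done: 9001, 9002, 9004 and 9030 alone, without the address, are too common to alert on.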
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Procedure\r\nInitial Access (TA0027) | Phishing (T1660) | Malware is distributed via phishing sites\r\nPersistence (TA0028) | Event-Triggered Execution: Broadcast Receivers (T1624.001) | TsarBot listens for the BOOT_COMPLETED intent to launch automatically after the device restarts\r\nDefense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware pretends to be a genuine application (Google Play Services)\r\nDiscovery (TA0032) | Application Discovery (T1418) | Collects the installed application package list to identify targets\r\nDefense Evasion (TA0030) | Hide Artifacts: Suppress Application Icon (T1628.001) | Hides the application icon\r\nDefense Evasion (TA0030) | Input Injection (T1516) | Mimics user interaction, performs clicks and gestures, and inputs data\r\nCredential Access (TA0031) | Input Capture: Keylogging (T1417.001) | Collects credentials via keylogging\r\nCollection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Collects SMS messages\r\nCollection (TA0035) | Screen Capture (T1513) | Records the screen using MediaProjection\r\nCommand and Control (TA0037) | Application Layer Protocol: Web Protocols (T1437.001) | TsarBot uses HTTP-based WebSocket connections to communicate with the C\u0026C server\r\nExfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Stolen data is sent over the C\u0026C channel\r\nIndicators of Compromise (IOCs)\r\nIndicator | Type | Description\r\n13c30f24504cb83c8f90747a51aebc0f8fb7ed8c41fb87419b7300376cfbd7f2 | SHA256 | Dropper\r\n1a41ae507d6f67385e2e10f106cedf80632f1eb42b864e722ad4c2e0d2b91aca | SHA256 | Dropper\r\n291f807cc1d9a26a04da128f3de6d136fd0974a66c38694d0559ca884bd0d359 | SHA256 | Dropper\r\n2c4574fb07eb254e845eb86f76d8e353d13d671ba71b6e79c1e55485664d666c | SHA256 | Dropper\r\n8d2e3f46c71ba5f3dcb4e7a0359693765bf4d8e0152ad82906c42d9f7573c88f | SHA256 | TsarBot\r\n73a6ae8331cd01dd59b8c526df2a90771dcf9d74048dc7ea51d75a3beacbd95b | SHA256 | TsarBot\r\n0e8569ec252caf58f72c43358472f22786cd32685d23c882b4b2e38409cf2e47 | SHA256 | TsarBot\r\n957df5b8998780c50ee630ad70926bdd4ee83748ee89c3a7916e8eace9b95d88 | SHA256 | TsarBot\r\nhxxps://cashraven[.]online/ | URL | Phishing site\r\nhxxps://solphoton[.]app/ | URL | Phishing site\r\nhxxps://solphoton[.]io/ | URL | Phishing site\r\nhxxps://solphoton[.]io/PhotonSol.apk | URL | Malware distribution URL\r\nhxxps://cashraven[.]online/CashRaven.apk | URL | Malware distribution URL\r\n95.181.173[.]76 | IP | C\u0026C server\r\nhxxps://xdjhgfgjh[.]run/injects/ServiceName[.]txt | URL | Target package name list\r\nhxxps://xdjhgfgjh[.]run/injects/html/ | URL | Hosts overlay injection pages\r\nhxxps://xdjhgfgjh[.]run/injects/htmlPIN/android[.]Passcode[.]html | URL | Fake lock screen injection (password)\r\nhxxps://xdjhgfgjh[.]run/injects/htmlPIN/android[.]Pattern[.]html | URL | Fake lock screen injection (pattern)\r\nhxxps://xdjhgfgjh[.]run/injects/htmlPIN/android[.]PinCode[.]html | URL | Fake lock screen injection (PIN)\r\nSource: https://cyble.com/blog/tsarbot-using-overlay-attacks-targeting-bfsi-sector/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyble.com/blog/tsarbot-using-overlay-attacks-targeting-bfsi-sector/"
	],
	"report_names": [
		"tsarbot-using-overlay-attacks-targeting-bfsi-sector"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434958,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ea9a4fe6a2ee2b2c40c38ac8a0a1aa804ef4c34.pdf",
		"text": "https://archive.orkl.eu/6ea9a4fe6a2ee2b2c40c38ac8a0a1aa804ef4c34.txt",
		"img": "https://archive.orkl.eu/6ea9a4fe6a2ee2b2c40c38ac8a0a1aa804ef4c34.jpg"
	}
}