{
	"id": "1887e9af-1dbd-4998-ba85-a36a178af221",
	"created_at": "2026-04-06T00:13:53.660261Z",
	"updated_at": "2026-04-10T03:33:42.033524Z",
	"deleted_at": null,
	"sha1_hash": "84e84df1e9972c2810501b2e66f8a9c7ad84c36b",
	"title": "DroidBot: Insights from a new Turkish MaaS fraud operation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5417118,
	"plain_text": "DroidBot: Insights from a new Turkish MaaS fraud operation\r\nBy Simone Mattia, Alessandro Strino\r\nArchived: 2026-04-05 18:01:33 UTC\r\nKey Points\r\nIn late October 2024, the Cleafy TIR team discovered and analysed a new Android Remote Access Trojan\r\n(RAT). Upon investigation, traces of this threat were found dating back to June 2024. However, as of this\r\nwriting, no connections to any known malware families have been identified. Consequently, the team has\r\nclassified this new threat under the name DroidBot, based on a domain name leveraged by this malware.\r\nDroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like\r\ncapabilities, such as keylogging and user interface monitoring. Moreover, it leverages dual-channel\r\ncommunication, transmitting outbound data through MQTT and receiving inbound commands via HTTPS,\r\nproviding enhanced operation flexibility and resilience.\r\nAt the time of writing, DroidBot targets 77 distinct entities, including banking institutions,\r\ncryptocurrency exchanges, and national organisations. Active campaigns have been observed in countries\r\nsuch as the United Kingdom, Italy, France, Spain, and Portugal, indicating a potential expansion into\r\nLatin America.\r\nInconsistencies observed across multiple samples indicate that this malware is still under active\r\ndevelopment. These inconsistencies include placeholder functions, such as root checks, different levels of\r\nobfuscation, and multi-stage unpacking. Such variations suggest ongoing efforts to enhance the malware’s\r\neffectiveness and tailor it to specific environments.\r\nThe information retrieved within malware samples (e.g., debug strings, configuration files, etc.) makes us\r\nassume that most of its developers are Turkish speakers. 
This observation reflects, at least partially, the\r\nefforts to adapt tactics for broader geographical impact.\r\nExecutive Summary\r\nDroidBot is an advanced Android Remote Access Trojan (RAT) that combines classic hidden VNC and overlay\r\ncapabilities with features often associated with spyware. It includes a keylogger and monitoring routines that\r\nenable the interception of user interactions, making it a powerful tool for surveillance and credential theft. A\r\ndistinctive characteristic of DroidBot is its dual-channel communication mechanism: outbound data from infected\r\ndevices is transmitted using the MQTT protocol, while inbound commands, such as overlay target specifications,\r\nare received over HTTPS. This separation enhances its operational flexibility and resilience.\r\nAt the time of analysis, 77 distinct targets have been identified, including banking institutions, cryptocurrency\r\nexchanges, and national organisations, underscoring its potential for widespread impact. Notably, the threat actor\r\nbehind DroidBot has been linked to Turkey, reflecting a broader trend of adapting tactics and geographical focus.\r\nAnalysis of DroidBot samples has also revealed its Malware-as-a-Service (MaaS) infrastructure, with 17 distinct\r\naffiliate groups identified, each assigned unique identifiers. Interestingly, multiple affiliates were found to be\r\nhttps://www.cleafy.com/cleafy-labs/droidbot-insights-from-a-new-turkish-maas-fraud-operation\r\nPage 1 of 20\n\ncommunicating over the same MQTT server, suggesting that some groups may collaborate or participate in\r\ndemonstration sessions showcasing the malware’s capabilities.\r\nMoreover, DroidBot appears to be under active development. Some functions, such as root checks, exist as\r\nplaceholders and are not yet properly implemented, while other features vary between samples (e.g., obfuscation,\r\nemulator checks, multi-stage unpacking). 
These inconsistencies suggest ongoing refinement to enhance\r\nfunctionality or adapt to specific environments. Despite these developmental signs, the malware has already\r\ndemonstrated its potential, successfully targeting users in the United Kingdom, Italy, France, Spain, and\r\nPortugal, with indications of expansion into linguistically similar Latin American regions.\r\nThe combination of advanced surveillance features, dual-channel communication, a diverse target list, and an\r\nactive MaaS infrastructure highlights DroidBot’s sophistication and adaptability. As it evolves, this malware poses\r\nan escalating threat to financial institutions, government entities, and other high-value targets across multiple\r\nregions.\r\nThe following table summarises the TTPs behind DroidBot campaigns:\r\nFirst Evidence Mid-2024\r\nState Active\r\nAffected Entities Retail banking\r\nTarget OSs Android\r\nTarget Countries DE, FR, IT, TK, UK, ES, PT\r\nInfection Chain Side-loading via Social Engineering\r\nFraud Scenario On-Device Fraud (ODF)\r\nPreferred Cash-Out Data not available\r\nAmount handled (per transfer) Data not available\r\nTechnical Analysis\r\nMalicious App Overview\r\nTo lure victims into downloading and installing DroidBot, the TAs leverage common decoys frequently observed\r\nin banking malware distribution campaigns. In this case, the malware is disguised as generic security applications,\r\nGoogle services, or popular banking apps.\r\nFigure 1 - Common decoy used in DroidBot campaigns\r\nLike most modern Android banking malware, DroidBot relies heavily on abusing Accessibility Services to carry\r\nout its malicious functions. These services are typically requested during the initial stages of installation, as shown\r\nin the Figure above. 
DroidBot appears to have been developed using the B4A framework, a popular framework for\r\nnative Android applications. It’s important to note that B4A is widely used in malware developed by Brazilian\r\nTAs, such as the Brata family and its known variant CopyBara.\r\nDroidBot offers a range of functionalities commonly found in modern Android banking malware, including:\r\nSMS Interception: The malware monitors incoming SMS messages, often used by financial institutions to\r\ndeliver transaction authentication numbers (TANs), allowing attackers to bypass two-factor authentication\r\nmechanisms.\r\nKey-Logging: By exploiting Accessibility Services, DroidBot captures sensitive information displayed on\r\nthe screen or entered by the user, such as login credentials, personal data, or account balances.\r\nOverlay Attack: This approach involves displaying a fake login page over the legitimate banking\r\napplication once the victim opens it to intercept valid credentials.\r\nVNC-Like Routine: DroidBot periodically takes screenshots of the victim’s device, providing threat\r\nactors with continuous visual data that offers a real-time overview of the device's activity.\r\nScreen Interaction: Leveraging the full potential of Accessibility Services, DroidBot enables remote\r\ncontrol of the infected device. This includes executing commands to simulate user interactions such as\r\ntapping buttons, filling out forms, and navigating through applications, effectively allowing attackers to\r\noperate the device as if they were physically present.\r\nThis report will not provide an in-depth analysis of these functionalities, as they are standard features across most\r\nmodern banking trojans. Moreover, our analysis did not reveal any noteworthy innovations in their\r\n
Instead, the following sections will focus on some unique and intriguing aspects uncovered\r\nduring our investigation.\r\nExploring C2 Communication\r\nThe DroidBot banking trojan employs an unconventional Command-and-Control (C2) communication method,\r\nleveraging the MQTT (Message Queuing Telemetry Transport) protocol. This lightweight and efficient protocol,\r\ntraditionally used in IoT and real-time messaging systems, enables DroidBot to achieve seamless data exfiltration\r\nfrom infected devices.\r\nThe choice of MQTT is particularly noteworthy because its use among Android malware remains relatively rare.\r\nThe TA strategic decision facilitates efficient communication and enhances the malware's ability to evade\r\ndetection. By adopting a protocol not commonly associated with malicious activities, the operators behind\r\nDroidBot can stay under the radar of conventional security measures.\r\nDroidBot’s utilisation of MQTT reflects a growing trend in the malware landscape. Recent examples of Android\r\nbanking trojans adopting this protocol include Copybara and BRATA/AmexTroll. Originally active in Latin\r\nAmerica, these families have recently expanded their operations to Europe, demonstrating such techniques'\r\nincreasing versatility and geographical spread.\r\nDroidBot dynamically retrieves the MQTT broker's address from a remote resource to ensure resilience and\r\nmitigate takedowns. Specifically, the malware utilises a hardcoded domain within its source code to request an\r\nHTTP to a designated endpoint. This endpoint, /GETM5662, returns the broker's address.\r\nFigure 2 - Retrieving the MQTT broker domain\r\nIn earlier versions of DroidBot, this address was delivered in plain text, as shown in the previous image. However,\r\nthe TAs have recently adapted their techniques to enhance resilience and stealth. 
In the latest samples, the\r\nresponse containing the broker's address is first encrypted and then encoded in Base64 before being delivered to\r\nthe malware. Once received, the malware decodes and decrypts the address, which is used to establish a\r\nconnection to the MQTT broker.\r\nThe MQTT broker used by DroidBot is organised into specific topics that categorise the types of communication\r\nexchanged between the infected devices and the C2 infrastructure. These topics function as logical channels, each\r\ndedicated to a specific type of data or instruction, ensuring a structured and efficient flow of information. For\r\nreaders unfamiliar with the MQTT protocol, topics are hierarchical strings that organise and route messages\r\nbetween publishers (senders) and subscribers (receivers). A topic acts as an \"address\" within the broker,\r\ndetermining where a message should be delivered. In the following image, you can see a snippet from DroidBot’s\r\ndecompiled code, which reveals some of the hardcoded topics utilised by the malware.\r\nFigure 3 - Partial list of MQTT topics leveraged by DroidBot C2 communication\r\nBy compartmentalising communications in this way, the malware simplifies data handling and ensures a degree of\r\nmodularity, potentially making it easier to adapt or expand its capabilities in future updates. In fact, during our\r\nanalysis, we also identified several topics that do not appear to be actively used by the malware at this time. These\r\ninclude applicationlog, pinsave, and injectionlog.\r\nThese unused topics suggest that the TAs may have planned additional functionalities or reserved these channels\r\nfor future updates. 
This further highlights the evolving nature of DroidBot and its potential for expanded\r\nmalicious capabilities over time.\r\nTo secure its communications with the MQTT broker, DroidBot employs an encryption routine that obfuscates the\r\ntransmitted data, making it challenging to intercept or analyse without reverse engineering. The process for\r\nconstructing the communication flow is outlined in the following Figure:\r\nFigure 4 - MQTT data: encryption routine\r\nIn detail:\r\nSerialisation: The clear-text message is first serialised into a byte array using UTF-8 encoding.\r\nEncryption via XOR: The serialised byte array is passed through an XOR-based encryption routine. As\r\nshown in the code snippet, the encryption key is derived using a predefined pattern\r\n(PO0000000000000000000L), which is dynamically resized to match the length of the message. Each byte\r\nof the message is XORed with the corresponding byte of the repeated pattern, resulting in an encrypted\r\narray.\r\nCompression (zlib): The encrypted byte array is further compressed using the zlib compression algorithm.\r\nTransmission via MQTT: The resulting message is then published to the broker via MQTT.\r\nBelow is a simplified version of the decryptor code:\r\nFigure 5 - Decryptor code\r\nExploring C2 Communication\r\nDroidBot introduces a custom decryption routine to decrypt embedded strings that contain information about the\r\nC2 server and credentials for successfully connecting to the MQTT broker. The decryption routine is pretty\r\nstraightforward. However, it relies on four parameters that depend on the package name, the version and name,\r\nand an integer.\r\nFigure 6 - Decryption routine\r\nThis reflects an effort to make string decryption less straightforward. 
However, once a collection of samples has\r\nbeen gathered, an application parser will still be needed to extract all relevant information.\r\nFigure 7 - Decrypting strings\r\nAnalysing the sample, a keyword that captured our attention was injection. The developers' posts on underground\r\nforums claimed that DroidBot was equipped with an ATS (Automatic Transfer System) module that allows the app\r\nto perform a completely automated fraud against a target. However, neither the MQTT messages nor the collected\r\ninjection information revealed a proper ATS engine. We can’t exclude that this information is stored on the server\r\nand could be sent to “candidate” bots.\r\nTarget Countries\r\nInvestigating the TAs' infrastructure also enabled us to obtain the list of financial institutions targeted by these\r\ncampaigns. Analysing the nationality of the users of these institutions reveals a particular concentration in the\r\nEuropean area, with a focus on four nations: France, Italy, Spain, and Turkey.\r\nFigure 8 - Targeted Users Countries\r\nThe same results also emerge from analysing a file in the malware called security.html, which contains a security\r\npage warning users that “The application cannot be uninstalled for security reasons”. Within the code, we can see\r\nthat this information is customised for 4 main languages: English, Italian, Spanish, and Turkish.\r\nFigure 9 - Targeted Users Languages\r\nFurther investigation of the MQTT client revealed a significant number of infected French users, confirming\r\nFrance as one of the campaign's targets.\r\nExposing the Underlying MaaS Operations\r\nMalware-as-a-Service (MaaS) is a business model in the cybercrime world where malware authors offer their\r\nmalicious software and services to other cybercriminals. 
This model operates similarly to legitimate Software-as-a-Service (SaaS) platforms, where customers can subscribe to a service and access software without developing or\r\nmaintaining it themselves. The malware's creators develop and maintain the malicious software while providing it\r\nto \"affiliates\" or \"botnet operators\" who pay for access.\r\nBy examining DroidBot Command-and-Control (C2) infrastructures and malware configurations, evidence\r\nemerged suggesting the existence of a private MaaS network. This network operates with a sophisticated structure,\r\nenabling \"affiliates\" or \"botnet operators\" to access DroidBot and its advanced capabilities.\r\nAffiliates, Forums, and Offerings\r\nOur analysts successfully retrieved the initial post from a prominent Russian-speaking hacking forum, where the\r\npurported authors introduced their MaaS offering. This post, dated October 12, 2024, provides critical insights\r\ninto the approach employed by the creators of DroidBot.\r\nFigure 10 - Forum post advertising a new Android bot\r\nFrom this post, we can extract the following information:\r\n“Allegedly” experienced malware developer: the user claims to have written the bot from scratch,\r\nsignalling advanced malware development skills and experience in the field. However, the forum account\r\nused to create this post has no reputation or history within the forum, and its registration dates back only a\r\nfew months. This discrepancy could raise questions about the claimed expertise and experience.\r\nComprehensive MaaS Offering: The service package includes a crypter (used to obfuscate malware) and\r\nserver access, indicating the infrastructure to support affiliates in evading detection and running operations\r\nsmoothly.\r\nPowerful Android features, including hVNC, allow remote control of infected devices while keeping\r\nthem hidden from the victim. 
ATS (Automated Transfer System) is also included, but we found nothing\r\nrelated to the ATS routine or similar approaches during our investigation.\r\nNo restrictions against CIS countries, which could suggest that the authors do not originate from the CIS\r\nregion.\r\nIn the same forum post, the author included details of a Telegram channel for those interested in joining the group\r\nas affiliates. This channel provides additional information about DroidBot's features and the monthly subscription\r\nprice of $3000. The Threat Actors frequently share screenshots of specific details within the Command-and-Control (C2) panel, offering potential affiliates a glimpse of its capabilities.\r\nFigure 11 - Contents from the official Telegram channel\r\nSharing screenshots with affiliates or potential members is common, especially within private groups. However,\r\nthere is always a risk of unintentionally revealing sensitive information. In one particular instance, a shared\r\nscreenshot inadvertently included the date, time, and weather information, which can be crucial in tracing the\r\noperators' origins.\r\nFigure 12 - Extracting details from a screenshot\r\nThe operating system language was set to Turkish, and the weather details matched conditions in certain regions\r\nof Turkey on that specific day, such as the capital city of Ankara.\r\nAnother compelling insight gathered from the Telegram channel, which further links the group to Turkey, is the\r\npublication of a specific link on November 22, 2024. 
The link's message simply stated, \"Problem with server,\" as\r\nshown in the screenshot below.\r\nFigure 13 - Alert from TR-CERT\r\nThe link directs to an alert issued by TR-CERT Usom (https://www.usom.gov.tr/), the Computer Emergency\r\nResponse Team of the Republic of Türkiye. In this alert, as seen in the screenshot, one of the primary domains\r\nused by the group (dr0id[.]best) has been flagged as malicious and identified as a potential threat to the financial\r\nsector.\r\nThe domain dr0id[.]best revealed some interesting data when we analyzed the associated infrastructure and its\r\nDNS records. According to the related subdomains found and the malware configurations extracted from\r\nmultiple samples, this domain seems potentially associated with a private MaaS operation (Malware-as-a-Service).\r\nFigure 14 - Extracting affiliates from DroidBot configuration\r\nWe reconstructed the following list of 17 affiliates/botnets, reported in the “IOCs Appendix”.\r\nA closer look into one botnet\r\nOur analysts successfully intercepted traffic from a specific botnet associated with DroidBot on an active MQTT\r\nbroker, which remained operational for several days. Leveraging the MQTT protocol’s real-time nature, we could\r\naccess and decrypt the live stream of botnet communications. 
This allowed us to extract valuable insights and\r\nstatistics regarding the botnet's size and geographical distribution.\r\nFigure 15 - Decrypted MQTT communication\r\nBelow, we present key metrics derived from this analysis:\r\nMetric | Value | Description\r\nTotal unique device IDs | 776 | The total number of distinct infected devices identified within the botnet.\r\nCountries affected | UK, Italy, France, Turkey, Germany | The countries from which infected devices connected to the MQTT broker.\r\nMost affected country | UK | The country with the highest number of infected devices.\r\nDroidBot C2 panel\r\nOur analysts obtained visibility into the associated C2 web panel where TAs can manage their botnet. The\r\nfollowing page, for example, provides the TAs with a simple interface for interacting with a specific infected\r\ndevice, giving the ability to:\r\nCollect valid banking credentials via injections (Overlay Attack).\r\nInteract with phone calls by forcing a hang-up or redirecting a specific call to a different number.\r\nAccess the device remotely via VNC capabilities (with the support of a “blank-screen” for masquerading\r\nthe malicious activities).\r\nSend fake push notifications.\r\nRetrieve data (e.g., SMS messages, data intercepted via keylogger) and more.\r\nFigure 16 - DroidBot C2 panel\r\nThe C2 panel also includes a builder. A builder is a tool attackers use to generate customized malware versions\r\nautomatically. It allows modification of key settings, like the command-and-control (C2) server or specific\r\nfeatures, to create unique malware builds.\r\nThe builder is especially valuable in a MaaS operation because it allows multiple affiliates to create personalized\r\nmalware builds. 
Affiliates can adjust configurations, adding flexibility in distribution while keeping their attacks\r\nunique. This significantly boosts the scalability and reach of the malware, as each affiliate can generate distinct\r\nversions, making detection and defense more difficult for intelligence teams.\r\nFigure 17 - DroidBot builder\r\nConclusion\r\nThe malware presented here may not shine from a technical standpoint, as it is quite similar to known malware\r\nfamilies. However, what really stands out is its operational model, which closely resembles a Malware-as-a-Service (MaaS) scheme, something not commonly seen in this type of threat. If we recall significant cases such\r\nas Sharkbot, Copybara, or the more recent Toxic Panda, the infrastructure, code, and campaign planning were all\r\nhandled \"in-house.\" DroidBot, on the other hand, introduces a well-known but not widely spread paradigm in the\r\nmobile threat landscape. As mentioned earlier, while the technical sophistication is not especially high, the real point of\r\nconcern lies in this new model of distribution and affiliation, which would elevate the monitoring of the attack\r\nsurface to a whole new level. This could be a critical point, as changing the scale of such an important data set\r\ncould significantly increase the cognitive load. 
If not efficiently supported by a real-time monitoring system, this\r\ncould severely overwhelm anti-fraud teams within financial institutions.\r\nAppendix\r\nIOCs\r\nDroidBot samples:\r\nHash App name\r\nfe8d76ba13491c952f7dd1399a7ebf3c Chrome\r\n2ce47ed9653a9d1e8ad7174831b3b01b Chrome\r\ne6f248c93534d91e51fb079963c4b786 Google Play Store\r\n0137a72f0cb49a73e13b30c91845d42d Chrome\r\n2f66f5bb7d3e8267b01cf1edfbf7384e e-ifade\r\nC2 servers:\r\nDomains\r\ndr0id[.]best\r\nk358a192.ala.dedicated.aws.emqxcloud[.]com\r\nie721f2d.ala.dedicated.aws.emqxcloud[.]com\r\nAffiliates/botnets:\r\nNames\r\nclient0\r\nzoouzz\r\nazzouz\r\nantrax\r\nmalankov\r\nbaykpriv\r\ngiulloit\r\nmars\r\nterror\r\ngaspar\r\nro\r\nbayk\r\nrustbridge\r\nturkfriend\r\npussy1, pussy2, pussy3, pussy4, etc.\r\nrustbridge2\r\ncms12\r\nMalware Target Apps\r\nDisclaimer: In our standard TLP:WHITE reports, we typically refrain from publishing detailed lists of targeted\r\napplications. Such information is often shared separately with financial CERTs through TLP:AMBER reports to\r\nfacilitate timely distribution to associated financial institutions.\r\nHowever, we have made the list of targeted applications publicly available in this case. This decision was based on\r\nthe campaign's nature, which is not highly targeted but instead affects a broad range of mobile applications,\r\nincluding many of the most widely recognized banking institutions. 
The goal is to enhance awareness and promote\r\nswift detection and mitigation across the financial sector.\r\nPackage Names\r\ncom.arkea.android.application.cmb com.axabanque.fr\r\ncom.bancocajasocial.geolocation com.bankinter.launcher\r\ncom.bbva.bbvacontigo com.binance.dev\r\ncom.boursorama.android.clients com.caisseepargne.android.mobilebanking\r\ncom.cajasur.android com.cic_prod.bad\r\ncom.cm_prod.bad com.CredemMobile\r\ncom.fullsix.android.labanquepostale.accountaccess com.grupocajamar.wefferent\r\ncom.kraken.trade com.kubi.kucoin\r\ncom.kutxabank.android com.latuabancaperandroid\r\ncom.lynxspa.bancopopolare com.mediolanum.android.fullbanca\r\ncom.mootwin.natixis com.ocito.cdn.activity.banquelaydernier\r\ncom.ocito.cdn.activity.creditdunord com.okinc.okcoin.intl\r\ncom.okinc.okex.gp co.mona.android\r\ncom.rsi com.sella.BancaSella\r\ncom.targoes_prod.bad com.tecnocom.cajalaboral\r\ncom.unicredit com.vipera.chebanca\r\ncom.wrx.wazirx es.bancosantander.apps\r\nes.caixagalicia.activamovil es.caixaontinyent.caixaontinyentapp\r\nes.cecabank.ealia2103appstore es.evobanco.bancamovil\r\nes.ibercaja.ibercajaapp es.lacaixa.mobile.android.newwapicon\r\nes.openbank.mobile es.pibank.customers\r\nes.santander.Criptocalculadora fr.banquepopulaire.cyberplus\r\nfr.bred.fr fr.creditagricole.androidapp\r\nfr.lcl.android.customerarea io.metamask\r\nit.bcc.iccrea.mycartabcc it.bnl.apps.banking\r\nit.carige it.copergmps.rt.pf.android.sp.bmps\r\nit.creval.bancaperta it.icbpi.mobile\r\nit.nogood.container it.popso.SCRIGNOapp\r\nmobi.societegenerale.mobile.lappli net.bnpparibas.mescomptes\r\nnet.inverline.bancosabadell.officelocator.android posteitaliane.posteapp.appbpol\r\nposteitaliane.posteapp.apppostepay www.ingdirect.nativeframe\r\ncom.garanti.cepsubesi tr.gov.turkiye.edevlet.kapisi\r\ncom.ykb.android com.ziraat.ziraatmobil\r\ncom.pttfinans 
com.fibabanka.Fibabanka.mobile\r\ncom.pozitron.iscep com.mobillium.papara\r\ncom.vakifbank.mobile com.ingbanktr.ingmobil\r\nfinansbank.enpara com.denizbank.mobildeniz\r\ntr.com.sekerbilisim.mbank com.finansbank.mobile.cepsube\r\ncom.tmobtech.halkbank\r\nSource: https://www.cleafy.com/cleafy-labs/droidbot-insights-from-a-new-turkish-maas-fraud-operation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cleafy.com/cleafy-labs/droidbot-insights-from-a-new-turkish-maas-fraud-operation"
	],
	"report_names": [
		"droidbot-insights-from-a-new-turkish-maas-fraud-operation"
	],
	"threat_actors": [
		{
			"id": "01cb49a1-0a16-4280-ac15-426622877833",
			"created_at": "2023-01-06T13:46:38.348049Z",
			"updated_at": "2026-04-10T02:00:02.937065Z",
			"deleted_at": null,
			"main_name": "TOXIC PANDA",
			"aliases": [],
			"source_name": "MISPGALAXY:TOXIC PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ee57f028-b843-4066-b3fb-fd95377f25a4",
			"created_at": "2022-10-25T16:07:23.284554Z",
			"updated_at": "2026-04-10T02:00:04.518724Z",
			"deleted_at": null,
			"main_name": "Toxic Panda",
			"aliases": [],
			"source_name": "ETDA:Toxic Panda",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434433,
	"ts_updated_at": 1775792022,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84e84df1e9972c2810501b2e66f8a9c7ad84c36b.pdf",
		"text": "https://archive.orkl.eu/84e84df1e9972c2810501b2e66f8a9c7ad84c36b.txt",
		"img": "https://archive.orkl.eu/84e84df1e9972c2810501b2e66f8a9c7ad84c36b.jpg"
	}
}