{
	"id": "7d4fabee-4210-4971-bcd1-9f742abfab36",
	"created_at": "2026-04-06T00:13:22.103981Z",
	"updated_at": "2026-04-10T03:30:32.781727Z",
	"deleted_at": null,
	"sha1_hash": "8c6f0b320a7a58510cc61af39f8a239e75a35b0d",
	"title": "Researchers Discover New Android Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 978394,
	"plain_text": "Researchers Discover New Android Banking Trojan\r\nBy Catalin Cimpanu\r\nPublished: 2017-09-18 · Archived: 2026-04-05 14:02:34 UTC\r\nSecurity researchers have detected a new Android banking trojan by the name of Red Alert 2.0 that was developed during\r\nthe past few months and has been recently rolled out into distribution.\r\nAccording to a report shared with Bleeping Computer before publication, security researchers from SfyLabs first saw ads for\r\nthis trojan on a hacking forum for Russian-speaking criminals during the spring.\r\nDuring the past weeks, researchers have identified the first apps infected with this new threat and have tracked down C\u0026C\r\nservers used to manage the banking trojan.\r\nhttps://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/\r\nPage 1 of 5\n\nRed Alert has not made it on the Play Store (yet)\r\nAll the apps spreading Red Alert were hosted on third-party Android app stores. SfyLabs told Bleeping Computer that no\r\nRed Alert app made it on the official Google Play Store at the time of writing.\r\nWhile Red Alert is a new addition to the mobile banking scene, the trojan works similarly to past threats. The trojan waits in\r\nhiding until the user opens a banking or social media app. 
When this happens, the trojan shows an HTML-based overlay on\r\ntop of the original app, alerting the user of an error, and asking him to reauthenticate.\r\nRed Alert then collects the user's credentials and sends them to its C\u0026C server.\r\nPeople in command of Red Alert's control panel take these credentials and access their victims' bank accounts to make\r\nfraudulent transactions, or the victim's social media apps, to post spam or give surreptitious likes to other content.\r\nRed Alert also includes a feature to collect the contact lists from infected devices. In addition, to bypass two-factor\r\nauthentication and suppress any notifications, the trojan also takes over the infected phone's SMS function.\r\nAccording to a changelog in Red Alert's forum ads, the most recent feature added to the trojan's codebase is its ability to\r\nautomatically block incoming phone calls from numbers associated with banks and financial institutions.\r\nRed Alert rented on hacking forums for $500\r\nCengiz Han Sahin, CEO and founder of SfyLabs, tells Bleeping Computer that the Red Alert author is renting the trojan for\r\nthe lowly price of $500.\r\nDevelopment is also very active. \"New HTML overlays are created almost every 2 days,\" Sahin told Bleeping. 
In addition,\r\nRed Alert's author is also working on SOCKS and VNC modules that would add remote control features to infected devices,\r\nenhancing Red Alert with RAT-like features.\r\nSahin said Red Alert caught his team's eye because it's one of the few Android banking trojans that's been written from\r\nscratch in the past few years.\r\nAlmost all recent Android banking trojans such as Exobot, BankBot, or AgressiveX AndroBot, are based on malware that\r\nwas previously available on the malware market.\r\nRed Alert works on all Android versions up to 6.0\r\nSahin tells Bleeping that Red Alert can target smartphones running Android versions up to and including 6.0\r\n(Marshmallow).\r\nExperts say that Red Alert comes with support for showing HTML overlays for over 60 banking and social media apps.\r\nThe trojan doesn't seem to target users in a particular country but uses a shotgun approach, providing overlays for the most\r\nwell-known banks and financial institutions.\r\nThis random targeting is most likely because of the trojan's rental system, as Red Alert's author focuses on providing\r\nenticing features for a wide group of potential buyers.\r\nA SfyLabs blog post will be made available later today at this URL and will include a list of targeted apps and IOCs.\r\nAs always, users can avoid most Android malware by not using third-party app stores and sticking to apps only available on\r\nthe Play Store. Google's official app store may not be perfect, but it's way better than any shady Android app store.\r\nImage credits: SfyLabs\r\nSource: https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/"
	],
	"report_names": [
		"researchers-discover-new-android-banking-trojan"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434402,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c6f0b320a7a58510cc61af39f8a239e75a35b0d.pdf",
		"text": "https://archive.orkl.eu/8c6f0b320a7a58510cc61af39f8a239e75a35b0d.txt",
		"img": "https://archive.orkl.eu/8c6f0b320a7a58510cc61af39f8a239e75a35b0d.jpg"
	}
}