{
	"id": "d612116c-e081-4940-b2e4-4f556c5f346e",
	"created_at": "2026-04-06T00:09:17.727686Z",
	"updated_at": "2026-04-10T03:30:32.916648Z",
	"deleted_at": null,
	"sha1_hash": "aa9477aa7e6601aceccda56f2dd89061228a23af",
	"title": "A Look Into The New Strain Of BankBot",
	"llm_title": "",
	"authors": "Dario Durando",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1701575,
	"plain_text": "A Look Into The New Strain Of BankBot\r\nBy Dario Durando\r\nPublished: 2017-09-19 · Archived: 2026-04-05 18:37:32 UTC\r\nIntroduction\r\nBankBot is a family of Trojan malware targeting Android devices that surfaced in the second half of 2016. Its main goal is to steal banking credentials from the victim’s device. It usually impersonates Flash Player updaters, Android system tools, or other legitimate applications. Once installed, it hides itself and then tricks the user into typing his or her credentials into fake bank web pages injected over the device’s screen.\r\nThe original code of BankBot was leaked on a Russian forum in late 2016, and you can read more about that here.\r\nOver the past few months, new strains of this infamous Android malware family have surfaced in third-party APK markets as well as in the official Google Play store. FortiGuard Labs analyzed some of them, and in this report I discuss the family’s evolution over the past 10 months.\r\nAnalysis\r\nIn most cases the application poses as a Flash Player or some kind of Android system tool. Upon installation it requests a very large number of permissions that look suspicious on their own, and the manifest shows that the application is set up to ask for even more permissions at run time.\r\nhttps://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html\r\nPage 1 of 10\r\nFigure 1: Permissions\r\nIn addition, the classes in the .dex files are usually named with random words that are connected in some way, as if they had been picked in succession from a glossary. This is the only kind of obfuscation present in the application, and it does not do a great job of it.\r\nFigure 2: Classes\r\nThis specific version of BankBot has a relatively low detection rate, at around 15-20 hits on VirusTotal.\r\n
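A triage script for the kind of manifest just described, added here as an example; it is not code from the report or from the sample. It parses a decoded AndroidManifest.xml (the form apktool produces) and flags the permissions and receivers that give a banking trojan its capabilities: SMS interception, contact and IMEI harvesting, overlays, device admin, and outgoing-call interception. The embedded manifest, the package name com.example.flashupdate and the component names are constructed for the example; the permission and intent-action strings are the real Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Qualified name of an attribute in the android: namespace."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Real Android permission names, mapped to what a banking trojan does with them.
ABUSE_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept SMS one-time passcodes",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.READ_PHONE_STATE": "read IMEI and line number",
    "android.permission.PROCESS_OUTGOING_CALLS": "see and abort outgoing calls",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays (fake login pages)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart itself after reboot",
}

# Real intent actions; a receiver listening for one of these marks a capability.
ABUSE_ACTIONS = {
    "android.app.action.DEVICE_ADMIN_ENABLED": "device-admin receiver",
    "android.intent.action.NEW_OUTGOING_CALL": "outgoing-call receiver (can cancel calls)",
    "android.provider.Telephony.SMS_RECEIVED": "incoming-SMS receiver",
}

# Constructed manifest in the shape apktool decodes; NOT the sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flash Player">
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".CallWatch">
      <intent-filter android:priority="999"><action android:name="android.intent.action.NEW_OUTGOING_CALL"/></intent-filter>
    </receiver>
    <receiver android:name=".SmsWatch">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Summarize a decoded manifest: permissions, abuse findings, device-admin use."""
    root = ET.fromstring(xml_text)
    permissions = sorted(
        el.get(_a("name")) for el in root.iter("uses-permission") if el.get(_a("name"))
    )
    findings = [(p, ABUSE_PERMISSIONS[p]) for p in permissions if p in ABUSE_PERMISSIONS]
    for action in root.iter("action"):
        name = action.get(_a("name"))
        if name in ABUSE_ACTIONS:
            findings.append((name, ABUSE_ACTIONS[name]))
    # A device-admin receiver must be protected by BIND_DEVICE_ADMIN, so that
    # attribute is a reliable marker even when the receiver class is renamed.
    device_admin = any(
        r.get(_a("permission")) == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver")
    )
    return {
        "package": root.get("package"),
        "permission_count": len(permissions),
        "device_admin_receiver": device_admin,
        "findings": findings,
    }


def is_suspicious(report):
    """Device admin + SMS interception + overlays is the BankBot combination;
    two of the three is enough to pull the sample for a closer look."""
    names = {name for name, _ in report["findings"]}
    sms = bool(names & {"android.permission.RECEIVE_SMS",
                        "android.provider.Telephony.SMS_RECEIVED"})
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in names
    return sum([report["device_admin_receiver"], sms, overlay]) >= 2


def triage_sample():
    """Run the triage over the constructed manifest above."""
    return triage_manifest(SAMPLE_MANIFEST)


if __name__ == "__main__":
    report = triage_sample()
    print(report["package"], "permissions:", report["permission_count"],
          "device admin:", report["device_admin_receiver"])
    for name, why in report["findings"]:
        print("  %-48s %s" % (name, why))
    print("suspicious:", is_suspicious(report))
```

Run it on a real decoded manifest with triage_manifest(open(path).read()). The heuristic in is_suspicious is a starting point rather than a verdict: a legitimate dialer or SMS app carries some of the same permissions, but almost none of them also register a device-admin receiver.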
That low detection rate holds despite the sample using no obfuscation at all to hide its strings or functionality.\r\nFigure 3: VirusTotal Detections\r\nFigure 4: Admin Request\r\nOnce installed, the application demands Device Admin privileges. In most cases this request is accompanied by an explanation in Turkish, which suggests that Turkey is the targeted region for this campaign.\r\nOnce these privileges have been obtained, the application hides itself by deleting its icon. It then sends device information to the C&C server, such as the IMEI, the contacts, and the SMS messages sent and received.\r\nThe application also checks whether any apps from Turkish financial institutions are installed on the device. If so, it displays a WebView, downloaded from the C&C server, containing a spoofed login page for that specific bank.\r\nFigure 5: Set WebView Injection\r\nFigure 6: Bank Apps\r\nWhile the banking apps checked vary from sample to sample, this campaign seems to be primarily targeting Turkish financial institutions, with some Russian exceptions. It is interesting to note that even when all of the targeted applications are Turkish, the two apps checked in the original version of BankBot (privatbank and ru.mw) never disappear. Apparently the authors of this campaign got a little too enthusiastic with Ctrl + C and Ctrl + V when copying code from the original malware and did not think to clean it up before repurposing it.\r\nIn fact, the code of this sample is very similar to the code leaked in December 2016, with very few modifications. The two biggest and most evident differences are these. First, the injection technique supports more than the two test applications of the published tutorial.\r\n
Second, it checks every outgoing call, comparing the dialed number against a hardcoded list of numbers.\r\nFigure 7: Telephone Number List\r\nA quick web search shows that all of the phone numbers it looks for are help-lines of Turkish financial institutions. The author of the malware made sure to hardcode multiple ways in which each number could be formatted (with and without country code, and with and without multiple leading zeros).\r\nFigure 8: Numbers Format\r\nIf the number called by the victim matches any number on the list, the application terminates the call immediately by calling setResultData(null) in its BroadcastReceiver: for the ordered outgoing-call broadcast, clearing the result data removes the number to dial, so the call never goes out and the victim cannot reach the bank’s help-line.\r\nFigure 9: Exit Call\r\nConclusion\r\nThe BankBot family has never been known for advanced code, and the new campaigns that resurface from time to time confirm that trend. That, however, is not what makes this malware a problem. The ease with which anyone can obtain and modify it to build an attack is the main reason this family remains a real threat.\r\nThe samples analyzed for this blog post ranged from three months to less than a week old, showing that this malware family is still very much alive and active.\r\nThe C&C servers used by this version of BankBot are not obfuscated, and many of them were taken down mere days after being set up. However, it seems that nearly every month a new version of this campaign hits a new country. While it does not last long, it invariably creates new victims.\r\n
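The outgoing-call check described in the Analysis section, as an added example that is not part of the original report. Rather than hardcode every spelling of each help-line the way the sample does, canonical() reduces whatever the victim dialed to its national digits, so one entry per number covers the '+90', '0090', bare '90', trunk-zero and extra-leading-zero forms; variants() generates those spellings from a canonical number, which is what the author's list amounts to. The help-line numbers below are constructed placeholders, not the ones in Figure 7, and the country code and the 7- or 10-digit national lengths are assumptions about Turkish numbering.

```python
import re

# Assumptions for this example: Turkish country code, and national numbers of
# 7 digits (444 X XXX corporate short numbers) or 10 digits (all others).
COUNTRY_CODE = "90"
NATIONAL_LENGTHS = {7, 10}


def canonical(number):
    """Reduce a dialed string to its national significant digits, or None.

    Accepts '+90 444 0 555', '0090 444 0 555', '90 4440555', '0 444 0 555',
    '000444 0 555' and '444 0 555' alike. Numbers under a foreign country
    code come back as None, since they can never be on the block list.
    """
    digits = re.sub(r"\D", "", number)          # drop +, spaces, dashes, parens
    if number.strip().startswith("+"):
        if not digits.startswith(COUNTRY_CODE):
            return None                          # '+44 ...': foreign number
        digits = digits[len(COUNTRY_CODE):]
    else:
        digits = digits.lstrip("0")              # trunk zero, '00' prefix, runaway zeros
        rest = digits[len(COUNTRY_CODE):]
        if digits.startswith(COUNTRY_CODE) and len(rest.lstrip("0")) in NATIONAL_LENGTHS:
            digits = rest                        # bare '90 ...' or '0090 ...'
    digits = digits.lstrip("0")                  # '+90 0444 ...': trunk zero after the code
    return digits if len(digits) in NATIONAL_LENGTHS else None


# Constructed placeholder help-lines (NOT the numbers from Figure 7).
HELP_LINES = {canonical(n) for n in ["444 0 555", "0850 555 0000"]}


def is_blocked(dialed):
    """The receiver's decision: True means the malware would cancel the call."""
    c = canonical(dialed)
    return c is not None and c in HELP_LINES


def variants(national):
    """The spellings the report says the author hardcoded, generated from one number."""
    return [
        national,
        "0" + national,
        "00" + national,
        COUNTRY_CODE + national,
        "+" + COUNTRY_CODE + national,
        "00" + COUNTRY_CODE + national,
    ]


if __name__ == "__main__":
    for v in variants("4440555") + ["+90 (444) 0-555", "444 0 556", "+44 20 7946 0000"]:
        print("%-18s -> %s" % (v, "BLOCKED" if is_blocked(v) else "allowed"))
```

is_blocked() is the decision the malware's receiver makes before calling setResultData(null). The same canonicalization is what a detection rule or a dialer-side allow-list should use, because a match on exact strings is bypassed by any formatting the author forgot to list.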
Over the past few months we have detected more and more obfuscated versions of BankBot lurking in third-party APK stores as well as in the official Google Play store.\r\nOur customers are protected from this threat: Fortinet detects this malware as Android/Bankbot.HH!tr and Android/Bankbot.AA!tr.\r\nFortiGuard Labs has been monitoring this family since its first appearance in 2016, and will continue to track it and share its findings as new details come to light.\r\n-= FortiGuard Lion Team =-\r\nAppendix\r\nTargeted Bank apps list\r\nru.sberbankmobile\r\nru.sberbank_sbbol\r\nru.alfabank.mobile.android\r\nru.alfabank.oavdo.amc\r\nru.mw\r\nua.privatbank.ap24\r\ncom.ziraat.ziraatmobil\r\ncom.ziraat.ziraattablet\r\ncom.tmobtech.halkbank\r\ncom.vakifbank.mobile\r\ncom.pozitron.vakifbank\r\ncom.akbank.android.apps.akbank_direkt\r\ncom.akbank.softotp\r\ncom.akbank.android.apps.akbank_direkt_tablet\r\ntr.com.sekerbilisim.mbank\r\ncom.teb\r\ncom.pozitron.iscep\r\ncom.softtech.isbankasi\r\ncom.ykb.android\r\ncom.ykb.androidtablet\r\ncom.tmob.denizbank\r\ncom.tmob.tabletdeniz\r\ncom.garanti.cepsubesi\r\nbiz.mobinex.android.apps.cep_sifrematik\r\ncom.htsu.hsbcpersonalbanking\r\ncom.ingbanktr.ingmobil\r\ncom.magiclick.odeabank\r\ncom.finansbank.mobile.cepsube\r\nfinansbank.enpara\r\ncom.pozitron.albarakaturk\r\ncom.kuveytturk.mobil\r\nIOC\r\nURLS\r\nhXXp://b1k51 dot gdn\r\nhXXp://b1j3aas dot life\r\nhXXp://wechaatt dot gdn\r\nhXXp://10as05 dot gdn\r\nhXXp://ch0ck4 dot life\r\nhXXp://fatur1s dot life\r\nhXXp://b5k31 dot gdn\r\nhXXp://erd0 dot gdn\r\nhXXp://b1v2a5 dot gdn\r\nhXXp://b1502b dot gdn\r\nhXXp://elsssee dot gdn\r\nhXXp://kvp41 dot life\r\nhXXp://servertestapi dot ltd\r\nhXXp://taxii dot gdn\r\nhXXp://p0w3r dot gdn\r\nhXXp://4r3a dot gdn\r\nHashes\r\ne5ac8b77e264c68a38be42bd16b1253b7cf96a1258444040ed6046c9096ecd08\r\n451b4cf00e36bf164b4e721d02eab366caf85690d243a539eba5a4bbd1f9e5fa\r\n48bd70850a04a26db239e47611ce7e660c2b08b2dd56d81ed7a608e2659e1d7c\r\n7960bb11e52516134774e8a262c6d78e5683ba9814015eb12b076e7d4e188c4b\r\nc5fbf3f7ddf354a99abbb7652254032d11682106d004373b509981c7a77d1bef\r\nf4db61ab1a314955e4134ec6fdcf9bd47ff8141928a1e467c052876327e4ef8b\r\nab27065953ff7329c261a27149e2ce63e9a170714df7619b011db89eb5f68069\r\n5126bd2a0e6b74178994c17102e4e18ffe1ab6f398a69225913f60eccef7a652\r\ne56acc1eedc47854c89a02b93ae5bd078e91001dd85e2c7739b649beddbee885\r\naa63ce659eb3054f00656b2a4fa4bbc14f421d7b2ccb99d333f619613d75fc8f\r\n20e838966993b73f2d65df993fb21d85ab186702a6b1732aba1ea3a98a79b22a\r\nf8de1e8ed70f77dd792035e0cdd3e5c026feece6790f6e2266f8d5f37198b8fa\r\n43c26e071d22e3e14efb669705ba9113067894e9035a051b76b3632330ef8884\r\nd7699cb3c4ec67f3cbe04701360da36622408b70b8d5ec413474d2a83b7172d9\r\na3ad2f7e3fc04db4e1c919f9df4235b8a1728ef4f4d2e5bb30905262719bbde5\r\n453ba4a1d229049b6bd415192cafda79238a4f2b1e4d1450174903284a304d33\r\nc59a2b3bdb8363d9610ed3bc5cd707ee25a2384e3e2e74bd1ad5bd16b69fa014\r\nee83ac9a851638f77693eea48ba8034c6d15e630ddb9ad19e204bfa3fe881dc6\r\n26827b3db72e07ab7649bb21b89dbb5376fcf76de1849ae41265965f80d5ecf7\r\n501e88a12be8fdba7d25472f08437308c313dd70aaeac4d162bbb6836ff4bc4a\r\n09e897341d910b44884a9e6d9d2f0bc39dcf2a50e0f35062b07c5f946e5c5b66\r\n876fa3268d5f15be13f9e6021133811062b90d6830f25b8b297be98f27d747f0\r\ne02112cf09522ee7231229dabf331bf725531945d56865416355211d45ddb849\r\n1ab4e5a08f4bf5f95b2462ee12da893851a715b5569603fb95d5f2f7bf2293de\r\n38b5f8c4ddcb2b53aaa33d19efdb6ea6e489aafa0e906da57345c3ca5f01ffa7\r\nc17cfc49391472ad0a85e0bde934bf289d1402c86cf8353ce5c9296c350a73d6\r\nef1ae5f0ed8a8216dda6ed2dec979e799bfd58fb548a8acb941407b950673ae9\r\ndb2d7ca6c1317e5697d0bc61f67bc38316888d20ee9dba32f7165bf23f177061\r\nfe26d6a0e3425d9622b2aef7c4199b0d9569f849453b12cb75ba42e5f002dd67\r\ne3b764ba2795af097efc554331bd9c8a804b5a030dfd495cc8169ce331ac5cad\r\n009220919c4ecf5e72f7be4886a454d11b951dbc488656a811cd7517ad4c0c35\r\n804fc95f250dc275e805fdabd862bcc3a2b60796915c3da575722015f64adf4e\r\n15d31751bd91ee0082f75f581f099e2f986a7c7ccc2748cdd8a0adf9320d748a\r\n8a8fe94c0e4f3fcaaf1f49aa27b13908c01a7574d31a84d55683f9cd1854d211\r\n27c4263d9030435a6f107878c0ba50998cf82d5852618b989acab9843df55d62\r\n39de72ff4b93565cd25fa303b8f17dcaabff101c138a0a5282c747d15b70053f\r\n31c33f8102669b5ffc117ebd076646cefb0ae6b7ea12d1779ebd9d64a2de70d3\r\nf532275eb109ffb5ef35ec42c5445b6e9cdaadad099c977aab8841664cdab292\r\nd2ffa12048169cf9eba113dbb47b78708e83d9b5e778276a40100617e0dbbbdc\r\nSource: https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html"
	],
	"report_names": [
		"a-look-into-the-new-strain-of-bankbot.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434157,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aa9477aa7e6601aceccda56f2dd89061228a23af.pdf",
		"text": "https://archive.orkl.eu/aa9477aa7e6601aceccda56f2dd89061228a23af.txt",
		"img": "https://archive.orkl.eu/aa9477aa7e6601aceccda56f2dd89061228a23af.jpg"
	}
}