{
	"id": "763a545f-5f31-4f9b-a74c-8192b0693b26",
	"created_at": "2026-04-06T00:19:59.892087Z",
	"updated_at": "2026-04-10T13:11:35.921804Z",
	"deleted_at": null,
	"sha1_hash": "b1a5da63a4a1fa9005e4191c103d0d93cf8913ab",
	"title": "Aberebot: New Banking Trojan Targets Users Via Phishing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2806394,
	"plain_text": "Aberebot: New Banking Trojan Targets Users Via Phishing\r\nPublished: 2021-07-30 · Archived: 2026-04-05 20:13:08 UTC\r\nUpdate: The Threat Actor is now actively working on the next version of the malware. We will continue to track the actor for any further updates.\r\nAberebot malware author discussing the new version of the malware on a cybercrime forum after Cyble reversed their malware and published findings.\r\nDuring Cyble’s routine Open-Source Intelligence (OSINT) research, we came across a malware sample posted by a researcher on Twitter. The malware is a new banking trojan variant named Aberebot that steals sensitive information from infected devices. This variant shares similar behavioral patterns with other banking Trojans such as Cerberus. In addition to these similarities, the trojan also steals credentials using phishing, targeting customers of 140+ banks in 18 countries.\r\nAccording to an investigation conducted by the Cyble Research Labs, the Threat Actor (TA) behind Aberebot is using GitHub to store the phishing pages, because adding the webpages to the APK would drastically increase the file size.\r\nWe suspect that the TAs are targeting users via a range of vectors such as phishing campaigns or third-party app stores. Additionally, in this case we found the malicious Trojan app masquerading as the legitimate Google Chrome app.\r\nTechnical Analysis\r\nAPK Metadata Information:\r\nApp Name: Chrome\r\nPackage Name: com.example.autoclicker\r\nSHA256 Hash: 8bef7b86043f758a775a9cf4080f5b87d50df4778d03ecd94989f98cc5c91e75\r\nhttps://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/\r\nPage 1 of 11\r\nFigure 1: APK Information of the Malware Sample Analyzed\r\nThe malicious app requests 10 permissions in the manifest file. Out of these, 7 are dangerous and are listed in Table 1.
\r\nPermission Name  Description\r\nandroid.permission.READ_CONTACTS  Access to phone contacts\r\nandroid.permission.READ_SMS  Access SMS data\r\nandroid.permission.RECEIVE_MMS  Receive and process MMSes\r\nandroid.permission.RECEIVE_SMS  Receive and process SMSes\r\nandroid.permission.SEND_SMS  Send SMSes\r\nandroid.permission.WRITE_SMS  Modify/write the SMS data stored in the device\r\nandroid.permission.BIND_ACCESSIBILITY_SERVICE  Monitor device screen activities\r\nTable 1: Permissions Requested by the Trojan\r\nOnce the user enables the permissions listed in Table 1, the malware can steal information such as contacts, OTPs, credentials, etc., that are available on the infected device.\r\nDuring our static analysis, we identified the entry point classes of the Trojan. The two classes which can be used to start the trojan are:\r\n1. com.example.autoclicker.MainActivity: This class is launched when the user clicks on the icon of the malicious Chrome app.\r\n2. com.example.autoclicker.SmsReceiver: This class is initiated when the victim’s device receives an SMS/MMS.\r\nAnalyzing from the entry points, we observed that the Trojan uses an obfuscation technique to hinder Reverse Engineering (RE) and to avoid detection. It also uses special characters for class names to make RE more complex. In addition, this app has multiple encrypted strings in various parts of the code, as shown in Figure 2.\r\nFigure 2: Code with Encrypted Strings\r\nBy going through the malware’s obfuscated code, we found that it uses a combination of Advanced Encryption Standard (AES) and string operations for encryption.\r\nAES is a symmetric block cipher that uses a key to encrypt/decrypt the data. In this case, the app uses different keys for decrypting suspicious encrypted strings.
Some of these keys are shown in the code below.\r\nFigure 3: Code to Invoke Decryption Function with the Key\r\nFigure 4 showcases the decryption code used by the Aberebot Trojan.\r\nFigure 4: Code for the Decryption Function\r\nUpon decrypting the strings, we found several suspicious strings such as URLs, commands, etc., as shown in Table 2.\r\nhxxps://api.telegram[.]org/bot1900116382:AAHdStvE0Pr4vI7ZEHj5BdFJAlCOvaovRRY/getUpdates\r\nhxxps://api.telegram.org/bot1900116382:AAHdStvE0Pr4vI7ZEHj5BdFJAlCOvaovRRY/sendMessage?chat_id=-561929911\u0026text=\r\nhxxps://github.com/yutronsayshi/aberebot234/raw/main/\r\nContacts%0A————–%0A\r\n%0ABanking Apps%0A——————–%0A\r\nit_it.bnl.apps.banking.html\r\nCom.unocoin.unocoinwallet.html\r\nTable 2: Subset of suspicious strings after decryption\r\nAs per our analysis, we found that the Trojan constantly communicates with a Command and Control (C\u0026C) server hosted on a Telegram bot account.\r\nWe also observed that the app steals information based on the commands from the Telegram bot. The Aberebot Trojan receives commands from the URL: hxxps://api.telegram[.]org/bot1900116382:AAHdStvE0Pr4vI7ZEHj5BdFJAlCOvaovRRY/getUpdates\r\nData is sent as a message to the Telegram bot using the URL: hxxps://api.telegram[.]org/bot1900116382:AAHdStvE0Pr4vI7ZEHj5BdFJAlCOvaovRRY/sendMessage?chat_id=-561929911\u0026text=\r\nThe trojan then proceeds to perform malicious activities based on the C\u0026C server commands. Some of the malicious activities that Aberebot is capable of performing are listed below.\r\nMalicious Capabilities:\r\n1. Collecting contact information from the device: The code used to collect contact data on the victim’s device is shown in the figure below.
\r\nFigure 4: Code for the Decryption Function\r\nThe contact data is uploaded with the tag: Contacts%0A————–%0A\r\n2. Intercepting OTP: The malware is capable of receiving SMSes and uploading the ones that contain numbers, as shown below.\r\nFigure 6: Code to Collect OTPs from SMSes Received\r\nOTP data upload tag: New SMS Received!%0ABOT ID:\r\n3. Collecting the list of installed applications from the device\r\n4. Sending SMS messages to numbers as per the TA’s commands, as shown in Figure 7.\r\nFigure 7: Code to Send SMS Messages Based on the TA’s Commands\r\n5. Stealing credentials of social media accounts and banking portals from the victim device.\r\n6. Monitoring the victim device by leveraging the BIND_ACCESSIBILITY_SERVICE permission\r\nBIND_ACCESSIBILITY_SERVICE is a permission that allows Aberebot to monitor the device’s screen.\r\nTechniques used to steal credentials of social media and banking accounts:\r\nThe banking Trojan uses phishing pages to steal credentials. The malware author has stored the phishing pages as HTML in a GitHub repository: hxxps://github.com/yutronsayshi/aberebot234/raw/main/\r\nFigure 8: GitHub repo with Fake webpages\r\nThe malware checks the geolocation of the device and then downloads fake HTML pages based on it. Based on the command from the C\u0026C server, it shows the counterfeit HTML content in a WebView.\r\nWebView is a view used by Android to display web pages inside applications.\r\nThe figure below depicts the code used to show the HTML content using WebView.\r\nFigure 9: Code to display fake page using WebView\r\nUpon analyzing the HTML pages, we observed that the credentials are uploaded to the C\u0026C server in Telegram.
The figure below shows the Gmail phishing page and the credential upload code.\r\nFigure 10: Fake Gmail page and code to send credentials\r\nAbusing the BIND_ACCESSIBILITY_SERVICE permission:\r\nOnce the BIND_ACCESSIBILITY_SERVICE permission is enabled, the malware leverages this capability to grant itself all other permissions. It constantly monitors the device screen using the same permission. Along with that, the app prevents the user from modifying the app settings. The activities performed by abusing the BIND_ACCESSIBILITY_SERVICE permission are:\r\n1. Preventing the user from entering or modifying the app’s settings page\r\n2. Constantly checking for targeted banking/social apps on the screen; if any targeted app is present on the screen, the malware shows the phishing page related to it for credential stealing.\r\nAdditional actions conducted by Aberebot:\r\n1. Tricking the user with a legitimate-looking Google Chrome icon and name, as shown in Figure 11.\r\nFigure 11: The Aberebot Banking Trojan Masquerades as Google Chrome\r\n2. Hiding the application icon from the device home screen after the app starts. The code used for hiding the icon is shown in Figure 12.\r\nFigure 12: Code Used to Hide the Icon\r\nCountries targeted by Aberebot: Austria, Australia, Canada, Czech Republic, Germany, Spain, France, Hong Kong, India, Italy, Japan, Netherlands, New Zealand, Poland, Romania, Turkey, the United Kingdom, the United States of America.\r\nThe Aberebot malware targets customers of 140+ banks, including BCR Bank, Australia and New Zealand Banking Group, US Bank, SBI, etc.
In addition, apart from banks, other targeted accounts include PayPal, MobiKwik, Unocoin wallet, Gmail, etc.\r\nTargeted Banks in India:\r\nAccording to our findings, the malware uses phishing pages specifically designed for mobile users. The State Bank of India (SBI), HDFC Bank, Axis Bank, Bank of Baroda, ICICI Bank, IDBI Bank, and Union Bank are some of the India-based banks targeted by Aberebot.\r\nThe figure below shows the malware’s phishing page that has been designed to resemble the banking page of SBI, along with the code for stealing credentials from unsuspecting users.\r\nFigure 13: Phishing Page Designed to Target SBI customers\r\nThe image below showcases the comparison between SBI’s legitimate banking portal and Aberebot’s malicious SBI phishing portal.\r\nFigure 14: Comparison of the Original SBI portal with the Fake SBI portal designed by Aberebot’s creator\r\nAlong with banks, the Aberebot Trojan is also targeting financial applications such as MobiKwik and Oxigen Wallet. The MobiKwik phishing page is shown in the figure below.\r\nFigure 15: Malicious MobiKwik Phishing Page Designed by Aberebot’s Author\r\nConclusion\r\nOur research indicates that TAs are increasingly introducing new malware techniques to evade detection. Banking threats are increasing with every passing day and are being enhanced with sophisticated techniques. Aberebot is one such example. According to our research, these types of malware are only distributed via sources other than the Google Play Store. As a result, it is imperative for consumers to practice cyber hygiene across their mobile devices and online banking applications.\r\nRecommendations\r\n1.
If you find this malware on your device, uninstall it immediately.\r\n2. Use the shared IoCs to monitor and block the malware infection.\r\n3. Keep your anti-virus software updated to detect and remove malicious software.\r\n4. Keep your system and applications updated to the latest versions.\r\n5. Use strong passwords and enable two-factor authentication.\r\n6. Download and install software only from registered app stores.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nDefense Evasion  T1406  Obfuscated Files or Information\r\nDiscovery  T1421  System Network Connections Discovery\r\nDiscovery  T1430  Location Tracking\r\nCollection  T1507  Network Information Discovery\r\nCollection  T1412  Capture SMS Messages\r\nCollection  T1432  Access Contact List\r\nCommand and Control  T1571  Non-Standard Port\r\nCommand and Control  T1573  Encrypted Channel\r\nImpact  T1447  Delete Device Data\r\nNetwork Effects  T1449  Exploit SS7 to Redirect Phone Calls/SMS\r\nIndicators of Compromise (IoCs):\r\nIndicators  Indicator type  Description\r\n8bef7b86043f758a775a9cf4080f5b87d50df4778d03ecd94989f98cc5c91e75  SHA256 Hash  APK malware\r\na1e56b54768a70b73f131ef3508bd47fff20ae7f80856a11a83894fe686d8cc1  SHA256 Hash  Second sample\r\nhxxps://api.telegram[.]org/bot1900116382:AAHdStvE0Pr4vI7ZEHj5BdFJAlCOvaovRRY/getUpdates  URL  Telegram Bot URL\r\nhxxps://api.telegram[.]org/bot1900116382:AAHdStvE0Pr4vI7ZEHj5BdFJAlCOvaovRRY/sendMessage?chat_id=-561929911\u0026text=  URL  Telegram Bot URL\r\nhxxps://github.com/yutronsayshi/aberebot234/raw/main/  URL  GitHub Repo\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb.
Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\nSource: https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/"
	],
	"report_names": [
		"aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1a5da63a4a1fa9005e4191c103d0d93cf8913ab.pdf",
		"text": "https://archive.orkl.eu/b1a5da63a4a1fa9005e4191c103d0d93cf8913ab.txt",
		"img": "https://archive.orkl.eu/b1a5da63a4a1fa9005e4191c103d0d93cf8913ab.jpg"
	}
}