{
	"id": "a47bb34a-63ee-445a-81c0-a2bfaad4e1f8",
	"created_at": "2026-04-06T01:30:57.820027Z",
	"updated_at": "2026-04-10T03:30:33.863175Z",
	"deleted_at": null,
	"sha1_hash": "c46abcfdf47062d8ee75a683c199a4fd5fd265d0",
	"title": "BasBanke: Trend-setting Brazilian banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 290835,
	"plain_text": "BasBanke: Trend-setting Brazilian banking Trojan\r\nBy GReAT\r\nPublished: 2019-04-04 · Archived: 2026-04-06 01:05:44 UTC\r\nBasBanke is a new Android malware family targeting Brazilian users. It is a banking Trojan built to steal financial data such as credentials and credit/debit card numbers, but it is not limited to this functionality. The propagation of this threat began during the 2018 Brazilian elections, registering over 10,000 installations up to April 2019 from the official Google Play Store alone.\r\nThis malware can perform tasks such as keystroke logging, screen recording, SMS interception, and the theft of credit card and financial information. To trick users into downloading the malware, the authors advertise it via Facebook and WhatsApp messages. The campaign’s new URLs redirect victims either to the official Google Play Store or to a website hosting malicious APK packages.\r\nMalicious applications used to distribute BasBanke, hosted in the Google Play Store.\r\nThe malicious applications hosted in the Google Play Store disguise themselves as applications with supposed functionality such as a secure QR reader, a fake app for a real travel agency with travel deals, and – implementing a well-known trick – an application to “see who visited your profile.” The most widespread malicious application is a fake version of CleanDroid, first announced in a paid advertisement on Facebook and linking to the application hosted on the Play Store. This “miraculous” application promises to protect the victim’s device against viruses, to optimize memory space, and to save data when using a 3G or 4G connection. In reality it is a banking Trojan.\r\nhttps://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/\r\nPage 1 of 4\r\nThe malicious CleanDroid application shown in a Facebook advertisement. Source: Defesa Digital\r\nThe number of targeted banking applications and websites is quite significant. A considerable number of Brazilian financial institutions and other popular websites such as Spotify, YouTube, and Netflix are on the target list. However, when it comes to stealing banking credentials, metadata such as the device name, IMEI, and the telephone number used by the victim are sent to a remote C2. Why pay special attention to this data? Well, fraudsters need it to mimic legitimate access to the victim’s account.\r\nMetadata extracted from the phone and sent to the remote C2.\r\nDepending on the version of the malware, we found different targets – and they are all financial institutions. In addition, an extensive list of keywords defines what other brands or websites will trigger the keylogging procedure.\r\nWe have previously found a few malicious campaigns similar to this one, but with significantly reduced distribution compared to BasBanke. Another difference is that BasBanke uses Facebook and WhatsApp as a mass distribution vector. It also appears to have sparked new ideas among Brazilian cybercriminal crews by showing how easy it is to infect an Android device with a malicious application hosted in the official store. The attackers behind BasBanke have proved that the Play Protect feature is not enough to stop them and effectively block their malware. In fact, BasBanke is the forerunner of a larger malicious campaign that we’ll be reporting on soon.\r\nReference IoC\r\nHashes\r\nDomains\r\nInterested in more information? Email us at financialintel@kaspersky.com\r\nSource: https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/"
	],
	"report_names": [
		"90365"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439057,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c46abcfdf47062d8ee75a683c199a4fd5fd265d0.pdf",
		"text": "https://archive.orkl.eu/c46abcfdf47062d8ee75a683c199a4fd5fd265d0.txt",
		"img": "https://archive.orkl.eu/c46abcfdf47062d8ee75a683c199a4fd5fd265d0.jpg"
	}
}