{
	"id": "dc313e3d-a890-44e4-bd27-c9b8b4cff573",
	"created_at": "2026-04-06T00:21:01.235594Z",
	"updated_at": "2026-04-10T03:30:33.344263Z",
	"deleted_at": null,
	"sha1_hash": "c8e1f614ec235c016aaf61d23f4b799037715a8c",
	"title": "Bankbot on Google Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48811,
	"plain_text": "Bankbot on Google Play\r\nArchived: 2026-04-05 13:32:02 UTC\r\nWhile hunting for malicious applications out there, we found a banking trojan known as Bankbot in Google Play. It was found at an early stage, so it has not had enough time to spread, but it currently has around 500 installations.\r\nBehind this \"Downloader for videos\" we can find that the true nature of the application is not really watching videos but rather stealing data from users.\r\nIn the background, once it is executed on the victim's device, it communicates remotely with its Command and Control server.\r\nhttp://ughdsay3[.]tk is used as C\u0026C for the banker to communicate.\r\ntuk_tuk.php and set_data.php are common remote files that are used for communications. Also, the communications in this post can be decrypted.\r\nAt the time of this post, the application has ~500 installations and 9 positive reviews, meant to trick users into trusting the APK.\r\nEmail used on the Google Play application page: hgerritsen0@gmail.com\r\nSource: http://blog.koodous.com/2017/05/bankbot-on-google-play.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://blog.koodous.com/2017/05/bankbot-on-google-play.html"
	],
	"report_names": [
		"bankbot-on-google-play.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8e1f614ec235c016aaf61d23f4b799037715a8c.pdf",
		"text": "https://archive.orkl.eu/c8e1f614ec235c016aaf61d23f4b799037715a8c.txt",
		"img": "https://archive.orkl.eu/c8e1f614ec235c016aaf61d23f4b799037715a8c.jpg"
	}
}