Bankbot on Google Play

Archived: 2026-04-05 13:32:02 UTC

While hunting for malicious applications, we found a banking trojan known as Bankbot in Google Play. It was found at an early stage, so it didn't have enough time to spread; the current count is around 500 installations.

Behind this "Downloader for videos", the true nature of the application is not really watching videos but rather stealing data from users.

In the background, once it is executed on the victim's device, it communicates remotely with its Command and Control (C&C) server.

http://ughdsay3[.]tk is used as the C&C for the banker to communicate with.

tuk_tuk.php and set_data.php are common remote files that are used for communications. Also, the communications in this post can be decrypted.

At the time of this post, the application has ~500 installations and 9 positive reviews, to trick users into trusting the APK.

Email used on the Google Play application page: hgerritsen0@gmail.com

Source: http://blog.koodous.com/2017/05/bankbot-on-google-play.html
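The C&C host and the two remote files named above can be turned into a check over web proxy logs. This is an added example, not code from the original post; the log format, the sample lines and the function names are assumptions, and a filename-only match is treated as a weaker lead than a match on the C&C host.

```python
from urllib.parse import urlsplit

# Indicators from the post; the host stays defanged in source and is refanged at runtime.
C2_HOST = "ughdsay3[.]tk".replace("[.]", ".")
C2_FILES = {"tuk_tuk.php", "set_data.php"}

# Constructed sample lines (assumed format: timestamp client method url).
SAMPLE_LOG = "\n".join([
    f"2017-05-10T09:14:02Z 10.0.4.17 POST http://{C2_HOST}/tuk_tuk.php",
    f"2017-05-10T09:14:05Z 10.0.4.17 POST http://{C2_HOST.upper()}:80/set_data.php?x=1",
    "2017-05-10T09:15:40Z 10.0.4.22 GET http://example.org/docs/set_data.php.txt",
    "2017-05-10T09:16:11Z 10.0.4.30 POST http://198.51.100.7/a/tuk_tuk.php",
    "2017-05-10T09:17:00Z 10.0.4.31 GET https://play.google.com/store/apps",
    "malformed line",
])


def classify(url):
    """Return 'c2-host', 'c2-file' or None for one requested URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:
        return None
    if host == C2_HOST or host.endswith("." + C2_HOST):
        return "c2-host"
    # Compare the final path segment exactly, so "set_data.php.txt" does not match.
    if parts.path.rsplit("/", 1)[-1].lower() in C2_FILES:
        return "c2-file"
    return None


def scan(log_text):
    """Return (client, verdict, url) for every log line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url = fields
        verdict = classify(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


if __name__ == "__main__":
    for client, verdict, url in scan(SAMPLE_LOG):
        print(f"{verdict:8} {client:12} {url.replace('.', '[.]')}")
```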