{
	"id": "065032df-0dd8-4b16-a643-cdb765128a98",
	"created_at": "2026-04-06T00:15:12.581784Z",
	"updated_at": "2026-04-10T03:20:31.518619Z",
	"deleted_at": null,
	"sha1_hash": "def23e98504c73bf62c752a6f6874e255383e183",
	"title": "Remo Android Trojan Targets 50+ Banking Apps \u0026 Wallets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2251546,
	"plain_text": "Remo Android Trojan Targets 50+ Banking Apps \u0026 Wallets\r\nBy daksh sharma\r\nPublished: 2023-08-29 · Archived: 2026-04-05 23:50:00 UTC\r\nNew Remo Android Banking Trojan Targets Over 50 Banking Applications And Crypto Wallets\r\nCRIL analyzes a newly discovered Remo Android Banking Trojan targeting over 50 banking and cryptocurrency wallet applications from Indonesia, Vietnam, and Thailand.\r\nKey Takeaways\r\nA phishing site impersonating Binance distributes a new Android Banking Trojan, “Remo”, which abuses the Accessibility service to steal sensitive information.\r\nThe malware targeted more than 50 banking and cryptocurrency wallet applications in Thailand, Vietnam, and Indonesia, exfiltrating sensitive information from these apps.\r\nThe malware leveraged the Accessibility service to capture screen text and steal keystrokes from the targeted applications.\r\nAnalysis of the admin panel and code strings in the APK file suggested a possible China-originated Threat Actor (TA) behind the malware.\r\nThe malware can monitor clipboard data, which allows it to steal sensitive data without the victim granting any permissions.\r\nOverview\r\nIn today’s interconnected digital landscape, the threat of cyber phishing and scams has become a significant concern. Cybercriminals have cleverly exploited the convenience and connectivity that technology offers, crafting sophisticated schemes to trick unsuspecting individuals and organizations. Cyble Research and Intelligence Labs (CRIL) has been continuously monitoring crypto-based phishing and scams. 
In June 2023, we discovered a crypto mining scam distributing the Roamer Android Banking Trojan targeting banking applications primarily in Vietnam and India.\r\nCRIL subsequently discovered yet another Android Banking Trojan, “gjf-p3.apk (f75e26936a8f3b55065cdad25ee3e37bdf94054bc5e242dc72ebb073e4f73c3d),” via a VirusTotal search. This new discovery showcased an expanded targeting scope, involving not only Vietnam but also Thailand and Indonesia.\r\nFollowing an in-depth investigation, a phishing website was unearthed: hxxps://binancep2p[.]cc/, which imitates the legitimate Binance cryptocurrency platform and distributes the same malicious APK file, named “binance.apk (63e60c5c984dc379a273fc0e13be81bd3030466b7b2fc9695ec588edc24930e7)”.\r\nhttps://cyble.com/blog/new-remo-android-banking-trojan-targets-over-50-banking-applications-and-crypto-wallets/\r\nPage 1 of 13\n\nFigure 1 – Binance phishing site downloads malicious APK file\r\nDuring the scrutiny of the initial phishing site, an additional three phishing websites were identified. As of the writing of this blog, the following sites are inactive:\r\nhxxps://binance-p2p[.]net/\r\nhxxps://binanceb2c[.]com/\r\nhxxps://vtelpuls[.]com/\r\nFigure 2 – Additional phishing sites\r\nThe phishing website hxxps://vtelpuls[.]com/ was distributing an APK file named “Vtel.apk (sha256: 3f7e87646dfc76784942e044d0468ba8f2bc9495fa2710779dc36f7e53f53708).” This APK file’s source code closely resembled the one obtained from the phishing website that was pretending to be Binance. 
We also suspect that the other two websites might have played a role in distributing this harmful APK file. Furthermore, we suspect that the targeted individuals might have encountered these phishing websites through SMS or other messaging applications, making them susceptible to this threat.\r\nAfter examining the downloaded APK file, it was discovered that the malicious application targets more than 50 banking applications and cryptocurrency wallets from Thailand, Vietnam, and Indonesia. Like several other banking trojans, this malware also uses the Accessibility service to steal the credentials of the targeted applications.\r\nThe malware has been operational since July 2023, and as of the time of composing this blog post, the malware samples have a notably low detection rate, as shown in the below figure.\r\nFigure 3 – Malware samples have low detection\r\nThe Threat Actor (TA) has kept some of the malicious code inside the Android Library under the “Remo” and “service” folders, as shown in the below figure.\r\nFigure 4 – Malicious module kept inside the Android Library\r\nA comprehensive analysis of the malicious file revealed that this variant of malware is distinct and has not been encountered in the wild previously. Given this uniqueness, we have named the malware “Remo Banking Trojan,” a name derived from the consistent package name observed across all malicious samples. This naming convention enhances our ability to monitor the malware’s activities effectively.\r\nFor the technical analysis, we are considering the most recent sample of the Remo Banking Trojan, namely “gjf-p3.apk (f75e26936a8f3b55065cdad25ee3e37bdf94054bc5e242dc72ebb073e4f73c3d)”. 
This specific sample establishes communication with a Command and Control (C\u0026C) server located at hxxps://vnoffs[.]cyou:8081. Notably, the admin panel is also hosted on this URL. Upon examination of the admin panel, it becomes evident that certain strings are written in Chinese. Additionally, some strings present in the code are also in Chinese, suggesting that the TA could be of Chinese origin.\r\nThe below figure shows the admin panel.\r\nFigure 5 – Admin Panel\r\nThe malware employs strong obfuscation techniques to complicate reverse engineering, and the strings present within the files are encrypted. The malware implements a custom decryption routine to decrypt these strings. The code snippet displayed in the figure below illustrates the specific logic that the malware employs to decrypt these encrypted strings.\r\nFigure 6 – String decryption code\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: ARK\r\nPackage Name: com.gjf2.office\r\nSHA256 Hash: f75e26936a8f3b55065cdad25ee3e37bdf94054bc5e242dc72ebb073e4f73c3d\r\nFigure 7 – Application metadata information\r\nAfter being installed, the Remo Banking Trojan establishes a connection with the C\u0026C server at hxxps://vnoffs[.]cyou:8081/device/getAllDeviceAppPackageSetting. During this connection, it acquires a list of specific banking and cryptocurrency wallet applications that it aims to target. 
This list includes details such as the ID, package name, application name, and its disabled status, as shown in the figure below.\r\nFigure 8 – Malware receives targeted application list\r\nThe table provided below lists the package names and application names of the applications targeted by the Remo banking trojan.\r\nPackage name Application name\r\ncom.vnpay.bidv BIDV\r\nvn.com.techcombank.bb.app Techcombank\r\ncom.VCB VCB Digibank\r\ncom.vietinbank.ipay VietinBank\r\ncom.vnpay.Agribank3g Agribank\r\nmobile.acb.com.vn ACB\r\ncom.vnpay.vpbankonline VPBank\r\ncom.tpb.mb.gprsandroid TPBank\r\nsrc.com.sacombank Sacombank\r\ncom.mbmobile MB Bank\r\ncom.vnpay.hdbank HDBank\r\nvn.com.msb.smartBanking MSB\r\ncom.ocb.omniextra OCB\r\ncom.mservice.momotransfer MOMO\r\ncom.bca BCA mobile\r\nid.bmri.livin Livin’ by Mandiri\r\nsrc.com.bni BNI Mobile Banking\r\ncom.jago.digitalBanking Jago\r\ncom.bsm.activity2 BSI Mobile\r\ncom.ocbcnisp.onemobileapp OCBC Mobile\r\nid.co.bri.brilinkmobile BRILink Mobile\r\nid.com.uiux.mobile M2U\r\ncom.bca.mybca.omni.android myBCA\r\ncom.dbs.id.pt.digitalbank Digibank Indonesia\r\ncom.alloapp.yump allo bank\r\ncom.dbank.mobile D-Bank PRO\r\nnet.myinfosys.PermataMobileX PermataMobile X\r\nid.co.bankbkemobile.digitalbank SeaBank\r\ncom.bplus.vtpay Viettel Money\r\nvn.com.vng.zalopay ZaloPay\r\nwifi.gps.input Input\r\nth.or.gsb.coachaom Coachaom\r\nktbcs.netbank NEXT\r\ncom.bbl.mobilebanking Bualuang mBanking\r\ncom.kasikorn.retail.mbanking.wap K PLUS\r\ncom.scb.phone SCB EASY\r\ncom.krungsri.kma KMA\r\ncom.TMBTOUCH.PRODUCTION Ttb Touch\r\ncom.kbzbank.kpaycustomer KBZPay\r\ncom.uob.mighty.app UOB TMRW\r\ncom.ktb.customer.qr Paotang\r\nim.token.app 
imtoken\r\nvn.shb.mbanking SHB Mobile\r\ncom.bitpie Bitpie Wallet\r\nio.metamask MetaMask\r\ncom.binance.dev Binance\r\npro.huobi HuoBi\r\ncom.bybit.app Bybit\r\ncom.okinc.okex.gp OKX\r\nvip.mytokenpocket TokenPocket\r\napp.vitien.vitien Vitien\r\nUpon obtaining the list of targeted applications, the malware checks whether each targeted application is installed on the compromised device. It then transmits the application name, package name, and version number of each installed targeted application to the C\u0026C server at hxxps://vnoffs[.]cyou:8081/device/saveAppList, as shown below.\r\nFigure 9 – Malware sends targeted application information installed on the victim’s device to the C\u0026C server\r\nSimultaneously, the malware prompts the victim to enable the Accessibility service. Once the service is enabled, the malware abuses it to carry out its banking Trojan activity, prevent uninstallation, and grant itself permissions automatically, as shown below.\r\nFigure 10 – Malware prompts to enable the Accessibility service\r\nIn the background, the malware continuously transmits data from the infected device to the C\u0026C server hxxps://vnoffs[.]cyou:8081/device/addOrUpdateDevice. The data includes a wide range of information, such as the status of the Accessibility service, the package name of the currently running application, the contents of the clipboard, time zone settings, and basic device details, as shown in Figure 11. 
One notable aspect is the malware’s persistent collection of clipboard content, enabling the TA to gather sensitive data from the victim’s device without requiring any explicit permissions.\r\nFigure 11 – Malware sends clipboard content with other device information\r\nAfter the victim grants it the Accessibility service permission, the malware exploits this service to identify the targeted banking or cryptocurrency wallet applications installed on the victim’s device. When the malware detects the victim interacting with any of these applications, it captures all the visible text on the current screen. Subsequently, the malware transmits this extracted text, along with the app name, package name, and current activity component name of the target application, to the C\u0026C server hxxps://vnoffs[.]cyou:8081/device/saveScreenText. The TA can use this compromised information to extract credentials and other confidential data from the targeted application. The below figure shows an example of the exfiltration of screen text from the targeted crypto wallet application.\r\nFigure 12 – Malware sends text from the targeted application’s screen\r\nThe Remo Banking Trojan additionally monitors the edit text fields within the targeted applications and transmits any sensitive information entered by the victim to the C\u0026C server hxxps://vnoffs[.]cyou:8081/device/saveKeyboardEvent. 
The figure below depicts how the malware captures a victim’s wallet mnemonic phrase through keylogging.\r\nFigure 13 – Malware steals a mnemonic phrase from the targeted crypto application using keylogging\r\nAdditionally, the Remo Banking Trojan steals all the contacts stored on the infected device and sends them to the C\u0026C server “hxxps://vnoffs[.]cyou:8081/device/saveAddressBookList”. However, this particular URL is not available on the server, as shown in the below figure.\r\nFigure 14 – Malware steals contact list\r\nConclusion\r\nThe Remo Banking Trojan represents a sophisticated cyber threat that specifically targets Android users in Southeast Asia, particularly in Thailand, Vietnam, and Indonesia. This malware employs various tactics, including phishing, keylogging, and Accessibility service abuse, to steal sensitive information from banking and cryptocurrency wallet applications. Notably, the malware’s use of a counterfeit Binance platform, combined with its ability to evade detection effectively, highlights the increasing inventiveness of cybercriminals in developing powerful and dangerous threats.\r\nThe malicious APK, distributed through phishing websites, establishes a connection with a C\u0026C server, allowing the malware to carry out its malicious activities. The implication of Chinese origin, although speculative, suggests the involvement of a TA with an advanced level of sophistication. The use of custom string encryption and decryption further highlights the malware’s attempt to evade traditional security measures.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. 
We recommend that our readers follow the best practices given below:\r\nDownload and install software only from official app stores like the Play Store or the iOS App Store.\r\nNever share your card details, CVV number, card PIN, or net banking credentials with an untrusted source.\r\nAvoid copy-pasting sensitive information such as the ID and password of banking, crypto, digital locker, or social media apps.\r\nUse a reputed antivirus and internet security software package on connected devices, including PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nDefense Evasion T1629.001 Impair Defenses: Prevent Application Removal\r\nCredential Access T1414 Clipboard Data\r\nCredential Access T1417.001 Input Capture: Keylogging\r\nDiscovery T1418 Software Discovery\r\nDiscovery T1426 System Information Discovery\r\nCollection T1636.003 Protected User Data: Contact List\r\nExfiltration T1646 Exfiltration Over C2 Channel\r\nIndicators of Compromise (IOCs)\r\nIndicators Indicator Type Description\r\n63e60c5c984dc379a273fc0e13be81bd3030466b7b2fc9695ec588edc24930e7 SHA256 Binance.apk\r\nbdfca6b4179daa865acd5c344ab6d44595994f2e SHA1 Binance.apk\r\n655c7f0f138675f81fae4eebea3a2b09 MD5 Binance.apk\r\nhxxps://binancep2p[.]cc/ URL Distribution site\r\nf75e26936a8f3b55065cdad25ee3e37bdf94054bc5e242dc72ebb073e4f73c3d SHA256 Hash of analyzed file “gjf-p3.apk”\r\nb5d780dc90fcc2534d331f1b369646fdafe523dd SHA1 Hash of analyzed file “gjf-p3.apk”\r\n0b7f5acaf4aa7dc5b5c4afa5c3c16f2d MD5 Hash 
of analyzed file “gjf-p3.apk”\r\nhxxps://vnoffs[.]cyou:8081 URL C\u0026C server\r\n495c5637012ef9ad233fa880b6022227dbbc3ee9b9a5b3a281fce1ba6ec881e6 SHA256 Remo Banking Trojan\r\nd96e6cf0af6720b272bca0befc4a72f2967531ec SHA1 Remo Banking Trojan\r\n1549b189b64abe469e8d002f524f0281 MD5 Remo Banking Trojan\r\n3f7e87646dfc76784942e044d0468ba8f2bc9495fa2710779dc36f7e53f53708 SHA256 Remo Banking Trojan\r\nb04b7af784c7dc6d8b3e2a9f8eed70bd72e12a01 SHA1 Remo Banking Trojan\r\n9318046c62addc393bd411a14ea39dff MD5 Remo Banking Trojan\r\nhxxps://vtelpuls[.]com/apk/download/Vtel.apk URL Distribution URL\r\n63077596f1c077a1ccf741db3cbd41f226fc1d8651f2543d7095804e5e0a189a SHA256 Remo Banking Trojan\r\n31c6fdf519e4e1012b27b752d128e4dd2df65c37 SHA1 Remo Banking Trojan\r\n2d9d806404e30afacb8ccd82635c7ae7 MD5 Remo Banking Trojan\r\ne889792ea8ef24b4f52e0e4e4440cd7b143d45a16c2be783846c746f0a4275c5 SHA256 Remo Banking Trojan\r\n29a046c8c0d500bd412d063a3c4daff0ff927929 SHA1 Remo Banking Trojan\r\n5932c00d3be5b733687ee5a8f00ffc2c MD5 Remo Banking Trojan\r\nSource: https://cyble.com/blog/new-remo-android-banking-trojan-targets-over-50-banking-applications-and-crypto-wallets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/new-remo-android-banking-trojan-targets-over-50-banking-applications-and-crypto-wallets/"
	],
	"report_names": [
		"new-remo-android-banking-trojan-targets-over-50-banking-applications-and-crypto-wallets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434512,
	"ts_updated_at": 1775791231,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/def23e98504c73bf62c752a6f6874e255383e183.pdf",
		"text": "https://archive.orkl.eu/def23e98504c73bf62c752a6f6874e255383e183.txt",
		"img": "https://archive.orkl.eu/def23e98504c73bf62c752a6f6874e255383e183.jpg"
	}
}