{
	"id": "1a846014-778f-4e45-bbb2-68474a173497",
	"created_at": "2026-04-06T00:10:54.418611Z",
	"updated_at": "2026-04-10T03:24:29.682284Z",
	"deleted_at": null,
	"sha1_hash": "e92f74b8efad475aa6bb412d20a81187ba3db1d3",
	"title": "The rise of mobile banker Asacub",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 831970,
	"plain_text": "The rise of mobile banker Asacub\r\nBy Tatyana Shishkova\r\nPublished: 2018-08-28 · Archived: 2026-04-05 14:00:44 UTC\r\nWe encountered the Trojan-Banker.AndroidOS.Asacub family for the first time in 2015, when the first versions of the malware were detected, analyzed, and found to be more adept at spying than stealing funds. The Trojan has evolved since then, aided by a large-scale distribution campaign by its creators (in spring-summer 2017), helping Asacub to claim top spots in last year’s ranking by number of attacks among mobile banking Trojans, outperforming other families such as Svpeng and Faketoken.\r\nWe decided to take a peek under the hood of a modern member of the Asacub family. Our eyes fell on the latest version of the Trojan, which is designed to steal money from owners of Android devices connected to the mobile banking service of one of Russia’s largest banks.\r\nAsacub versions\r\nSewn into the body of the Trojan is the version number, consisting of two or three digits separated by periods. The numbering seems to have started anew after version 9.\r\nThe name Asacub appeared with version 4 in late 2015; previous versions were known as Trojan-SMS.AndroidOS.Smaps. Versions 5.X.X-8.X.X were active in 2016, and versions 9.X.X-1.X.X in 2017. In 2018, the most actively distributed versions were 5.0.0 and 5.0.3.\r\nCommunication with C\u0026C\r\nAlthough Asacub’s capabilities gradually evolved, its network behavior and method of communication with the command-and-control (C\u0026C) server changed little. This strongly suggests that the banking Trojans, despite differing in terms of capability, belong to the same family.\r\nData was always sent to the C\u0026C server via HTTP in the body of a POST request in encrypted form to the relative address /something/index.php. 
In earlier versions, the something part of the relative path was a partially intelligible, yet random mix of words and short combinations of letters and numbers separated by an underscore, for example, “bee_bomb” or “my_te2_mms”.\r\nExample of traffic from an early version of Asacub (2015)\r\nThe data transmitted and received is encrypted with the RC4 algorithm and encoded using the base64 standard. The C\u0026C address and the encryption key (one for different modifications in versions 4.x and 5.x, and distinct for different C\u0026Cs in later versions) are stitched into the body of the Trojan. In early versions of Asacub, .com, .biz, .info, .in, .pw were used as top-level domains. In the 2016 version, the value of the User-Agent header changed, as did the method of generating the relative path in the URL: now the part before /index.php is a mix of a pronounceable (if not entirely meaningful) word and random letters and numbers, for example, “muromec280j9tqeyjy5sm1qy71” or “parabbelumf8jgybdd6w0qa0”. Moreover, incoming traffic from the C\u0026C server began to use gzip compression, and the top-level domain for all C\u0026Cs was .com:\r\nhttps://securelist.com/the-rise-of-mobile-banker-asacub/87591/\r\nPage 1 of 11\n\nSince December 2016, the changes in C\u0026C communication methods have affected only how the relative path in the URL is generated: the pronounceable word was replaced by a rather long random combination of letters and numbers, for example, “ozvi4malen7dwdh” or “f29u8oi77024clufhw1u5ws62”. At the time of writing this article, no other significant changes in Asacub’s network behavior had been observed:\r\nThe origin of Asacub\r\nIt is fairly safe to say that the Asacub family evolved from Trojan-SMS.AndroidOS.Smaps. 
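Before comparing Smaps and Asacub traffic, here is how the Asacub transport described above (JSON, RC4, then base64 in the POST body, with gzip on server replies from 2016 on) is undone in practice. The block below is an added example, not code from the article or from the Trojan: the key, the check-in message and the command are constructed placeholders, the path regex is a coarse heuristic derived only from the path shapes quoted above, and it assumes the gzip layer wraps the whole HTTP body (Content-Encoding style) rather than sitting inside the base64.

```python
import base64
import gzip
import json
import re

# Added example, not the Trojan's code.  SAMPLE_KEY is a constructed placeholder;
# a real key is the one stitched into the APK of the sample under analysis.
SAMPLE_KEY = b'constructed-key-not-from-a-sample'

# Relative paths quoted in the article: /bee_bomb/index.php (2015),
# /muromec280j9tqeyjy5sm1qy71/index.php (2016), /ozvi4malen7dwdh/index.php (2017+).
# Coarse first-pass filter only; it must be confirmed by decrypting the body.
PATH_RE = re.compile(r'^/[a-z0-9_]{6,40}/index[.]php$')


def rc4(key: bytes, data: bytes) -> bytes:
    # Textbook RC4 (KSA + PRGA).  The same call encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_payload(obj, key: bytes = SAMPLE_KEY) -> bytes:
    # Bot side: JSON -> RC4 -> base64.  This is what lands in the POST body.
    raw = json.dumps(obj, separators=(',', ':'), ensure_ascii=False).encode('utf-8')
    return base64.b64encode(rc4(key, raw))


def server_reply(obj, key: bytes = SAMPLE_KEY) -> bytes:
    # Server side after 2016: the same encoding, then gzip over the whole body
    # (assumption: gzip is the outer layer, as with HTTP Content-Encoding).
    return gzip.compress(encode_payload(obj, key))


def decode_payload(body: bytes, key: bytes = SAMPLE_KEY, gzipped: bool = False):
    # Analyst side: strip gzip if present, undo base64, undo RC4, parse JSON.
    if gzipped:
        body = gzip.decompress(body)
    plain = rc4(key, base64.b64decode(body, validate=True))
    return json.loads(plain.decode('utf-8'))


def looks_like_asacub(path: str, body: bytes, key: bytes = SAMPLE_KEY) -> bool:
    # Detection rule for a proxy or IDS extract: the path shape alone is too
    # weak, so require that the body decrypts to the JSON envelope the bot uses
    # (a dict carrying an 'id' field, plus 'type' or 'info').
    if not PATH_RE.match(path):
        return False
    try:
        msg = decode_payload(body, key)
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(msg, dict) and 'id' in msg and ('type' in msg or 'info' in msg)


# Constructed check-in modelled on the decrypted 5.0.2 message shown in the
# traffic comparison below (all identifiers are fictitious).
SAMPLE_CHECKIN = {
    'id': '00000000-0000-4000-8000-000000000000',
    'type': 'get',
    'info': 'imei:000000000000000, country:PL, cell:Tele2, android:4.2.2, '
            'model:GT-N5100, app:null, ver:5.0.2',
}
# Constructed server instruction; 'sent' stands in for the real command name.
SAMPLE_COMMAND = [{'command': 'sent',
                   'params': {'to': '+70000000000', 'body': 'BALANCE',
                              'timestamp': '1452272573'}}]

if __name__ == '__main__':
    body = encode_payload(SAMPLE_CHECKIN)
    print(looks_like_asacub('/ozvi4malen7dwdh/index.php', body))
    print(decode_payload(server_reply(SAMPLE_COMMAND), gzipped=True))
```

Because the key is per-modification in 4.x/5.x and per-C2 later, a detection built on this should load one key per known sample and try each; a body that base64-decodes cleanly but fails every key is still worth flagging if the path matches, since a new C2 usually means a new key.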
Communication between both Trojans and their C\u0026C servers is based on the same principle, the relative addresses to which Trojans send network requests are generated in a similar manner, and the set of possible commands that the two Trojans can perform also overlaps. What’s more, the numbering of Asacub versions is a continuation of the Smaps system. The main difference is that Smaps transmits data as plain text, while Asacub encrypts data with the RC4 algorithm and then encodes it into base64 format.\r\nLet’s compare examples of traffic from Smaps and Asacub — an initializing request to the C\u0026C server with information about the infected device and a response from the server with a command for execution:\r\nSmaps request\r\nAsacub request\r\nDecrypted data from Asacub traffic:\r\n{\"id\":\"532bf15a-b784-47e5-92fa-72198a2929f5\",\"type\":\"get\",\"info\":\"imei:365548770159066, country:PL, cell:Tele2, android:4.2.2, model:GT-N5100, phonenumber:+486679225120, sim:6337076348906359089f, app:null, ver:5.0.2\"}\r\nData sent to the server\r\n[{\"command\":\"sent\u0026\u0026\u0026\",\"params\":{\"to\":\"+79262000900\",\"body\":\"\\u0410\\u0412\\u0422\\u041e\\u041f\\u041b\\u0410\\u0422\\u0415\\u0416 1000 50\",\"timestamp\":\"1452272572\"}},{\"command\":\"sent\u0026\u0026\u0026\",\"params\":{\"to\":\"+79262000900\",\"body\":\"BALANCE\",\"timestamp\":\"1452272573\"}}]\r\nInstructions received from the server\r\nA comparison can also be made of the format in which Asacub and Smaps forward incoming SMS (encoded with the base64 algorithm) from the device to the C\u0026C server:\r\nSmaps format\r\nAsacub format\r\nDecrypted data from Asacub 
traffic:\r\n{\"data\":\"2015:10:14_02:41:15\",\"id\":\"532bf15a-b784-47e5-92fa-72198a2929f5\",\"text\":\"SSB0aG91Z2h0IHdlIGdvdCBwYXN0IHRoaXMhISBJJ20gbm90IGh1bmdyeSBhbmQgbmU=\",\"number\":\"1790\",\"ty\r\nPropagation\r\nThe banking Trojan is propagated via phishing SMS containing a link and an offer to view a photo or MMS. The link points to a web page with a similar sentence and a button for downloading the APK file of the Trojan to the device.\r\nThe Trojan download window\r\nAsacub masquerades under the guise of an MMS app or a client of a popular free ads service. We came across the names Photo, Message, Avito Offer, and MMS Message.\r\nApp icons under which Asacub masks itself\r\nThe APK files of the Trojan are downloaded from sites such as mmsprivate[.]site, photolike[.]fun, you-foto[.]site, and mms4you[.]me under names in the format:\r\nphoto_[number]_img.apk,\r\nmms_[number]_img.apk,\r\navito_[number].apk,\r\nmms.img_[number]_photo.apk,\r\nmms[number]_photo.image.apk,\r\nmms[number]_photo.img.apk,\r\nmms.img.photo_[number].apk,\r\nphoto_[number]_obmen.img.apk.\r\nFor the Trojan to install, the user must allow installation of apps from unknown sources in the device settings.\r\nInfection\r\nDuring installation, depending on the version of the Trojan, Asacub prompts the user either for Device Administrator rights or for permission to use AccessibilityService. After receiving the rights, it sets itself as the default SMS app and disappears from the device screen. 
If the user ignores or rejects the request, the window reopens every few seconds.\r\nThe Trojan requests Device Administrator rights\r\nThe Trojan requests permission to use AccessibilityService\r\nAfter installation, the Trojan starts communicating with the cybercriminals’ C\u0026C server. All data is transmitted in JSON format (after decryption). It includes information about the smartphone model, the OS version, the mobile operator, and the Trojan version.\r\nLet’s take an in-depth look at Asacub 5.0.3, the most widespread version in 2018.\r\nStructure of data sent to the server:\r\n{\r\n   \"type\":int,\r\n   \"data\":{\r\n      data\r\n   },\r\n   \"id\":hex\r\n}\r\nStructure of data received from the server:\r\n{\r\n   \"command\":int,\r\n   \"params\":{\r\n      params,\r\n      \"timestamp\":int,\r\n      \"x\":int\r\n   },\r\n   \"waitrun\":int\r\n}\r\nTo begin with, the Trojan sends information about the device to the server:\r\n{\r\n   \"type\":1,\r\n   \"data\":{\r\n      \"model\":string,\r\n      \"ver\":\"5.0.3\",\r\n      \"android\":string,\r\n      \"cell\":string,\r\n      \"x\":int,\r\n      \"country\":int, //optional\r\n      \"imei\":int //optional\r\n   },\r\n   \"id\":hex\r\n}\r\nIn response, the server sends the code of the command for execution (“command”), its parameters (“params”), and the time delay before execution (“waitrun” in milliseconds).\r\nList of commands sewn into the body of the Trojan:\r\nCommand code | Parameters | Actions\r\n2 | - | Sending a list of contacts from the address book of the infected device to the C\u0026C server\r\n7 | \"to\":int | Calling the specified number\r\n11 | \"to\":int, \"body\":string | Sending an SMS with the specified text to the 
specified number\r\n19 | \"text\":string, \"n\":string | Sending SMS with the specified text to numbers from the address book of the infected device, with the name of the addressee from the address book substituted into the message text\r\n40 | \"text\":string | Shutting down applications with specific names (antivirus and banking applications)\r\nThe set of possible commands is the most significant difference between the various flavors of Asacub. In the 2015-early 2016 versions examined in this article, C\u0026C instructions in JSON format contained the name of the command in text form (“get_sms”, “block_phone”). In later versions, instead of the name of the command, its numerical code was transmitted. The same numerical code corresponded to one command in different versions, but the set of supported commands varied. For example, version 9.0.7 (2017) featured the following set of commands: 2, 4, 8, 11, 12, 15, 16, 17, 18, 19, 20.\r\nAfter receiving the command, the Trojan attempts to execute it, before informing C\u0026C of the execution status and any data received. The “id” value inside the “data” block is equal to the “timestamp” value of the relevant command:\r\n{\r\n   \"type\":3,\r\n   \"data\":{\r\n      \"data\":JSONArray,\r\n      \"command\":int,\r\n      \"id\":int,\r\n      \"post\":boolean,\r\n      \"status\":resultCode\r\n   },\r\n   \"id\":hex\r\n}\r\nIn addition, the Trojan sets itself as the default SMS application and, on receiving a new SMS, forwards the sender’s number and the message text in base64 format to the cybercriminal:\r\n{\r\n   \"type\":2,\r\n   \"data\":{\r\n      \"n\":string,\r\n      \"t\":string\r\n   },\r\n   \"id\":hex\r\n}\r\nThus, Asacub can withdraw funds from a bank card linked to the phone by sending SMS-banking commands that transfer funds to another account identified by card number or mobile phone number. 
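The exchange described above, as an added example that is neither the Trojan's code nor the article's: a small model of the 5.0.3 envelope after decryption, covering the type 1 check-in, dispatch of the five documented command codes, the type 3 report whose data.id echoes the command timestamp, and the type 2 SMS forward. Two readings of the command table are assumptions: that the n parameter of command 19 is the placeholder token that gets replaced by the contact name, and that the text parameter of command 40 is a comma-separated list of package names. The bot id, device state, contacts and server instructions are constructed.

```python
import base64
import copy
import json

# Added example, not the Trojan's code.  Everything below is the plaintext that
# the RC4/base64 layer carries.  BOT_ID and DEVICE are constructed.
BOT_ID = 'deadbeefcafef00d'
VERSION = '5.0.3'

DEVICE = {
    'model': 'GT-N5100', 'android': '4.2.2', 'cell': 'Tele2',
    'contacts': [{'name': 'Anna', 'number': '+48000000001'},
                 {'name': 'Piotr', 'number': '+48000000002'}],
    'running': ['com.example.bank', 'com.example.av', 'com.example.launcher'],
    'call_log': [],
    'outbox': [],
}


def fresh_device():
    # Independent copy so each simulated session starts from the same state.
    return copy.deepcopy(DEVICE)


def checkin_message(device):
    # type 1: the first message, carrying the device fingerprint.
    return {'type': 1,
            'data': {'model': device['model'], 'ver': VERSION,
                     'android': device['android'], 'cell': device['cell'], 'x': 0},
            'id': BOT_ID}


def handle_command(cmd, device):
    # Execute one server instruction and build the type 3 report.
    # data.id echoes params.timestamp so the server can match report to command.
    code, params = cmd['command'], cmd['params']
    status, result = 1, []
    if code == 2:
        result = list(device['contacts'])
    elif code == 7:
        device['call_log'].append(params['to'])
        result = [params['to']]
    elif code == 11:
        sms = {'to': params['to'], 'body': params['body']}
        device['outbox'].append(sms)
        result = [sms]
    elif code == 19:
        # ASSUMPTION: params['n'] is the token in the text replaced by the name.
        for c in device['contacts']:
            sms = {'to': c['number'],
                   'body': params['text'].replace(params['n'], c['name'])}
            device['outbox'].append(sms)
            result.append(sms)
    elif code == 40:
        # ASSUMPTION: comma-separated package names to be killed.
        targets = {t.strip() for t in params['text'].split(',')}
        result = [a for a in device['running'] if a in targets]
        device['running'] = [a for a in device['running'] if a not in targets]
    else:
        status = 0  # code not supported by this build
    return {'type': 3,
            'data': {'data': result, 'command': code, 'id': params['timestamp'],
                     'post': True, 'status': status},
            'id': BOT_ID}


def delay_seconds(cmd):
    # waitrun is the delay before execution, in milliseconds.
    return cmd.get('waitrun', 0) / 1000.0


def sms_forward(number, text):
    # type 2: every incoming SMS (bank OTPs included) goes to the C2 with the
    # text base64-encoded.
    return {'type': 2,
            'data': {'n': number,
                     't': base64.b64encode(text.encode('utf-8')).decode('ascii')},
            'id': BOT_ID}


def read_forwarded_sms(msg):
    # C2 side: recover sender and text from a type 2 message.
    return msg['data']['n'], base64.b64decode(msg['data']['t']).decode('utf-8')


# Constructed server instructions in the documented envelope.
SAMPLE_COMMANDS = [
    {'command': 19, 'params': {'text': '%n%, look at this photo', 'n': '%n%',
                               'timestamp': 1452272572, 'x': 0}, 'waitrun': 0},
    {'command': 40, 'params': {'text': 'com.example.bank,com.example.av',
                               'timestamp': 1452272573, 'x': 0}, 'waitrun': 5000},
]


def run_session(commands=SAMPLE_COMMANDS, device=None):
    # Drive a whole session; return the bot's messages in order and the end state.
    device = device if device is not None else fresh_device()
    sent = [checkin_message(device)]
    for cmd in commands:
        sent.append(handle_command(cmd, device))
    return sent, device


if __name__ == '__main__':
    messages, state = run_session()
    for m in messages:
        print(json.dumps(m))
    print('still running:', state['running'])
```

Walking a decrypted capture through handle_command is a quick way to check an analyst's reading of an unfamiliar command code: if the type 3 report the real bot sent does not match what the model produces for the same instruction, the parameter semantics assumed here are wrong for that build.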
Moreover, the Trojan intercepts SMS from the bank that contain one-time passwords and information about the balance of the linked bank card. Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS and send them to the required number. What’s more, the user cannot check the balance via mobile banking or change any settings there, because after receiving the command with code 40, the Trojan prevents the banking app from running on the phone.\r\nUser messages created by the Trojan during installation typically contain grammatical and spelling errors, and use a mixture of Cyrillic and Latin characters.\r\nThe Trojan also employs various obfuscation methods: from the simplest, such as string concatenation and renaming of classes and methods, to implementing functions in native code and embedding SO libraries in C/C++ in the APK file, which requires the use of additional tools or dynamic analysis for deobfuscation, since most tools for static analysis of Android apps support only Dalvik bytecode. In some versions of Asacub, strings in the app are encrypted using the same algorithm as data sent to C\u0026C, but with different keys.\r\nExample of using native code for obfuscation\r\nExamples of using string concatenation for obfuscation\r\nExample of encrypting strings in the Trojan\r\nAsacub distribution geography\r\nAsacub is primarily aimed at Russian users: 98% of infections (225,000) occur in Russia, since the cybercriminals specifically target clients of a major Russian bank. 
The Trojan also hit users from Ukraine, Turkey, Germany, Belarus, Poland, Armenia, Kazakhstan, the US, and other countries.\r\nConclusion\r\nThe case of Asacub shows that mobile malware can function for several years with minimal changes to the distribution scheme.\r\nIt is basically SMS spam: many people still follow suspicious links, install software from third-party sources, and give permissions to apps without a second thought. At the same time, cybercriminals are reluctant to change the method of communication with the C\u0026C server, since this would require more effort and reap less benefit than modifying the executable file. The most significant change in this particular Trojan’s history was the encryption of data sent between the device and C\u0026C. That said, so as to hinder detection of new versions, the Trojan’s APK file and the C\u0026C server domains are changed regularly, and the Trojan download links are often one-time-use.\r\nIOCs\r\nC\u0026C IP addresses:\r\n155.133.82.181\r\n155.133.82.240\r\n155.133.82.244\r\n185.234.218.59\r\n195.22.126.160\r\n195.22.126.163\r\n195.22.126.80\r\n195.22.126.81\r\n5.45.73.24\r\n5.45.74.130\r\nIP addresses from which the Trojan was 
downloaded:\r\n185.174.173.31\r\n185.234.218.59\r\n188.166.156.110\r\n195.22.126.160\r\n195.22.126.80\r\n195.22.126.81\r\n195.22.126.82\r\n195.22.126.83\r\nSHA256:\r\n158c7688877853ffedb572ccaa8aa9eff47fa379338151f486e46d8983ce1b67\r\n3aedbe7057130cf359b9b57fa533c2b85bab9612c34697585497734530e7457d\r\nf3ae6762df3f2c56b3fe598a9e3ff96ddf878c553be95bacbd192bd14debd637\r\ndf61a75b7cfa128d4912e5cb648cfc504a8e7b25f6c83ed19194905fef8624c8\r\nc0cfd462ab21f6798e962515ac0c15a92036edd3e2e63639263bf2fd2a10c184\r\nd791e0ce494104e2ae0092bb4adc398ce740fef28fa2280840ae7f61d4734514\r\n38dcec47e2f4471b032a8872ca695044ddf0c61b9e8d37274147158f689d65b9\r\n27cea60e23b0f62b4b131da29fdda916bc4539c34bb142fb6d3f8bb82380fe4c\r\n31edacd064debdae892ab0bc788091c58a03808997e11b6c46a6a5de493ed25d\r\n87ffec0fe0e7a83e6433694d7f24cfde2f70fc45800aa2acb8e816ceba428951\r\neabc604fe6b5943187c12b8635755c303c450f718cc0c8e561df22a27264f101\r\nSource: https://securelist.com/the-rise-of-mobile-banker-asacub/87591/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"
	],
	"report_names": [
		"87591"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434254,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e92f74b8efad475aa6bb412d20a81187ba3db1d3.pdf",
		"text": "https://archive.orkl.eu/e92f74b8efad475aa6bb412d20a81187ba3db1d3.txt",
		"img": "https://archive.orkl.eu/e92f74b8efad475aa6bb412d20a81187ba3db1d3.jpg"
	}
}