Blog
Mobile banking Trojans frequently hide behind seemingly harmless programs like productivity tools and games and infiltrate the Google Play Store, Android's official app store. The Trojans then place login pages on top of legitimate banking and finance apps to steal account passwords, monitor notifications to capture OTPs, and even commit on-device financial fraud by leveraging accessibility services to act like users. According to the Google Play Store, the top 10 Android mobile banking trojans are targeting 639 financial applications that have been downloaded over a billion times.
The most popular apps include: PhonePe, Binance,Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México.
According to a Zimperium analysis, which provided an overview of the Android ecosystem in the first quarter of 2021, each of these banking trojans has claimed a distinct market position based on the number of businesses they target and the features that distinguishes them from others. In the United States, three out of four respondents used banking applications for their regular banking transactions, providing a wealth of potential targets to these Trojans.
Worst-hit by banking Trojans
The United States is the most targeted country, with 121 targeted apps. The United Kingdom comes second with 55 apps, followed by Italy (43), Turkey (34), Australia (33), and France (31).
Teabot is the Trojan that targets the most programs, accounting for 410 of the 639 tracked, while Exobot targets a substantial pool of 324 applications.
Walmart-backed PhonePe, which is popular in India and has over 100 million downloads from the Play Store, is the target application with the most downloads.
Binance, a prominent bitcoin exchange app with over 50 million downloads, and Cash App, a mobile payment service that operates in the US and the UK, with 50 million installations, too, are on the banking Trojan hitlist even though they do not provide traditional banking services. BBVA, a global online banking platform with tens of millions of downloads, is the most widely targeted application. Seven of the ten most active banking Trojans target this app.
Most prevalent trojans
According to Zimperium, the following banking Trojans were the most prevalent in the year's first quarter.
Bian Lian
It targets Binance, BBVA, and several Turkish apps. In April 2022, a new variant of the malware was discovered that bypasses photoTAN, considered a robust authentication mechanism in online banking.
Cabassous
It targets Barclays, CommBank, Halifax, Lloyds, and Santander. It employs the domain generation algorithm (DGA) to avoid discovery and removal.
Coper
BBVA, Caixa Bank, CommBank, and Santander are all targets for Coper. It actively checks the "allowlist" of device battery optimization and adjusts it to exempt itself from constraints.
EventBot
It attacks Barclays, Intensa, BancoPosta, and other Italian apps. It disguises itself as Microsoft Word or Adobe Flash and can download new malware modules from external sources.
Exobot
Its targets are PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank. It is tiny and light because it leverages shared system libraries and only retrieves overlays from the C2 when necessary.
FluBot
BBVA, Caixa, Santander, and other Spanish apps are its targets. This botnet virus was infamous for quick dissemination via SMS and compromised devices’ contact lists.
Medusa
It aims at BBVA, CaixaBank, Ziraat, and various Turkish bank apps. It can commit on-device fraud by misusing the accessibility service to pose as a regular user.
Sharkbot
Targets Binance, BBVA, and Coinbase. It includes a comprehensive set of detection evasion and anti-deletion measures and strong C2 communication encryption.
Teabot
PhonePe, Binance, Barclays, Crypto.com, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase are among its prominent targets. It has a unique keylogger for each program that loads when the user runs it.
Xenomorph
It attacks BBVA and other EU-based financial apps. It can also be a dropper to download more malware onto the victim system.
Final thoughts
Each of these banking trojans retains its relatively narrow targeting scope, ensuring that the ecosystem is balanced and that operatives can select the tool that best matches their target demographic. The best way to keep your smartphones safe is by keeping them up to date. Try to only download apps from the Google Play Store, read user reviews, visit the developer's website, and keep the number of installed apps on your device to a minimum.