Banking Trojans Targeting Popular Financial Apps

Read More

Mobile banking Trojans frequently hide behind seemingly harmless programs like productivity tools and games and infiltrate the Google Play Store, Android's official app store. The Trojans then place login pages on top of legitimate banking and finance apps to steal account passwords, monitor notifications to capture OTPs, and even commit on-device financial fraud by leveraging accessibility services to act like users. According to the Google Play Store, the top 10 Android mobile banking trojans are targeting 639 financial applications that have been downloaded over a billion times.

The most popular apps include: PhonePe, Binance,Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México.

According to a Zimperium analysis, which provided an overview of the Android ecosystem in the first quarter of 2021, each of these banking trojans has claimed a distinct market position based on the number of businesses they target and the features that distinguishes them from others. In the United States, three out of four respondents used banking applications for their regular banking transactions, providing a wealth of potential targets to these Trojans. 

Worst-hit by banking Trojans 

The United States is the most targeted country, with 121 targeted apps. The United Kingdom comes second with 55 apps, followed by Italy (43), Turkey (34), Australia (33), and France (31).

Teabot is the Trojan that targets the most programs, accounting for 410 of the 639 tracked, while Exobot targets a substantial pool of 324 applications. 

Walmart-backed PhonePe, which is popular in India and has over 100 million downloads from the Play Store, is the target application with the most downloads. 

Binance, a prominent bitcoin exchange app with over 50 million downloads, and Cash App, a mobile payment service that operates in the US and the UK, with 50 million installations, too, are on the banking Trojan hitlist even though they do not provide traditional banking services. BBVA, a global online banking platform with tens of millions of downloads, is the most widely targeted application. Seven of the ten most active banking Trojans target this app. 

Most prevalent trojans 

According to Zimperium, the following banking Trojans were the most prevalent in the year's first quarter. 

Bian Lian 

It targets Binance, BBVA, and several Turkish apps. In April 2022, a new variant of the malware was discovered that bypasses photoTAN, considered a robust authentication mechanism in online banking. 


It targets Barclays, CommBank, Halifax, Lloyds, and Santander. It employs the domain generation algorithm (DGA) to avoid discovery and removal. 


BBVA, Caixa Bank, CommBank, and Santander are all targets for Coper. It actively checks the "allowlist" of device battery optimization and adjusts it to exempt itself from constraints. 


It attacks Barclays, Intensa, BancoPosta, and other Italian apps. It disguises itself as Microsoft Word or Adobe Flash and can download new malware modules from external sources. 


Its targets are PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank. It is tiny and light because it leverages shared system libraries and only retrieves overlays from the C2 when necessary. 


BBVA, Caixa, Santander, and other Spanish apps are its targets. This botnet virus was infamous for quick dissemination via SMS and compromised devices’ contact lists. 


It aims at BBVA, CaixaBank, Ziraat, and various Turkish bank apps. It can commit on-device fraud by misusing the accessibility service to pose as a regular user.  


Targets Binance, BBVA, and Coinbase. It includes a comprehensive set of detection evasion and anti-deletion measures and strong C2 communication encryption. 


PhonePe, Binance, Barclays,, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase are among its prominent targets. It has a unique keylogger for each program that loads when the user runs it. 


It attacks BBVA and other EU-based financial apps. It can also be a dropper to download more malware onto the victim system. 

Final thoughts

Each of these banking trojans retains its relatively narrow targeting scope, ensuring that the ecosystem is balanced and that operatives can select the tool that best matches their target demographic. The best way to keep your smartphones safe is by keeping them up to date. Try to only download apps from the Google Play Store, read user reviews, visit the developer's website, and keep the number of installed apps on your device to a minimum. 

Featured Posts

See All

- Blog

London Drugs Gets Cracked By LockBit: Sensitive Employee Data Taken

In April 2024, London Drugs faced a ransomware crisis at the hands of LockBit hackers, resulting in theft of corporate files and employee records, and causing operational shutdowns across Canada.

- Blog

Q-Day And Harvest-Now-Decrypt-Later (HNDL) Attacks

Prime your knowledge about post-quantum encryption and risks it creates today via Harvest-Now-Decrypt-Later (HNDL) attacks.

- Blog

The Price vs. Cost of Dark Web Monitoring

Learn more about the price vs. cost of Dark Web Monitoring in 2024, as well as the launch of Packetlabs' Dark Web Investigators.