DALLAS–A new report examines 10 prolific banking trojans that are targeting Android mobile apps of users worldwide, as the threat from such trojans continues to grow.
The report, from Zimperium, said all of the financial application targets reviewed are available through the Google Play Store, with the analysis detailing what makes each malware family different and particularly malicious.
As the name implies, banking trojans are malicious applications that are disguised in some way to trick a potential victim into believing they are legitimate. They can be hidden in apps such as productivity tools or games, waiting for the right time to deploy, especially on mobile devices.
“Mobile users and their finances are increasingly at risk of theft by these digital robbers behind banking trojans and financial services,” Zimperium said in the preface to its report. “No region is immune from these attacks, and as banking trojans continue to go through developmental updates with new features and capabilities, both the users and financial institutions continue to be at risk to this global economic threat.”
Zimperium said its research team analyzes several hundred thousand applications each day with state-of-the-art machine learning models and other proprietary techniques. That analysis formed the basis for the report.
Country Summary
First, the report examined threats in various countries, with the text below drawn from the report.
- Australia: 26 of the 53 Australian banks manage 34 mobile banking apps with over 12,752,000 downloads from the Google Play Store. Fourteen of these banking apps are targeted by three or more banking trojans.
- New Zealand: While banking trojans target only 1 in 5 New Zealand bank apps, these apps account for 2,605,000 downloads, more than half the nation’s population.
- United States: Accounting for over 286,753,500 downloads from the Google Play Store, 121 US-based financial applications, including blockchain wallets and payment apps, are targeted by banking trojans.
- United Kingdom: With more than 106,260,000 downloads, 55 United Kingdom-based mobile financial applications, including crypto exchanges and investment applications, are targeted by banking trojans. This is the highest number of one country’s financial applications targeted in all of Europe.
- France: 31 French-based financial applications with over 51,390,000 downloads from the Google Play Store are highly targeted by ExobotCompact.D/Octo and Teabot banking trojans.
- United Arab Emirates: Of the 22 local institutions in the United Arab Emirates, nine banks with 13 applications are directly targeted by banking trojans.
- Germany: 15 German-based financial applications with over 12,510,000 downloads are targeted by ExobotCompact.D/Octo, Bianlian Botnet, and Teabot.
- Spain: ABANCA Corporación Bancaria, S.A. has six apps with 1,140,000 downloads, all targeted by ExobotCompact.D/Octo, with half targeted by Xenomorph and Medusa.
- Turkey: With over 95,760,000 downloads, 33 Turkish-based financial applications are all targeted by ExobotCompact.D/Octo, with 30% also targeted by Medusa.
- Switzerland: 19 Swiss financial applications in both the banking and cryptocurrency space account for 9,250,000 downloads. All are exclusively targeted by Teabot.
Key Observations
According to Zimperium, key findings in the report include:
- Investment Applications: Of the 639 applications covered in this report, 50 are related to investing in stocks, cryptocurrency, or portfolio management. Those 50 applications account for over 285,000,000 downloads from the Google Play Store, with Teabot targeting most of them, followed by ExobotCompact.D/Octo.
- Teabot is targeting 410 of the 639 applications tracked, Zimperium stated.
- ExobotCompact.D/Octo targets 324 of the 639 applications tracked and is the only one targeting popular, non-financial applications for credential theft.
- The targeted mobile banking, investment, payment, and cryptocurrency apps in this report have been downloaded over 1,012,452,500 times from the Google Play Store globally, according to the report.
- The most targeted mobile banking application is BBVA Spain | Online Banking, with over 10 million downloads. This one application is the target of six of the ten reported banking trojans (Medusa, Xenomorph, Coper, FluBot, ExobotCompact.D/Octo, and Sharkbot), Zimperium said.
- India’s PhonePe mobile application has the largest attack surface for banking trojans to target, with over 100,000,000 downloads from the Google Play Store.
- Sharkbot is only targeting four financial applications with over 70.5 million downloads, including two of the largest cryptocurrency trading services in the world.
Top Targeted Financial Apps
According to the Zimperium analysis, the top nine targeted mobile financial apps cover banks, investing, payments, and cryptocurrency with more than 260 million total downloads from the Google Play Store.
Three French-based banks (La Banque Postale, Ma Banque, Caf - Mon Compte) are in the top nine and account for 30,000,000 downloads. India’s PhonePe mobile financial app presents the largest target based on the number of downloads out of all the tracked, targeted applications.
The top 3 mobile financial apps targeted by trojans focus on mobile payments and alternative asset investments, like cryptocurrency and gold. These three apps account for over 200,000,000 downloads globally.
Mobile Banking Trojan Capabilities
According to Zimperium, “when it comes to the banking trojans disseminated today, there tends to be a mix of both old and novel techniques. Cyber attackers deliver a core set of capabilities that are common across most trojans. However, they’ll also add a mix of unique capabilities to more effectively pursue their objectives, whether that’s to evade detection better, fool more victims, or better tailor their focus to a specific bank, geography or target.”
Zimperium noted many banking trojans share common characteristics and capabilities:
Dissemination. “Many trojans are spread through app stores. Others are spread through SMS messages purporting to be from a recognized entity.”
Deception. “To deceive potential victims, cyber attackers exploit consumers’ familiarity and trust in name brands. They often try to make their messages and web pages appear as if they’re coming from banks, as well as shippers, communication apps vendors, and entertainment sites. They use this approach to lure unsuspecting targets to click on malicious links and download malware.”
Exploitation. “Upon installation, many trojans request accessibility services, which can be used to steal login credentials through keylogging or to grant permission to malicious apps automatically. They can employ overlay attacks, pointing a victim to a fake banking login page that can be used to steal the credentials entered.”
Communication and Control. “Trojans often interact with command-and-control servers, to share stolen data and establish remote control over devices. Trojans can also perform real-time screen capture with servers. They can generate and receive SMS messages, locate and spam contacts, and more.”
Evasion. “To evade detection, trojans often attempt to hide the app icon from the operating system’s launcher, so users are less likely to discover the trojan’s existence. They may also disable or take steps to avoid detection by mobile anti-malware applications. A small number also take steps to avoid being uninstalled if detected by the victim.”
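A defender-side triage check for the capabilities listed above, added here as an example and not taken from the Zimperium report: it reads a decoded AndroidManifest.xml (for example, as produced by apktool) and flags an accessibility service declared together with overlay, SMS or contact permissions. The sample manifests, package names and the `triage` function are constructed for illustration; the result only prioritizes apps for manual review.

```python
import xml.etree.ElementTree as ET  # for untrusted input prefer the defusedxml package

NS = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Manifest permissions mapped to the capabilities quoted above.
PERMISSION_SIGNALS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
            "android.permission.READ_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
}

# Constructed sample manifests (decoded XML form), not taken from any real app.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Helper" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

SCREEN_READER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.reader">
  <application>
    <service android:name=".Reader" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage(manifest_xml):
    """Return which capability signals a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    signals = sorted(k for k, wanted in PERMISSION_SIGNALS.items() if perms & wanted)
    a11y = any(s.get(NS + "permission") == BIND_A11Y for s in root.iter("service"))
    # An accessibility service alone is legitimate (screen readers); the
    # combination with overlay, SMS or contact access is what merits review.
    # Icon hiding usually happens at runtime and is not visible in the manifest.
    return {"package": root.get("package"), "accessibility_service": a11y,
            "signals": signals, "needs_review": a11y and bool(signals)}


if __name__ == "__main__":
    for sample in (SUSPECT, SCREEN_READER):
        print(triage(sample))
```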
Teens at Risk
Zimperium, which offers a Mobile Application Protection Suite (MAPS) it says allows mobile application developers to effectively develop and secure their mobile banking apps against the variety of attacks and malware deployed by attackers and criminals, noted that three out of four Americans (193 million) are now using banking apps to perform daily banking activities such as depositing checks, viewing account balances, or transferring financial assets, making them an active target for banking trojans.
“And nearly half of teens (48%) use mobile or websites to manage their money, putting their personally identifiable information (PII) at risk without them or their guardians ever knowing,” the company added. “Seventy-one percent of teens in the same survey mentioned concerns about their credit scores, showing remarkable financial awareness at such an early age,” even though they are often “unaware that cybercriminals could easily wreak havoc on their scores before they ever enter the workforce…”
For more details on the specific findings, including details around the banking trojans, go here.
