Surge in Android Banking Trojans: Four Campaigns Identified

Severity: High (Score: 69.5)

Sources: Scworld, blog.google, attack.mitre.org, Zimperium

Summary

Zimperium's zLabs has reported a significant increase in Android Banking Trojan activity, identifying four distinct campaigns: RecruitRat, SaferRat, Astrinox, and Massiv. These campaigns use advanced Command-and-Control (C2) frameworks to steal credentials, execute unauthorized financial transactions, and exfiltrate data from over 800 applications in the banking, cryptocurrency, and social media sectors. The trojans employ anti-analysis techniques and APK tampering, achieving near-zero detection rates against traditional security measures. Attackers exploit human psychology through deceptive tactics, such as fake system updates and enticing offers, to gain initial access. Distribution methods vary: SaferRat uses phishing websites for fake streaming services, while RecruitRat masquerades as legitimate job opportunities. The threat landscape for mobile banking has evolved, requiring heightened vigilance from users and security professionals alike.

Key Points:

  • Four active Android Banking Trojan campaigns identified: RecruitRat, SaferRat, Astrinox, and Massiv.
  • These campaigns target over 800 applications across banking, cryptocurrency, and social media.
  • Sophisticated social engineering tactics are used to lure victims into downloading malicious APKs.

Key Entities

  • Apt-c-23 (apt_group)
  • Bitter (apt_group)
  • CherryBlos (apt_group)
  • FjordPhantom (apt_group)
  • FluBot (apt_group)
  • Brata (malware)
  • Chameleon (malware)
  • GodFather (malware)
  • LightSpy (malware)
  • Pegasus (malware)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • Trojan (attack_type)
  • Operation Triangulation (campaign)
  • Poland (country)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • com.google.android.gm (domain)
  • java.net (domain)
  • Financial (industry)
  • T1016 - System Network Configuration Discovery (mitre_attack)
  • T1027 - Obfuscated Files Or Information (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1056 - Input Capture (mitre_attack)
  • Android (platform)
  • Apple App Store (platform)
  • Google Play (platform)
  • Google Play Store (platform)
  • Instagram (platform)
  • YouTube (company)
  • Android Accessibility Services (tool)
  • Android DevicePolicyManager (tool)
  • DexClassLoader (tool)
  • Java Reflection (tool)
  • Netcfg (tool)