Monday, May 19, 2025
HomeMalwareNew Malicious dropper Spreading Dangerous "Bankbot" Banking Malware via Google Play store

New Malicious dropper Spreading Dangerous “Bankbot” Banking Malware via Google Play store

Published on

SIEM as a Service

Follow Us on Google News

Two new campaigns using a malicious dropper to inject bankbot Banking Malware via play store apps and campaigns are dropping two different types of Banking Trojan.

This Bankbot Trojan distribution has been analyzed through one of a Playstore application called Tornado FlashLight.

Bankbot Malware Basically considering as too Risky one when its behavioral Intelligence Mimics as legitimate with existing Banking application and create a fake overlay which helps to steal the Credentials from Victims.

- Advertisement - Google News

The first campaign drops a Bankbot malware and security one drops some different type of banking trojan that performs Android-based bank information stealer with legitimate-looking and with delayed onset of malicious activity.

Previously Discovered Bankbot malware contains more stealthy futures and more sophisticated functionality which performs background unknown clicks and performing app installation from unknown sources.

New dropped Bankbot trojan variant doesn’t perform any automatic tricks but if the user enables the unknown resources, then the user will promote to install the bankbot Malware.

Also Read:  New Banking Trojan Steal Money From Bank Accounts by Abusing Windows OS

How Does this Banking Malware Work

Initially, Dropper app and Malware downloaded and installed from third party location to the victims mobile.

Tornado FlashLight dropper (com.andrtorn.app) not discovered by Google’s Play Protect and it running by without interface unless the device is running suitable security software.

Once Dropper started to dropping the Malware, it will check all installed application against 160 Hardcoded apps.

if its find one or more of the targeted apps are installed when the dropper app is closed, it will start the service with dropper functionality.

Later, Dropper will check the device boot and once it succeeds then it will start the services and asking permission to gain admin access from the victim.

Once it obtains the admin level permission then it will Download the Bankbot Malware dropper from Command & Control Server (hxxp://138.201.166.31/kjsdf.tmp).

Downloaded malware will be triggered 2 hours after when the admin permission will be granted by the victim.

According to SfyLabs,Once the download is completed, the dropper will try to install the APK, using the standard Android mechanism to install applications from outside the Google Play store. Besides requiring unknown sources to be already enabled, this install method requires the user to press a button to continue the installation.

Later Dropper malware started by the dropper and listed banking apps with overlays trying to steal user credentials to perform fraud.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

New Phishing Attack Poses as Zoom Meeting Invites to Steal Login Credentials

A newly identified phishing campaign is targeting unsuspecting users by masquerading as urgent Zoom...

New Hannibal Stealer Uses Stealth and Obfuscation to Evade Detection

A newly identified piece of malware, dubbed the "Hannibal Stealer," has emerged as a...

Chinese APT Hackers Target Organizations Using Korplug Loaders and Malicious USB Drives

Advanced persistent threat (APT) groups with ties to China have become persistent players in...

Cache Timing Techniques Used to Bypass Windows 11 KASLR and Reveal Kernel Base

Cache timing side-channel attacks have been used to circumvent Kernel Address Space Layout Randomization...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Hannibal Stealer Uses Stealth and Obfuscation to Evade Detection

A newly identified piece of malware, dubbed the "Hannibal Stealer," has emerged as a...

Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

Cybersecurity researchers have unearthed a sophisticated attack leveraging AutoIT, a long-standing scripting language known...

Skitnet Malware Employs Stealth Techniques to Execute Payload and Maintain Persistence Techniques

A new and highly sophisticated multi-stage malware, known as Skitnet (or Bossnet), has been...