Tuesday, July 23, 2024

New Malicious dropper Spreading Dangerous “Bankbot” Banking Malware via Google Play store

Two new campaigns using a malicious dropper to inject bankbot Banking Malware via play store apps and campaigns are dropping two different types of Banking Trojan.

This Bankbot Trojan distribution has been analyzed through one of a Playstore application called Tornado FlashLight.

Bankbot Malware Basically considering as too Risky one when its behavioral Intelligence Mimics as legitimate with existing Banking application and create a fake overlay which helps to steal the Credentials from Victims.

The first campaign drops a Bankbot malware and security one drops some different type of banking trojan that performs Android-based bank information stealer with legitimate-looking and with delayed onset of malicious activity.

Previously Discovered Bankbot malware contains more stealthy futures and more sophisticated functionality which performs background unknown clicks and performing app installation from unknown sources.

New dropped Bankbot trojan variant doesn’t perform any automatic tricks but if the user enables the unknown resources, then the user will promote to install the bankbot Malware.

Also Read:  New Banking Trojan Steal Money From Bank Accounts by Abusing Windows OS

How Does this Banking Malware Work

Initially, Dropper app and Malware downloaded and installed from third party location to the victims mobile.

Tornado FlashLight dropper (com.andrtorn.app) not discovered by Google’s Play Protect and it running by without interface unless the device is running suitable security software.

Once Dropper started to dropping the Malware, it will check all installed application against 160 Hardcoded apps.

if its find one or more of the targeted apps are installed when the dropper app is closed, it will start the service with dropper functionality.

Later, Dropper will check the device boot and once it succeeds then it will start the services and asking permission to gain admin access from the victim.

Once it obtains the admin level permission then it will Download the Bankbot Malware dropper from Command & Control Server (hxxp://

Downloaded malware will be triggered 2 hours after when the admin permission will be granted by the victim.

According to SfyLabs,Once the download is completed, the dropper will try to install the APK, using the standard Android mechanism to install applications from outside the Google Play store. Besides requiring unknown sources to be already enabled, this install method requires the user to press a button to continue the installation.

Later Dropper malware started by the dropper and listed banking apps with overlays trying to steal user credentials to perform fraud.


Latest articles

Beware Of Dating Apps Exposing Your Personal And Location Details To Cyber Criminals

Threat actors often attack dating apps to steal personal data, including sensitive data and...

Hackers Abusing Google Cloud For Phishing

Threat actors often attack cloud services for several illicit purposes. Google Cloud is targeted...

Two Russian Nationals Charged for Cyber Attacks against U.S. Critical Infrastructure

The United States has designated Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, two members...

Threat Actors Taking Advantage of CrowdStrike BSOD Bug to Deliver Malware

Threat actors have been found exploiting a recently discovered bug in CrowdStrike's software that...

NCA Shut’s Down the Most Popular “digitalstress” DDoS-for-hire Service

The National Crime Agency (NCA) has successfully infiltrated and dismantled one of the most...

Play Ransomware’s Linux Variant Attacking VMware ESXi Servers

A new Linux variant of Play ransomware targets VMware ESXi environments, which encrypts virtual...

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles