Cyber threat researchers have identified some of the most prolific mobile banking Trojans, which together target 639 financial applications available on the Google Play Store that have been cumulatively downloaded over 1.01 billion times. Some of the most targeted apps include Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf - Mon Compte, Postepay, and BBVA México. These apps alone account for more than 260 million downloads from the official app marketplace. Of the 639 apps tracked, 121 are based in the U.S., followed by the U.K. (55), Italy (43), Turkey (34), Australia (33), France (31), Spain (29), and Portugal (27).

The Trojan TeaBot targets 410 of the 639 applications tracked, investigators noted in a recent analysis of Android threats during the first half of 2022. The TeaBot malware, also known as Anatsa or Toddler, includes RAT (Remote Access Trojan) capabilities that allow threat actors to conduct "on-device fraud" (account takeover) and steal victims' credentials and SMS messages, all while remaining under the radar.

Since first being tracked by threat intelligence at the beginning of 2021, TeaBot has been observed to evolve continually, widening its global scope and targeting over 400 applications across the globe. In the past few months, TeaBot has started to support new languages such as Slovak, Russian, and Mandarin Chinese to appear more legitimate, and has adopted "string obfuscation" to strengthen its evasion techniques and avoid detection by anti-malware suites.
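The string obfuscation mentioned above is a static-analysis problem for defenders: once an APK's string constants are replaced with blobs that are only decoded at runtime, signature matching on plaintext strings stops working, but the blobs themselves leave a statistical trace. The following is an added triage example, not code from the report or from any vendor: it scores a pool of string constants (here two constructed sample pools, one benign and one obfuscated, standing in for strings pulled from a decompiled APK) on the fraction of high-entropy, encoding-alphabet-only strings and on how uniform their lengths are, since obfuscators often emit fixed-width blobs. The thresholds (`min_entropy = 3.0`, 50% encoded fraction, 0.5 uniformity) are assumptions chosen for the sample data, not published detection values.

```python
import math
import re
from collections import Counter
from typing import Iterable

# Constructed sample inputs (not taken from the report): string constants as a
# triage tool might pull them out of a decompiled APK's string pool.
BENIGN_STRINGS = [
    "Welcome back", "Transfer funds", "Enter your PIN", "Settings",
    "Your balance is", "Recent transactions", "Log out", "Help & support",
]
OBFUSCATED_STRINGS = [
    "q9Xk2LpZv7mR", "T4bNw8sYcQ1e", "Lm3vRz0KpX9h", "Zc7Qe1tHy5Wn",
    "Settings", "u2Jd8KfP4xAs", "Gh5Nq0LrV3Bm", "Yw1Pt6MzC8Ke",
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


# Alphabet typical of Base64/URL-safe/hex blobs; at least 8 characters, no whitespace.
_ENCODED_ALPHABET = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")


def looks_encoded(s: str, min_entropy: float = 3.0) -> bool:
    """Heuristic (assumed threshold): a string drawn only from an encoding-style
    alphabet with high per-character entropy is likely a runtime-decoded constant.
    Plain UI text such as "Settings" matches the alphabet but has low entropy."""
    return bool(_ENCODED_ALPHABET.match(s)) and shannon_entropy(s) >= min_entropy


def obfuscation_score(strings: Iterable[str]) -> dict:
    """Score a string pool on two signals:
    - encoded_fraction: share of strings that look like encoded blobs
    - length_uniformity: 1/(1+stddev of blob lengths), near 1.0 for fixed-width output
    'suspicious' combines both; it is a triage flag, not a verdict, because
    minified resource IDs, hashes and API keys in benign apps trigger the same signals."""
    strings = [s for s in strings if s]
    if not strings:
        return {"encoded_fraction": 0.0, "length_uniformity": 0.0, "suspicious": False}
    encoded = [s for s in strings if looks_encoded(s)]
    frac = len(encoded) / len(strings)
    if len(encoded) >= 2:
        lengths = [len(s) for s in encoded]
        mean = sum(lengths) / len(lengths)
        var = sum((length - mean) ** 2 for length in lengths) / len(lengths)
        uniformity = 1.0 / (1.0 + math.sqrt(var))
    else:
        uniformity = 0.0
    return {
        "encoded_fraction": round(frac, 3),
        "length_uniformity": round(uniformity, 3),
        "suspicious": frac >= 0.5 and uniformity >= 0.5,
    }


if __name__ == "__main__":
    for label, pool in (("benign", BENIGN_STRINGS), ("obfuscated", OBFUSCATED_STRINGS)):
        print(label, obfuscation_score(pool))
```

In practice the string pool would come from a decompiler's output for each class, so the score can be computed per class and the classes carrying the decoder routine stand out; the heuristic generalizes to any obfuscator that emits uniform encoded blobs, not only the one the report attributes to TeaBot.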

Octo is an Android banking Trojan. It is closely related to another banking Trojan, ExobotCompact, which was active until 2018 and targeted financial institutions. The Octo banking Trojan has a remote access capability and uses anti-detection and anti-removal techniques. Octo targets 324 of the 639 applications tracked and is the only one of the families that also targets popular non-financial applications for credential theft.

Aside from TeaBot (Anatsa) and Octo (Exobot), other prominent banking Trojans include BianLian, Coper, EventBot, FluBot (Cabassous), Medusa, SharkBot, and Xenomorph. FluBot is considered to be an aggressive variant of Cabassous, and is notorious for hitching its distribution apparatus to serve Medusa, another mobile banking Trojan that can gain near-complete control over a user's device. In June 2022, Europol announced the dismantling of the infrastructure behind FluBot.

These malicious remote access tools, posing as legitimate app store offerings, are designed to target mobile financial applications in an attempt to carry out on-device fraud and siphon funds directly from the victim's accounts.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com 


Weekly Cyber Intelligence Briefings:


Reporting:   https://www.redskyalliance.org/
Website:     https://www.wapacklabs.com/
LinkedIn:    https://www.linkedin.com/company/64265941


REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516


Article: TR-22-161-002.pdf
