Mobile Banking Trojan

Top 10 Mobile Banking Trojans Bots and their Consequences

Top 10 mobile banking trojans have targeted 639 financial apps accessible on the Google Play Store, which have been downloaded over 1.01 billion times in total.

Walmart-backed PhonePe, Binance, Cash App, Garanti BBVA Mobile, La Banque Postale, Ma Banque, Caf – Mon Compte, Postepay, and BBVA México are among the most targeted applications. These applications alone have received over 260 million downloads from the official app store.

The United States has 121 of the 639 apps monitored, followed by the United Kingdom (55), Italy (43), Turkey (34), Australia (33), France (31), Spain (29), and Portugal. (27).

Overview of Major Mobile Banking Trojans


“TeaBot is targeting 410 of the 639 applications tracked,” Zimperium said in a new analysis of Android threats in the first half of 2022. “Octo targets 324 of the 639 applications tracked for credential theft and is the only one targeting popular, non-financial applications.”

Other notable financial trojans include BianLian, Coper, EventBot, FluBot (Cabassous), Medusa, SharkBot, and Xenomorph, in addition to TeaBot (Anatsa) and Octo (Exobot).


BianLian is a ransomware-type malicious software. It was created using the Go computer language. When we ran a sample of BianLian on our test computer, it encrypted files and appended a “.bianlian” extension to their names.

To illustrate, a file named “1.jpg” became “1.jpg.bianlian,” “2.png” became “2.png.bianlian,” and so on. When this procedure was completed, a ransom letter titled “Look at this instruction.txt” was placed on the desktop. The text makes it clear that this ransomware employs double extortion methods and targets businesses rather than individual users. BianLian deleted itself after its operations were finished.

Researchers have found that the BianLian ransomware has been used in attacks against well-known organizations operating in the BFSI (Banking, Financial Services and Insurance), Education, Healthcare, Media and Entertainment, Manufacturing, and other spheres.


FluBot is also thought to be an aggressive Cabassous variant, not to mention infamous for tying its distribution wagon to Medusa, another mobile banking trojan capable of gaining near-complete control over a user’s device. Europol stated last week that the infrastructure behind FluBot would be decommissioned.


Get Legit Cash App Money Transfer  Now

What you can achieve with our Cashapp transfer service is unlimited unless you don’t know how to do business or probably spend money.


  • Cashtag $name
  • Cashapp Email
  • Cashapp Account Holder’s Full Name (To help us send with description to the holder)
  • Let us know of any specific instructions you will want us to add to your transfer, but if there are none then we will handle it


Octo (Exobot)

Octo banking Trojan has a remote access capability and uses anti-detection and anti-removal techniques. The remote access capability allows cybercriminals behind Octo to perform on-device fraud (to initiate transactions from the infected device). However, this cannot happen without users enabling Accessibility Services.

It is known that Octo can capture screen contents in real-time, perform overlay attacks on banking and other apps, and log keystrokes. These features allow the attackers to capture entered credentials, a lock pattern or PIN used to unlock the device, and websites in the Chrome browser. Also, they allow them to gather information about clicked elements (and capture all clicks/taps made with the device) and steal contacts.

Moreover, Octo malware can receive commands from the C2 server to block push notifications from specified apps, disable and enable SMS interception, stop the Trojan, open websites, show push notifications, launch apps, send text messages, and more.


EventBot is an mobile banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications. EventBot was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.

The malware, named EventBot by researchers at security firm Cybereason, masquerades as a legitimate Android app — such as Adobe Flash or Microsoft Word for Android — and exploits Android’s built-in accessibility features to gain deep access to the device’s operating system.

Once installed — by an unsuspecting user or a malicious person with access to a victim’s phone — the EventBot-infected fake app quietly siphons off passwords for more than 200 banking and cryptocurrency apps, including PayPal, Coinbase, CapitalOne, and HSBC, as well as intercepts and two-factor authentication text message codes.

With a victim’s password and two-factor code, the hackers can break into bank accounts, apps and wallets, and steal a victim’s funds.


This mobile banking trojan which was first found targeting Turkish bank accounts in July 2020, has gone through several iterations, the most notable of which is the ability to abuse Android accessibility permissions to siphon funds from banking apps to an account controlled by the attacker.

“Medusa has other dangerous features like keylogging, accessibility event logging, and audio and video streaming — all of these capabilities provide actors with nearly full access to [a] victim’s device,” the researchers said.

To infect the devices, malware-infected applications masquerade as DHL and Flash Player apps. Furthermore, recent Medusa attacks have expanded their scope beyond Turkey to include Canada and the United States, with the operators running numerous botnets for each of their campaigns.

Coper Bot

Coper as a mobile banking trojan can send Unstructured Supplementary Service Data (USSD) requests, send SMS messages (and intercept them), lock and unlock the device screen, display push notifications, perform overlay attacks (display deceptive windows on specified apps), open URLs and run apps.

Also, Coper can log keystrokes (record data entered with a keyboard of the infected device), remove specified apps and remove itself (and its dropper). Additionally, certain Copper’s droppers ask for permission to access various features, add voicemails, call phone numbers, read and write from and to external storage, modify system settings, and access and read SMS messages.

It is known that Coper targets banking applications in Europe, Australia, and some parts of South America. It is known that it is impersonating apps called Bancolombia Personas and poses as a Google Play Store application. This malware attempts to reinstall itself after removal.

Get Legit Cash App Money Transfer  Now

What you can achieve with our Cashapp transfer service is unlimited unless you don’t know how to do business or probably spend money.


  • Cashtag $name
  • Cashapp Email
  • Cashapp Account Holder’s Full Name (To help us send with description to the holder)
  • Let us know of any specific instructions you will want us to add to your transfer, but if there are none then we will handle it


SharkBot gains control over a device by abusing the OS’s Accessibility Services. These functionalities are created to provide additional aid with reading/interacting with the device. Since the Android Accessibility Services include reading the screen (including typed data) and simulating/interacting with the touchscreen – SharkBot gains this level of control over compromised devices.

Following infiltration (if Android Accessibility Services are not enabled), this malware continuously displays pop-ups windows requesting permission to use these services. It can continue with its operations after being permitted.

The main goal of the SharkBot malware is to make monetary transactions via the Automatic Transfer Systems (ATS) feature. It allows cybercriminals to auto-fill form fields in banking apps and transfer money without needing to log in and bypassing 2FA. That feature can also be used to install other malicious applications.

Xenomorph malware

Cyber Security researcher  who analyzed the code, found it to be similar to the Alien banking trojan. This could mean it’s the next version of the Alien trojan or simply worked on by the same developer(s).

Currently it’s been seen targeting bank users in Belgium, Italy, Portugal and Spain. It is believed to have already infected more than 50,000 devices and has been distributed via the Google play store, more on that later. The goal is to steal your bank credentials, take over your accounts and perform unauthorized transactions. Then even sell on your login credentials on the dark web.

While disguised as benign-looking apps, these malicious remote access tools are intended to target mobile financial applications in an effort to commit on-device fraud and siphon funds directly from the victim’s accounts.

Furthermore, the rogue apps have the ability to avoid detection by frequently hiding their icons from the home screen, and they have been known to record keystrokes, capture clipboard data, and abuse accessibility services permissions in order to pursue their objectives such as credential theft.

Overlay attacks are used to direct a victim to a fake banking login page that appears atop genuine financial apps and can be used to steal the credentials entered.

Consequences of Mobile Banking Trojan Attacks

Such attacks can result in everything from data theft and financial fraud to regulatory fines and a loss of customer confidence.

“Over the last decade, the financial industry has completely shifted to mobile for banking, payments, and stock trading,” the researchers wrote. “While this transition provides consumers with increased convenience and new options, it also introduces novel fraud risks.”

Click Here to Get Legit Cash App Money Transfer


Get $500 Cashapp Get $750 Cashapp | Get $1k Cashapp | Get $2k Cashapp Get $5k Cashapp  | Get $4k CAshapp 

cashapp flip legit store

Leave a Comment

Your email address will not be published. Required fields are marked *