New Android Banker

Over the last month, several samples have been detected of what appears to be a new banking trojan for Android. This potential new family shares certain similarities with Cerberus and Eventbot, although it does not seem to be either of them because of some key differences, such as the encryption applied to the data exchanged with the command-and-control server and the set of commands the server can execute on the infected device.

We have discarded the possibility that it is a new iteration of either of these two families, since it lacks one of the characteristics that most complicates their analysis: the encryption and obfuscation of text strings. In the case of Eventbot, we have recently detected samples that go a step further in string encryption and obfuscation, as already mentioned on our blog, so these samples cannot be a new version of that family.

It does not feature any significant new developments compared with the other Android banker families, and credential theft follows the usual pattern: injections displayed through overlays. As soon as the user opens the legitimate banking application, or any other targeted non-banking application, the trojan detects the launch through the accessibility service it registers (which the victim has to be persuaded to enable, since Android only activates accessibility services through the Settings app) and draws an overlay on top of it: a phishing page closely mimicking the login form of the application being impersonated. The accessibility service learns which package has come to the foreground from the window-state-change events it receives, so no special permission beyond accessibility is needed to identify the target app.

Credential theft is this family's main functionality, as is the case with other Android banking malware families such as Cerberus, Anubis Bankbot, GINP or Eventbot. However, like most malware families, it also includes functionality that goes beyond credential theft: the theft of received and sent text messages, the sending of spam messages to the victim's contacts, and even an SMS flood attack that uses the infected device to overload a phone number chosen by the attacker.


In addition to the usual overlay strategy, this malware also includes keylogger functionality, again built on the accessibility service. The service listens for text-change events on text fields, reads the new content from the event and sends it to the control server.

In this way it can steal not only the credentials of any installed application but any other information the victim ends up typing on the device, regardless of whether an overlay for that application exists.
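The capabilities described above (an accessibility service used to detect app launches and to keylog, an overlay for the phishing injection, and SMS/contacts access for message theft, spam and flooding) leave a recognisable footprint in a sample's manifest and on an infected device. The following Python script is an added triage example, not code from the post or from buguroo: it scores a decoded AndroidManifest.xml against that indicator set and parses the device's enabled_accessibility_services setting to flag services outside an allowlist. The manifest, package names and setting value are constructed for illustration.

```python
"""Static and device-side triage for the indicator set described in the post:
accessibility service (overlay trigger + keylogger), overlay permission,
SMS and contacts permissions.  All sample inputs below are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND_PERM = "android.permission.SEND_SMS"
CONTACTS_PERM = "android.permission.READ_CONTACTS"

# Constructed decoded manifest (as apktool would emit) for a hypothetical sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashplayer">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".svc.AccessSvc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary SMS client: SMS permissions but no
# accessibility service and no overlay, so it should not score as a banker.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsclient">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application/>
</manifest>
"""


def manifest_indicators(xml_text):
    """Map manifest declarations to the capabilities a banker needs."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

    # A service acts as an accessibility service when it binds with
    # BIND_ACCESSIBILITY_SERVICE and/or handles the AccessibilityService action.
    a11y = []
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if (svc.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY
                or ACCESSIBILITY_ACTION in actions):
            a11y.append(svc.get(ANDROID_NS + "name"))

    caps = []
    if a11y:
        caps.append("keylogging")             # text-change events reach the service
        if OVERLAY_PERM in perms:
            caps.append("overlay_injection")  # launch detection + overlay window
    if perms & SMS_READ_PERMS:
        caps.append("sms_read")               # theft of received/stored messages
    if SMS_SEND_PERM in perms:
        caps.append("sms_send")               # spam and SMS flooding
        if CONTACTS_PERM in perms:
            caps.append("contact_spam")       # spam to the victim's contacts
    verdict = "review" if "overlay_injection" in caps or len(caps) >= 3 else "low"
    return {"package": root.get("package"), "accessibility_services": a11y,
            "capabilities": caps, "verdict": verdict}


# Constructed value of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated package/class pairs; the class may be package-relative (".Foo").
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.flashplayer/.svc.AccessSvc")


def parse_enabled_services(setting_value, allowlist=frozenset()):
    """Return each enabled accessibility service, flagging unknown packages."""
    found = []
    for item in setting_value.strip().split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # shorthand class name relative to the package
            cls = pkg + cls
        found.append({"package": pkg, "class": cls, "known": pkg in allowlist})
    return found


if __name__ == "__main__":
    print(manifest_indicators(SAMPLE_MANIFEST))
    print(manifest_indicators(BENIGN_MANIFEST))
    for entry in parse_enabled_services(SAMPLE_SETTING, {"com.google.android.marvin.talkback"}):
        print(entry)
```

The heuristic is a triage aid, not a verdict: screen readers, SMS clients and automation tools legitimately declare the same permissions, and a banker can also request the overlay permission at run time rather than rely on the manifest alone. The device-side check is the one worth running first during incident response, since an accessibility service the user does not recognise is the single strongest indicator of this family of malware.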


Posted by David Morán

David has more than 15 years' experience in cybersecurity, systems and development, starting out in a now-defunct hacking team known as Badchecksum. He collaborated at Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network, which handled a traffic load of over 12 Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis and cyber intelligence. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits, as well as malware for Windows environments. He is currently the head of buguroo's development team, managing task distribution and negotiating with the Head of Technology.
