Overlays: The preferred technique for bankers in Android

Nine years have passed since the first banking malware for Android mobile devices was discovered. It was 2010, and just a year and a half had passed since the launch of HTC Dream, the first smartphone with Android as its operating system.

This first banking Trojan did not steal bank login credentials as such, but was responsible for stealing authorization codes for banking transactions sent to the user by SMS. It was baptized "Zitmo" (Zeus-in-the-mobile), as it was used together with the Zeus banking Trojan for Windows. Attackers stole login credentials through Zeus, while Zitmo allowed them to steal authorization codes to gain access to hacked accounts and authorize fraudulent transactions.


Banking malware evolution

Android has changed since Zitmo appeared, and attackers' techniques for stealing banking data from infected users have changed along with it. One very striking point is that it is currently difficult to find malware that is purely a banker. Instead, most banking Trojans are much more than that: complex, multi-functional Trojans that also handle SMS theft, contact theft, bulk SMS sending to contacts, ransomware, etc.

We have observed that over the years the operational scheme of banking malware has not changed much, but its complexity has. From the beginning, bank credential theft has been based on showing 'overlays', windows that open above the banking application's legitimate window. These fraudulent windows basically contain a form very similar to the original; their objective is for the user to enter their credentials, which are then sent to the control server.

Although banking malware for Android certainly exists, it should be noted that today's Android banking Trojans are really complete spy Trojans, with far more functionality than is needed to steal banking credentials. This is because malware authors do not usually seek to infect victims themselves; they want to sell their software to third parties, who can configure the functionalities that interest them in just a few steps and distribute the Trojan.


Credential theft with ‘overlays’

Among the most popular banking Trojans today are Anubis Bankbot and Cerberus. Other bankers whose popularity has declined are RedAlert and Marcher. New samples from the latter two have been very rare for months, while Anubis and Cerberus are up-and-coming Trojans at the moment.

The technique used by all Android banking Trojans to steal login credentials is based on displaying overlays. The malware obtains the complete list of applications installed on the device, something that is simple to do and does not require special permissions.

Once the installed applications have been identified, the Trojan can determine which of them to attack. Next comes the most complex part: detecting the moment at which the user launches one of the targeted applications. As soon as that happens, the malware opens a window that simulates the affected entity's own window and requests the account login credentials.

To detect the launch of a targeted application, banking Trojans usually implement an Android service. This service checks the list of active processes in the system over and over, to see whether any of the targeted applications is running at any given moment.

One of the ways Anubis obtains the list of active processes is through the Android API class 'UsageStatsManager'. Through this class, the malicious application can obtain the list of running processes and the last time each of them was in the foreground. With this information, the Trojan knows which application is in the foreground at all times.


Code responsible for obtaining the foreground application (Anubis)

By default, an application cannot access usage statistics unless it holds the 'PACKAGE_USAGE_STATS' permission (a special permission that the user must grant explicitly through the system settings), so the malware is obliged to request at least this permission.

Another usual permission is 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', which allows the malicious application to keep running regardless of the user's battery-saving settings. Remember that one of the problems for this type of malware is that it needs to keep a service constantly running to check the processes in execution.

Once it has detected that a targeted application is running, the malware quickly launches the phishing 'overlay'. Showing the 'overlay' does not require any complex tricks, since an 'Activity' can be launched just as in any other Android application. The only drawback for the attacker is that if the user presses the 'multitasking' button, they will see all open applications, including both the legitimate banking application and the malicious application's activity.


Code responsible for initializing the phishing 'WebView' (Anubis)

Most banking malware displays its false login form using a 'WebView'. This 'WebView' loads a phishing website hosted on the malware's control server, which simplifies the development of phishing windows and allows the style to be updated quickly if necessary.


Legitimate application

Fraudulent 'WebView'


Although most malware uses 'WebViews', some families also include native activities. One example is Marcher.

To achieve persistence in the system and start the malicious service every time the device boots, these Trojans register a 'receiver' for the boot-completed broadcast (which requires the 'RECEIVE_BOOT_COMPLETED' permission); when the system boots, this receiver starts the service.
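The permission and component pattern described above (usage-stats access, battery-optimization exemption, a boot receiver feeding a polling service) can be checked mechanically during triage of a decompiled APK. The following is an added example, not code from the article or from any of the families it names; it parses an AndroidManifest.xml with the standard library and reports which of those indicators are present. The manifest it runs on is constructed here, and the component names in it are invented.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Permissions the article ties to overlay bankers. Any one of them alone is
# legitimate (usage-stats apps, battery tools); the combination is the signal.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.PACKAGE_USAGE_STATS": "foreground app tracking via UsageStatsManager",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "keeps the polling service alive",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts the service at boot",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the overlay-banker indicators present in a decompiled manifest."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    found = {p: why for p, why in SUSPICIOUS_PERMISSIONS.items() if p in requested}

    # A receiver whose intent-filter listens for BOOT_COMPLETED is the
    # persistence hook described in the article; record which component owns it.
    boot_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if any(a.get(NAME) == BOOT_ACTION for a in r.iter("action"))
    ]
    services = [s.get(NAME) for s in root.iter("service")]
    # Crude score: one point per indicator. 5 = every indicator in the article.
    score = len(found) + bool(boot_receivers) + bool(services)
    return {"permissions": found, "boot_receivers": boot_receivers,
            "services": services, "score": score}


# Constructed manifest (not from any real sample) with the layout the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".MonitorService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The score is only a triage hint: a sample scoring 5 deserves a look at the service that polls the foreground application, while a benign usage-stats app will typically score 1 or 2.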



As we can see, shortly after the launch of the first Android smartphone, attackers already saw the potential of mobile devices and developed the first banking malware, 'Zitmo'. However, it did not steal credentials by itself; it acted as support for the 'Zeus' malware for Windows.

Over the years, the functionality devoted to the theft of banking credentials has not evolved much. Instead, malware authors seem to prefer an evolution based on adding functionalities, which gives them a generic malware that combines several types in one.

This trend towards generic malware not only allows them to profit from the theft of banking data; it also provides profits through other functionalities: ransomware, bulk sending of SPAM messages, etc.

Moreover, generic development allows them to make money without needing to infect users directly, by selling the malicious software through 'underground' forums on the 'deep web', which reduces the difficulties involved and increases profit.

Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of buguroo’s development team, managing task distribution and negotiating with the Head of Technology.


