Wroba: Banking Malware Spreads Across the US via SMS

New samples of this trojan were encountered on the smartphones of US users, which points to the possibility of a campaign aimed at expanding the number of affected users in these areas.


Ever since it first appeared in 2010, the Wroba mobile banking trojan has affected smartphone users in different parts of the world, especially in the APAC (Asia-Pacific) region.


Geographical distribution of attacks during 2015 -2016. Source: Kaspersky

However, lately criminals have expanded their targets and, judging by our findings, it appears that they have expanded their malware campaign to the US.

This trojan, which was born as a specific banking trojan for smartphones with Android operating systems, is capable of stealing information from files and passwords, collecting financial data from its victims and sending SMS text messages to the contacts it finds on the victim's phone in order to self-propagate in ways that increase its chances of success.

But that's not all, attempts have also been detected by the operators of this malware to attack users who use other terminals besides Android. In 2018, control servers were found in which samples for Android were distributed, but when they were visited by iOS users, they were redirected to a website with a phishing page to steal the credentials of their Apple accounts.


How Wroba Banking Malware Works?

According to Kaspersky researchers, the campaign that has been affecting users in the US is spread through fake text messages related to shipped packages. As we'll see below, the operation is simple and very popular.

The SMS text contains a link indicating that the package has been delivered and invites the user to click on it to review it in order to be able to pick it up. This technique is well known, and is used to achieve the objectives of many other criminals in the cybercrime field, since it can have a high success rate compared to other less efficient ones.

After the message, the flow of actions that occur when clicking on the link in the received text message differs depending on the operating system of the affected phone. With an Android phone, users will be redirected to a malicious website that will show them an alert indicating that their browser is out of date and that they need to update it as soon as possible. By clicking on "Accept", the malicious application begins to download, the analysis of which will be discussed in the next section.

However, for iOS users, the method is somewhat different. Wroba has been programmed by its creators in such a way that when it comes to iPhone users, when clicking on the link to check the status of the shipped package, users are redirected to a phishing page that simulates the Apple ID login page, in an attempt to collect the credentials of its victims. In this case, the malware isn't installed and it only tries to steal the victim's information.


Wroba Banking Malware Analysis

When analyzing an application downloaded on Android devices, we encountered several findings. The first one, a "Chrome" tag that is used to impersonate the legitimate browser, as we can see when we look at the package name.
Regarding the installation screen, when we take a look at it we can see that it tries to impersonate the Chrome browser, also using the icon of said application to make it appear more credible.


Manifest file

Regarding the structure of the APK, in addition to the typical scheme that we can find in Android applications, a file with an apparently random name is detected within the assets folder. By investigating it and analyzing its code, we end up being led to the payload that is ultimately a banking trojan from the Wroba family.


Suspicious directory

Regarding the capabilities of this malware, we found several. These include the capture and monitoring of incoming and outgoing SMS messages, or the ability to be spread via SMS by sending phishing messages to all of the phone's contacts.


Permissions of the analyzed APK.

Hash: ccdc5c71c18709cea46e8dce04f985e19c054abfcb19a7ee6d875a09e3aa39b1

Finally, and this is where its functionality as a banking trojan appears, Wroba is able to check the names of the packages of the banking applications installed on Android and overlay over them with their own ones, allowing them to capture the credentials of the affected users. This strategy is the well-known overlays technique, which we have already talked about on previous occasions.


Wroba has been active since 2010, and since then its main focus has been users from the APAC region. Its developers have focused on the theft of bank accounts, as well as passwords and other sensitive data sent by banks to authenticate the client.

Recently, new samples of this trojan were encountered on the smartphones of US users, which points to the possibility of a campaign aimed at expanding the number of affected users in these areas.

It's therefore important that we look out for any new developments with this malware since this new strategy implemented by cybercriminals could allow it to spread to other continents.

Posted by David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.



buguroo’s cloud-based fraud detection delivers a straightforward solution for detecting and stopping today’s – and tomorrow’s malware threats. Banks and their customers can be protected from one of the most malicious threats in use by cybercriminals.


Solicita una demo

Would you like to know how our solution protects your bank?

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video