2023’s Surge: Ten Android Trojans Hit 985 Banking Apps

Ten new Android banking malware families emerged over the past year. Together they target 985 financial applications across 61 countries, covering both traditional banks and fintech/trading institutions.

Banking trojans, a distinct category of malware designed to compromise online bank accounts, have evolved beyond basic credential theft. Their tactics now include sophisticated methods such as stealing session cookies, circumventing two-factor authentication (2FA), and even autonomously executing financial transactions.

According to the analysis behind these figures, alongside the ten new trojans introduced in 2023, 19 families from the previous year were modified to enhance their capabilities and operational sophistication.

Several trends stand out among these trojans: an automated transfer system (ATS) that captures multi-factor authentication (MFA) tokens and executes fund transfers; social engineering in which cybercriminals pose as customer support agents to deceive victims into downloading trojan payloads; live screen-sharing for direct interaction with infected devices; and sale of the malware as a subscription package to other cybercriminals, with prices ranging from $3,000 to $7,000 per month. Standard features across these trojans include keylogging, overlaying phishing pages, and stealing SMS messages.

A concerning development highlighted in the analysis is the expansion of banking trojans beyond financial theft. They are now targeting social media, messaging platforms, and personal data, signifying a shift in their malicious objectives.

The examination of the ten new banking trojans reveals a diverse range of disguises, with variants masquerading as utilities, productivity apps, entertainment portals, photography tools, games, and educational aids. These trojans include Nexus, Godfather, Pixpirate, Saderat, Hook, PixBankBot, Xenomorph v3, Vultur, BrasDex, and GoatRat.

Banking trojans that existed in 2022 and received updates for 2023, such as Teabot, Exobot, Mysterybot, Medusa, Cabossous, Anubis, and Coper, also remain notably active.

The United States remains the primary target, with 109 bank apps targeted, followed by the United Kingdom, Italy, Australia, Turkey, France, Spain, Portugal, Germany, and Canada.

To safeguard against these threats, users are advised to avoid downloading APKs from sources outside Google Play, conduct thorough research on app developers/publishers, scrutinize requested permissions during installation, exercise caution with updates from external sources, and refrain from clicking on links in SMS or email messages from unknown senders.
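The permission check recommended above can be automated. The following is an added example, not from the original article or the analysis it summarizes: it reads an AndroidManifest.xml already decoded to text XML (for example with apktool) and reports which of the standard trojan features listed earlier the app's permissions would enable. The capability-to-permission mapping, the function names, the threshold and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping: feature named in the article -> manifest permissions that enable it.
CAPABILITIES = {
    "SMS theft": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "phishing overlays": {P + "SYSTEM_ALERT_WINDOW"},
    "keylogging via accessibility service": {P + "BIND_ACCESSIBILITY_SERVICE"},
    "installing further payloads": {P + "REQUEST_INSTALL_PACKAGES"},
}

def triage_manifest(manifest_xml):
    """Map a decoded AndroidManifest.xml to {capability: [permissions found]}."""
    root = ET.fromstring(manifest_xml.strip())
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            found.add(el.get(ANDROID + "name"))
    # An accessibility service is not listed under uses-permission; it is a
    # <service> whose android:permission is BIND_ACCESSIBILITY_SERVICE.
    for svc in root.iter("service"):
        found.add(svc.get(ANDROID + "permission"))
    return {cap: sorted(perms & found)
            for cap, perms in CAPABILITIES.items() if perms & found}

def needs_review(manifest_xml, threshold=2):
    """Flag an app whose manifest enables at least `threshold` capabilities."""
    return len(triage_manifest(manifest_xml)) >= threshold

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample: a "flashlight" utility requesting far more than it needs.
SAMPLE_SUSPECT = f"""
<manifest {NS} package="com.example.flashlight">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
# Constructed sample: an app that only needs network access.
SAMPLE_BENIGN = f"""
<manifest {NS} package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, needs_review(xml), triage_manifest(xml))
```

A match is a reason for a closer look at the app and its publisher, not a verdict: accessibility tools and SMS apps legitimately hold these permissions.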
