Banking Trojans Disguise as Government Apps to Target Android Users in Indonesia and Vietnam

Since August 2024, financially motivated actors have been targeting Android users in Indonesia and Vietnam with BankBot.Remo banking trojans disguised as government apps (e.g., IdentitasKependudukanDigital.apk). Spoofed Google Play pages on icrossingappxyz[.]com use WebSocket/Socket.IO connections to stream the APK in chunks behind a fake progress bar, then assemble it client-side into a blob URL for download. Because the file never appears as an ordinary URL fetch, URL filters and download scanners are sidestepped, although the browser still raises its sideloading warnings.

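The chunked WebSocket delivery described above is what a network-side detector has to reassemble, since the blob URL itself never crosses the wire. The following is an added example, not code from the report: it parses Socket.IO text frames (a constructed capture built in-memory; the event name "chunk" and the JSON field names are assumptions, not values observed in the campaign), rebuilds the base64 chunks in index order, and flags the result when it is a ZIP that carries the file names every APK contains.

```python
"""Flag APKs delivered as base64 chunks over Socket.IO WebSocket frames.

Added example. The frames are constructed here to imitate the chunked-delivery
pattern; the "chunk" event name and the index/data field names are assumed.
"""
import base64
import io
import json
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                      # local file header of any ZIP/APK
APK_MARKERS = (b"AndroidManifest.xml", b"classes.dex")  # names stored uncompressed in ZIP headers


def parse_socketio_event(frame: str):
    """Return (event_name, payload) for a frame shaped like 42["event", {...}]
    (Engine.IO MESSAGE + Socket.IO EVENT); anything else yields None."""
    if not frame.startswith("42"):
        return None
    try:
        body = json.loads(frame[2:])
    except json.JSONDecodeError:
        return None
    if not (isinstance(body, list) and len(body) == 2 and isinstance(body[0], str)):
        return None
    return body[0], body[1]


def reassemble_chunks(frames, event_name="chunk") -> bytes:
    """Collect base64 chunk payloads keyed by index and rebuild the blob,
    tolerating out-of-order delivery and unrelated events on the same socket."""
    parts = {}
    for frame in frames:
        parsed = parse_socketio_event(frame)
        if parsed is None or parsed[0] != event_name:
            continue
        payload = parsed[1]
        if not isinstance(payload, dict) or "index" not in payload or "data" not in payload:
            continue
        try:
            parts[int(payload["index"])] = base64.b64decode(payload["data"], validate=True)
        except (ValueError, TypeError):
            continue
    return b"".join(parts[i] for i in sorted(parts))


def classify_blob(data: bytes) -> dict:
    """Verdict on the rebuilt blob: ZIP magic plus Android file names means APK."""
    is_zip = data.startswith(ZIP_MAGIC)
    markers = [m.decode() for m in APK_MARKERS if m in data]
    return {
        "size": len(data),
        "is_zip": is_zip,
        "apk_markers": markers,
        "verdict": "apk_over_websocket" if is_zip and markers else "benign_or_unknown",
    }


def detect_apk_over_websocket(frames, event_name="chunk") -> dict:
    return classify_blob(reassemble_chunks(frames, event_name))


# --- constructed sample capture -------------------------------------------
def build_fake_apk() -> bytes:
    """Minimal ZIP with the two entry names every APK has (dummy bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return buf.getvalue()


def build_frames(apk: bytes, chunk_size: int = 64) -> list:
    """Split the APK into base64 chunks wrapped as Socket.IO events, delivered
    in reverse order and mixed with progress events like a real session."""
    frames = ['42["progress",{"percent":0}]']
    chunks = [apk[i:i + chunk_size] for i in range(0, len(apk), chunk_size)]
    for i in reversed(range(len(chunks))):
        frames.append("42" + json.dumps(
            ["chunk", {"index": i, "data": base64.b64encode(chunks[i]).decode()}]))
    frames.append('42["progress",{"percent":100}]')
    return frames


SAMPLE_APK = build_fake_apk()
SAMPLE_FRAMES = build_frames(SAMPLE_APK)
BENIGN_FRAMES = ['42["chat",{"text":"hello"}]', "3", '42["progress",{"percent":10}]']

if __name__ == "__main__":
    print(detect_apk_over_websocket(SAMPLE_FRAMES))
    print(detect_apk_over_websocket(BENIGN_FRAMES))
```

In practice the frames come from a TLS-inspecting proxy or a HAR export, and the event name has to be learned per site; the durable signal is the shape of the traffic (many same-sized base64 events that reassemble into a ZIP), not any one string.
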

Variants derived from code leaked in 2016 include M-Pajak clones hosted on twmlwcs[.]cc (SHA-256: e9d3f6211d4ebbe0c5c564b234903fbf5a0dd3f531b518e13ef0dcc8bedc4a6d) and open directories on dgpyynxzb[.]com and ykkadm[.]icu hosting fakes such as BCA.apk and Livin.apk, all of which contact the same C2 server (saping.ynhqhu[.]com). Multilingual HTML templates indicate that the same operation tooling is being reused by several sub-groups.

More than 100 related domains share the same profile: Alibaba as ISP, Gname as registrar, share-dns[.]net or Cloudflare name servers, and IP addresses in Singapore or Indonesia; registration and DNS activity timestamps peak in Eastern Asian time zones (UTC+7 to UTC+9). Defenders should block the C2 and distribution domains, monitor WebSocket traffic for chunked binary transfers, and educate users to install apps only from official sources to counter the delivery obfuscation.

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, FraudProtector.net