Threat Fabric


Bankbot dropper hiding on Google Play


Today our ThreatFabric threat intel team found a suspicious-looking Bankbot APK. After further investigation it turned out to be present in the Google Play Store:

[Images: Earn Real Money Gift Cards in the Google Play Store; Earn Real Money Gift Cards additional information; Bankbot in Google Play]

As it turned out, there was also another APK from this developer. Apparently the guy is also an avid game developer. Initially it looked like a simple (and quite fun according to Wesley) game, but after some deeper investigation we became suspicious…

[Images: Bubble Shooter Wild Life in the Google Play Store; Bubble Shooter Wild Life additional information; Game in Google Play]

Dissecting the game

So on initial startup the game asks for permission to draw over other apps:

[Image: Permission request to draw over apps]

This permission is most likely needed for the trickery it does afterwards. According to the decompiled code, the app should at some point ask the user to enable it as an Accessibility Service. Because this didn’t happen automatically, we decided to enable it manually:

[Image: Accessibility Service enabled]

When the app obtains its Accessibility Service status it displays a screen saying it is performing a Google update. This screen is simply a “holding screen” to prevent the user from interfering with what is happening in the background. Using its elevated status, the app enables “Unknown sources” through the settings activity and installs another APK file, which is first copied from the APK assets to the sdcard.

In the current app in the Play Store there is no APK present, which means nothing serious happens. Because we wanted to try this out, we put a dummy app in the same location on the sdcard and started the dropper app. This is what happened:

[Image: Dropper installs APK from sdcard]

We also captured the above flow in a short clip, which can be seen below:


It looks like the developer is still working on improving his dropper app. Any new update to the app (the last one was 2 days ago) can add an embedded APK which will be installed after the app is started. With a simple campaign on social media the app can be spread rapidly, especially since the app appears to be a normal and fun game to the average user. As we have long expected, droppers will probably become more common and be rented out as a service.
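A static triage check for the pattern described above (overlay permission, Accessibility Service, and an APK carried in the app's assets), written as an added example and not code from ThreatFabric or from the analysed app. The permission names are the standard Android SDK strings; the asset file names and sample archives are constructed, and the manifest match is a raw string-pool heuristic rather than a full binary XML parse.

```python
import io
import zipfile

# Standard Android permission strings for the two steps the post describes:
# the "draw over other apps" prompt and the Accessibility Service binding.
INDICATORS = {
    "overlay": "android.permission.SYSTEM_ALERT_WINDOW",
    "accessibility": "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

def contains(blob: bytes, text: str) -> bool:
    # Binary AndroidManifest.xml stores its string pool as UTF-8 or UTF-16LE.
    return text.encode("utf-8") in blob or text.encode("utf-16-le") in blob

def is_apk(data: bytes) -> bool:
    # An APK is a ZIP archive with AndroidManifest.xml at its root,
    # whatever extension the asset was given.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "AndroidManifest.xml" in z.namelist()
    except zipfile.BadZipFile:
        return False

def triage_apk(data: bytes) -> dict:
    # Report manifest indicators and any APK hidden under assets/.
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        manifest = apk.read("AndroidManifest.xml")
        found = {k: contains(manifest, v) for k, v in INDICATORS.items()}
        embedded = [n for n in apk.namelist()
                    if n.startswith("assets/") and is_apk(apk.read(n))]
    found["embedded_apks"] = embedded
    found["dropper_pattern"] = bool(embedded) and all(found[k] for k in INDICATORS)
    return found

def make_sample(manifest: bytes, assets: dict) -> bytes:
    # Build a constructed APK-like ZIP in memory so the example runs offline.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        for name, content in assets.items():
            z.writestr(name, content)
    return buf.getvalue()

# Constructed samples: the same manifest with and without an embedded APK.
MANIFEST = "\n".join(INDICATORS.values()).encode("utf-16-le")
CURRENT_BUILD = make_sample(MANIFEST, {"assets/level1.dat": b"game data"})
ARMED_BUILD = make_sample(
    MANIFEST, {"assets/update.bin": make_sample(b"dummy manifest", {})})

if __name__ == "__main__":
    for label, sample in (("current", CURRENT_BUILD), ("armed", ARMED_BUILD)):
        print(label, triage_apk(sample))
```

Running the check on every new version of a watched package shows the moment an update starts shipping an embedded APK, which is the change the post expects.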


Bankbot app

- Google Play: https://play.google.com/store/apps/details?id=com.moneygift.real.app
- Koodous: https://koodous.com/apks/b038b5dfceeb5b59d2abcd376814defb2a7022ba5b65cf917bf857439835e2e5

Dropper app

- Google Play: https://play.google.com/store/apps/details?id=com.bubblesooter.wildlife
- Koodous: https://koodous.com/apks/b5420cd03ab440e770efb7900a12d831b318db96286df720900dc05955508f86