Skip to content

Deceive the Heavens to Cross the sea

17 November 2021

300.000+ infections via Droppers on Google Play Store

The “Deceive the Heavens to Cross the sea” stratagem comes from the first chapter of the ‘Thirty-Six Stratagems’, a famous Chinese collection of tactics and techniques used in politics, war and civil life. It translates to “hide in plain sight” or “mask your true goals”.

Android banking trojan actors have taken this stratagem to heart and have been very adaptable over years to new Google Play app store restrictions introduced to limit their operations. These restrictions include setting limitations on the use of certain (dangerous) app permissions, which play a big role in distributing or automating malware tactics.

In this blog we will discuss the recent techniques used to spread Android banking trojans via Google Play (MITRE T1475) resulting in significant financial loss for targeted banks. We will also discuss the, sometimes forgotten, by-product of collecting contacts and keystrokes by Banking trojans, resulting in severe data leakage.

Tactics used by threat actors


What makes these Google Play distribution campaigns very difficult to detect from an automation (sandbox) and machine learning perspective is that dropper apps all have a very small malicious footprint. This small footprint is a (direct) consequence of the permission restrictions enforced by Google Play.

A good example is the modification introduced on November 13th, 2021 by Google, which limits the use of the Accessibility Services, which was abused by earlier dropper campaigns to automate and install apps without user consent.

This policing by Google has forced actors to find ways to significantly reduce the footprint of dropper apps. Besides improved malware code efforts, Google Play distribution campaigns are also more refined than previous campaigns. For example, by introducing carefully planned small malicious code updates over a longer period in Google Play, as well as sporting a dropper C2 backend to fully match the theme of the dropper app (for example a working Fitness website for a workout focused app).

To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world. This makes automated detection a much harder strategy to adopt by any organization.

VirusTotal does not showcase the evolution of detections of antivirus products over time, but almost all campaigns have or had a 0/62 FUD score on VirusTotal at some point in time, confirming the difficulty of detecting dropper apps with a minimal footprint.


Families and statistics

In the paragraphs below we outline the Modus Operandi (MO) of each of the families distributed recently via Google Play. Each of these families has its own banking apps target list, which can be found in the Appendix.


Anatsa campaign

During the research dedicated to the distribution techniques of different malware families, our analysts found numerous droppers located in Google Play, designed to distribute specifically the banking trojan Anatsa. Anatsa was discovered by ThreatFabric in January 2021.

Anatsa is a rather advanced Android banking trojan with RAT and semi-ATS capabilities. It can also perform classic overlay attacks in order to steal credentials, accessibility logging (capturing everything shown on the user’s screen), and keylogging. Previously ThreatFabric reported cases when Anatsa was distributed side-by-side with Cabassous in smishing campaigns all over Europe. Our latest findings show that Anatsa now utilizes Google Play dropper apps.

Thousands of victims

We discovered the first dropper in June 2021 masquerading as an app for scanning documents. In total, ThreatFabric analysts were able to identify 6 Anatsa droppers published in Google Play since June 2021.


These apps posed as QR code scanners, PDF scanners, and cryptocurrency apps. One dropper app was installed more than 50.000 times, with the combined total of installations of all droppers reaching more than 100.000 installations.


The process of infection with Anatsa looks like this: upon the start of installation from Google Play, the user is forced to update the app in order to continue using the app. In this moment, Anatsa payload is downloaded from the C2 server(s), and installed on the device of the unsuspecting victim.

Actors behind it took care of making their apps look legitimate and useful. There are large numbers of positive reviews for the apps. The number of installations and presence of reviews may convince Android users to install the app. Moreover, these apps indeed possess the claimed functionality, after installation they do operate normally and further convince victim in their legitimacy.

Despite the overwhelming number of installations, not every device that has these droppers installed will receive Anatsa, as the actors made efforts to target only regions of their interest. We will cover this and other technical details in the next section.

Technical details

All Anatsa droppers look similar code-wise. Upon the start of the app, a service is started to check if the “update” was installed. The dropper makes a request towards the C2 sending information about the device, including device ID, device name, locale, country, Android SDK version.


As mentioned previously, not every device will receive the “update”. At this point, the C2 backend decides whether to provide the Anatsa payload or not based on the device information. Depending on the C2 response, the dropper will decide whether or not to download Anatsa.


Such approach allows actors to target devices from specific regions and easily switch focus to another area. This behavior is in line with Anatsa moving from region to region, constantly updating its list of targeted financial institutions. Moreover, filtering allows cybercriminals to prevent the dropper from downloading the “update” during the evaluation process when publishing the app on Google Play.

Our analysts have identified Anatsa droppers that initially (in their first versions published on Google Play) had no malicious functionality, but modified their behavior in later versions, adding the dropping functionality, and a wider set of permissions required.


When all conditions are met and the payload is ready, the user will be prompted to download and install it.


After successfully downloading the “update”, the user will be asked for the permission to install apps from unknown sources. The user, previously convinced that the update is necessary for the app to work properly, grants the permission. After the installation is complete, Anatsa is running on the device and immediately asks the victim to grant Accessibility Service privileges.


After enabling Accessibility Service, Anatsa has full control over the device and can perform actions on the victim’s behalf. At the same time, the dropper app is also running and operating as a legitimate app, the victim will probably remain unsuspecting.

Hydra and Ermac campaign

Brunhilda : The return of the Valkyrie

ThreatFabric identified multiple instances of malware dropped by the Brunhilda threat actor group, and in line with previous campaigns, it constituted of trojanized apps. Brunhilda was observed dropping different malware families.

In the first case, we observed Brunhilda posing as a QR code creator app, Brunhilda dropped samples from established families, like Hydra, as well as novel ones, like Ermac.


The apps dropped by this Brunhilda campaign do not differ in functioning too much from the previous versions we have observed during 2021. As it did in the previous iterations, Brunhilda sends a registration request to its C2 using the gRPC protocol. Upon successful registration, and after communicating more detailed information about the device, the dropper is instructed by the C2 to download and install the payload package.


Both families have been very active in the last months, even adventuring to markets that were previously untapped, like the United States. This new wave of malware, which started in August 2021, includes also other families like Gustuff and Anatsa.


Alien campaign

As mentioned before, ThreatFabric observed Brunhilda serving different malware families. Some samples were observed having more than 50.000+ installations, and dropping the android trojan Alien.


Also in this case, as it happened with the deployment of Vultur, these aps reached thousands of downloads before being taken down from the store. The samples were very successful in their operation, with samples ranging from 5.000+ downloads to the impressive values of 50.000+ downloads. With these numbers in mind, it is fair to say that this dropper family was likely able to infect hundreds of thousands of victims during its operation.

Gymdrop : a Gym you do not want to visit

In November 2021 ThreatFabric analysts discovered yet another dropper in Google Play. It had 10.000+ installations and masquerades as an app for self-training.


This dropper, that we dubbed “Gymdrop”, is another example of how cybercriminals try to convince victims and detection systems that their app is legitimate. The app website is designed to look legitimate at first glance. However, it is only a template for a gym website with no useful information on it, even still containing ‘Lorem Ipsum’ placeholder text in its pages.


The developer website also serves as C2 for Gymdrop. Just like previously observed, this dropper tried to convince victims to install a fake update. However, in this case, it is done in a more inventive way: the payload is posed as a new package of workout exercises in conformity with the app. After the user clicks “OK”, the dropper will request the permissions needed.


Shortly after the dropper gets its configuration from the C2. The configuration file contains the link to download the payload. Moreover, the configuration contains filter rules based on device model. Based on the models being filtered out and the code of the dropper, we can draw a conclusion that this is done to avoid downloading the payload on emulators or research environment.


If all conditions are met, the payload will be downloaded and installed. This dropper also does not request Accessibility Service privileges, it just requests permission to install packages, spiced with the promise to install new workout exercises - to entice the user to grant this permission. When installed, the payload is launched. Our threat intelligence shows that at the moment this dropper is used to distribute Alien banking trojan.


While writing this blog post, Gymdrop was updated (a new version was uploaded to Google Play). However, the configuration file was not found on C2. It could probably be done to not serve the payload to pass security checks performed by Google before publishing the update on Google Play.

2 dropper APPS to boost botnet-building

It is worth mentioning that the Alien samples of this campaign connect to the same C2 as samples from previously described campaign powered by Brunhilda dropper.


This leads us to the conclusion that the actor(s) behind these Alien campaigns use at least 2 different dropper services in their distribution strategy.



In the span of only 4 months, 4 large Android families were spread via Google Play, resulting in 300.000+ infections via multiple dropper apps.

A noticeable trend in the new dropper campaigns is that actors are focusing on loaders with a reduced malicious footprint in Google Play, considerably increasing the difficulties in detecting them with automation and machine learning techniques.

The small malicious footprint is a result of the new Google Play restrictions (current and planned) to put limitations on the use of privacy concerning app permissions. Permissions such as Accessibility Service, which in previous campaigns was one of the core tactics abused to automate the installation process of Android banking trojans via dropper apps in Google Play.

By limiting the use of these permissions, actors were forced to choose the more conventional way of installing apps, which is by asking the installation permission, with the side-effect of blending in more with legitimate apps. This is one of the core reasons of the significant success of mobile banking threat actors in sneaking into Google’s trusted app store.

A second big factor behind their success is that actors have set restrictions, with mechanisms to ensure that the payload is installed only on the victim’s device and not on testing environments. To achieve this, criminals use a multitude of techniques, which range from location checks to incremental malicious updates, passing by time-based de-obfuscation and server-side emulation checks.

This incredible attention dedicated to evading unwanted attention renders automated malware detection less reliable. This consideration is confirmed by the very low overall VirusTotal score of the 9 number of droppers we have investigated in this blogpost.

How we help our customers

ThreatFabric makes it easier than it has ever been to run a secure mobile payments business. With the most advanced threat intelligence for mobile banking, financial institutions can build a risk-based mobile security strategy and use this unique knowledge to detect fraud-by-malware on the mobile devices of customers in real-time.

Together with our customers and partners, we are building an easy-to-access information system to tackle the ever-growing threat of mobile malware targeting the financial sector. We especially like to thank the Cyber Defence Alliance (CDA) for collaborating and proactively sharing knowledge and information across the financial sector to fight cyber-threats.

ThreatFabric has partnerships with TIPs all over the world.

If you want to request a free trial of our MTI-feed, or want to test our own MTI portal for 30 days, feel free to contact us at:

If you want more information on how we detect mobile malware on mobile devices, you can directly contact us at:

Appendix: IOC

Brunhilda Dropper Samples

App name Package name SHA-256
Two Factor Authenticator com.flowdivison a3bd136f14cc38d6647020b2632bc35f21fc643c0d3741caaf92f48df0fc6997
Protection Guard d3dc4e22611ed20d700b6dd292ffddbc595c42453f18879f2ae4693a4d4d925a
QR CreatorScanner com.ready.qrscanner.mix ed537f8686824595cb3ae45f0e659437b3ae96c0a04203482d80a3e51dd915ab
Master Scanner Live com.multifuction.combine.qr 7aa60296b771bdf6f2b52ad62ffd2176dc66cb38b4e6d2b658496a6754650ad4

Brunhilda Dropper C2 URL


Anatsa Dropper Samples

App name Package name SHA-256
QR Scanner 2021 com.qr.code.generate 2db34aa26b1ca5b3619a0cf26d166ae9e85a98babf1bc41f784389ccc6f54afb
QR Scanner com.qr.barqr.scangen d4e9a95719e4b4748dba1338fdc5e4c7622b029bbcd9aac8a1caec30b5508db4
PDF Document Scanner - Scan to PDF com.xaviermuches.docscannerpro2 2080061fe7f219fa0ed6e4c765a12a5bc2075d18482fa8cf27f7a090deca54c5
PDF Document Scanner 974eb933d687a9dd3539b97821a6a777a8e5b4d65e1f32092d5ae30991d4b544
PDF Document Scanner Free 16c3123574523a3f1fb24bbe6748e957afff21bef0e05cdb3b3e601a753b8f9d
CryptoTracker 1aafe8407e52dc4a27ea800577d0eae3d389cb61af54e0d69b89639115d5273c

Anatsa Dropper C2 URL


Gymdrop Dropper Samples

App name Package name SHA-256
Gym and Fitness Trainer com.gym.trainer.jeux 30ee6f4ea71958c2b8d3c98a73408979f8179159acccc01b6fd53ccb20579b6b
Gym and Fitness Trainer com.gym.trainer.jeux b3c408eafe73cad0bb989135169a8314aae656357501683678eff9be9bcc618f

Gymdrop Dropper C2 URL


Malware Samples dropped

Malware Family App name Package name SHA-256
Alien.A Master Scanner Live leaf.leave.exchang 74407e40e1c01e73087442bcdf3a0802121c4263ab67122674d9d09b3edf856e
Alien.A Gym and Fitness Trainer gesture.enlist.say e8cbcc34af3bd352767b7a9270dd684a50da2e68976a3712675526a7398550a0
Anatsa.A PDF AI : TEXT RECOGNIZER com.uykxx.noazg d42e0d3db3662e809af3198da67fdbd46d5c2a1052b5945401e4cdd06c197714
Hydra.C QR CreatorScanner com.cinnamon.equal 9ab66c1b7db44abaa53850a3d6a9af36c8ad603dab6900caba592497f632349f
Ermac.A QR CreatorScanner com.tag.right fd7e7e23db5f645db9ed47a5d36e7cf57ca2dbdf46a37484eafa1e04f657bf02

Appendix: Targeted apps

Alien.A Targets

Package Name App Name
com.kubi.kucoin KuCoin: Bitcoin Exchange & Crypto Wallet ABANCA - Portugal
com.bitfinex.mobileapp Bitfinex Changelly: Buy Bitcoin BTC & Fast Crypto Exchange
es.liberbank.cajasturapp Banca Digital Liberbank Millenniumbcp Openbank – banca móvil
pt.bctt.appbctt Banco CTT
com.exictos.mbanka.bic Banco BIC, SA Pro: Advanced Bitcoin & Crypto Trading
com.plunien.poloniex Poloniex Crypto Exchange Kutxabank
com.bitpay.wallet BitPay – Secure Bitcoin Wallet Binance - Buy & Sell Bitcoin Securely BBVA Net Cash ES & PT Coinbase – Buy & Sell Bitcoin. Crypto Wallet
com.rsi.Colonya Colonya Caixa Pollença TransferWise Money Transfer BPI APP
com.bancamarch.bancamovil Banca March
com.mycelium.wallet Mycelium Bitcoin Wallet Cajasur
com.tecnocom.cajalaboral Banca Móvil Laboral Kutxa
net.bitbay.bitcoin Bitcoin & Crypto Exchange - BitBay
es.evobanco.bancamovil EVO Banco móvil
com.bankinter.portugal.bmb Bankinter Portugal Gmail Best Bank
com.wavesplatform.wallet Waves.Exchange Bitstamp – Buy & Sell Bitcoin at Crypto Exchange
es.bancosantander.apps Santander Microsoft Outlook: Organize Your Email & Calendar OKEx - Bitcoin/Crypto Trading Platform
com.grupocajamar.wefferent Grupo Cajamar
com.bankinter.launcher Bankinter Móvil Bankia
pt.novobanco.nbapp NB smart app Caja de Ingenieros Banca MÓVIL
es.ibercaja.ibercajaapp Ibercaja
pt.santandertotta.mobileempresas Santander Empresas
es.pibank.customers Pibank Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum NBapp Spain
com.mediolanum Banco Mediolanum España Google Play BBVA Portugal Cash App
es.caixagalicia.activamovil ABANCA- Banca Móvil
es.univia.unicajamovil UnicajaMovil
org.electrum.electrum Electrum Bitcoin Wallet WiZink, tu banco senZillo Yahoo Mail – Organized Email Caixadirecta Connect for Hotmail & Outlook: Mail and Calendar mail imaginBank - Your mobile bank
es.caixaontinyent.caixaontinyentapp Caixa Ontinyent
www.ingdirect.nativeframe ING España. Banca Móvil
eu.atlantico.bancoatlanticoapp MY ATLANTICO BBVA Spain CitiManager – Corporate Cards CA Mobile PayPal Mobile Cash: Send and Request Money Fast
com.rsi ruralvía
es.cecabank.ealia2103appstore UniPay Unicaja ActivoBank - CaixaBank
com.db.pbc.mibanco Mi Banco db
com.targoes_prod.bad TARGOBANK - Banca a distancia

Ermac.A Targets

Package Name App Name
eu.inmite.prj.kb.mobilbank Mobilni Banka
com.greater.Greater Greater Bank TSB Mobile Banking Link Celular CaixaBank
com.IngDirectAndroid ING France
es.bancosantander.apps Santander
com.ocito.cdn.activity.creditdunord Crédit du Nord pour Mobile
pl.ideabank.mobilebanking Idea Bank PL Bi en Línea
org.banking.bsa.businessconnect BankSA Business App
pl.envelobank.aplikacja EnveloBank Banco Sabadell App. Your mobile bank Kotak - 811 & Mobile Banking ING Australia Banking
com.getingroup.mobilebanking Getin Mobile My AMP
com.magiclick.odeabank Odeabank
com.mtel.androidbea BEA 東亞銀行
eu.eleader.mobilebanking.pekao.firm PekaoBiznes24
org.banking.stg.businessconnect St.George Business App
softax.pekao.powerpay PeoPay
com.rsi ruralvía HSBC Malaysia TD Canada BankSA Mobile Banking Bank of Melbourne Mobile Banking
com.zoluxiones.officebanking Banco Santander Perú S.A. Simplii Financial
es.evobanco.bancamovil EVO Banco móvil
com.latuabancaperandroid Intesa Sanpaolo Mobile
com.fusion.beyondbank Beyond Bank Australia Royal Bank of Scotland Mobile Banking
com.unicredit Mobile Banking UniCredit
com.tarjetanaranja.emisor.serviciosClientes.appTitulares Naranja NPBS Mobile Banking Suncorp Bank
de.traktorpool tractorpool
hu.cardinal.erste.mobilapp Erste Business MobilBank Bankwest
it.popso.SCRIGNOapp SCRIGNOapp
de.dkb.portalapp DKB-Banking Interbank APP Banca MPS
de.consorsbank Consorsbank
com.isis_papyrus.raiffeisen_pay_eyewdg Raiffeisen ELBA VR Banking Classic
com.pozitron.iscep İşCep - Mobile Banking Bank Millennium
es.ibercaja.ibercajaapp Ibercaja Usługi Bankowe
com.krungsri.kma KMA ING Italia
com.mobillium.papara Papara SecureApp netbank
com.nearform.ptsb permanent tsb
com.konylabs.cbplpat Citi Handlowy
com.lynxspa.bancopopolare YouApp ŞEKER MOBİL ŞUBE
com.appfactory.tmb Teachers Mutual Bank ME Bank
com.kasikorn.retail.mbanking.wap K PLUS
com.infrasofttech.MahaBank Maha Mobile
com.pttfinans PTTBank
es.univia.unicajamovil UnicajaMovil CommBiz Maybank2u MY
es.pibank.customers Pibank
de.ingdiba.bankingapp ING Banking to go
com.fusion.banking Bank Australia app
com.tecnocom.cajalaboral Banca Móvil Laboral Kutxa George Magyarország myRAMS
com.teb CEPTETEB
eu.netinfo.colpatria.system Scotiabank Colpatria
de.santander.presentation Santander Banking Openbank – banca móvil
pl.raiffeisen.nfc Mobilny Portfel
pt.novobanco.nbapp NB smart app Metro Bank
com.tmobtech.halkbank Halkbank Mobil – Germany‘s largest car market Mes Comptes BNP Paribas
com.mercadolibre Mercado Libre: compra fácil y rápido MBNA - Card Services App
hu.cardinal.cib.mobilapp CIB Business Online
fr.creditagricole.androidapp Ma Banque 楽天銀行 -個人のお客様向けアプリ Bank of Melbourne Business App Moje ING mobile
pl.pkobp.ipkobiznes iPKO biznes
com.usbank.mobilebanking U.S. Bank - Inspired by customers
pl.pkobp.iko IKO ANZ Transactive - Global
com.bankofqueensland.boq BOQ Mobile
com.ingbanktr.ingmobil ING Mobil
com.tdbank TD Bank (US) SCB EASY
com.Version1 PNB ONE
net.garagecoders.e_llavescotiainfo ScotiaMóvil ASB Mobile Banking BNP Paribas GOMobile
com.woodforest Woodforest Mobile Banking Banca Transilvania HSBC UK Mobile Banking Bancolombia App Personas Itaú Uruguay KeyBank Mobile BNL CUA Mobile Banking Yapı Kredi Mobile Krungthai NEXT
com.santander.bpi Santander Private Banking
posteitaliane.posteapp.apppostepay Postepay Tesco Mobile
es.ceca.cajalnet Cajalnet
com.scotiabank.banking Scotiabank Mobile Banking
it.nogood.container UBI Banca Noble Mobile
com.suntrust.mobilebanking SunTrust Mobile App
pl.eurobank2 eurobank mobile 2.0
com.mobileloft.alpha.droid myAlpha Mobile Union Bank Mobile Banking
pl.millennium.corpApp Bank Millennium for Companies HSBC Australia Sparkasse Ihre mobile Filiale
org.westpac.col Westpac Corporate Mobile Macquarie Mobile Banking
finansbank.enpara Cep Şubesi St.George Mobile Banking
com.mcom.firstcitizens First Citizens Mobile Banking
fr.laposte.lapostemobile La Poste - Services Postaux
es.bancosantander.empresas Santander Empresas Mes Comptes - LCL
fr.banquepopulaire.cyberplus Banque Populaire Santander Mobile Banking Mobile BiznesPl@net
pl.fakturownia BPI APP
de.commerzbanking.mobil Commerzbank Banking - The app at your side comdirect mobile App Kutxabank
pt.santandertotta.mobileparticulares Santander Particulares
es.caixageral.caixageralapp Banco Caixa Geral España Itaú Empresas: Controle e Gestão do seu Negócio Millenniumbcp Yono Lite SBI - Mobile Banking Oney France
pl.bzwbk.bzwbk24 Santander mobile
com.vancity.mobileapp Vancity ING Business HDFC Bank MobileBanking
es.caixagalicia.activamovil ABANCA- Banca Móvil
tsb.mobilebanking TSB Bank Mobile Banking
com.zellepay.zelle Zelle
ma.gbp.pocketbank Pocket Bank
de.postbank.finanzassistent Postbank Finanzassistent Bendigo Bank
es.liberbank.cajasturapp Banca Digital Liberbank Budapest Bank Mobil App PNC Mobile
eu.atlantico.bancoatlanticoapp MY ATLANTICO
pl.bps.bankowoscmobilna BPS Mobilnie
eu.unicreditgroup.hvbapptan HVB Mobile Banking
com.konylabs.HongLeongConnect Hong Leong Connect Mobile Banking
pl.aliorbank.aib Alior Mobile People’s United Bank Mobile UBank Mobile Banking N26 — The Mobile Bank
cz.csob.smartbanking ČSOB Smartbanking L’Appli Société Générale VakıfBank Mobil Bankacılık ANZ Australia
mbanking.NBG NBG Mobile Banking
pl.bph BusinessPro Lite CA24 Mobile
com.quoine.quoinex.light Liquid by Quoineライト版(リキッドバイコイン) -ビットコインなどの仮想通貨取引所 ANZ Shield
pl.bzwbk.ibiznes24 iBiznes24 mobile HSBC Turkey
com.kuveytturk.mobil Kuveyt Türk
com.ziraat.ziraatmobil Ziraat Mobile
com.targo_prod.bad TARGOBANK Mobile Banking NAB Mobile Banking
com.samba.mb SambaMobile Westpac Mobile Banking
pl.ifirma.ifirmafaktury IFIRMA - Darmowy Program do Faktur RBC Mobile
com.tideplatform.banking Tide - Smart Mobile Banking SBI Anywhere Corporate
hu.mkb.mobilapp MKB Mobilalkalmazás
com.todo1.davivienda.mobileapp Davivienda Móvil 住信SBIネット銀行 Navy Federal Credit Union
com.infrasofttech.CentralBank Cent Mobile Capital One® Mobile Bankia
pl.mbank mBank PL Wells Fargo Mobile
gr.winbank.mobilenext Winbank Mobile Western Union ES - Send Money Transfers Quickly
com.snapwork.IDBI IDBI Bank GO Mobile+ CommBank
mx.bancosantander.supermovil Santander móvil NatWest Mobile Banking
it.carige Carige Mobile USAA Mobile
eu.eleader.mobilebanking.pekao Pekao24Makler

Anatsa.A Targets

Package Name App Name HSBC UK Mobile Banking Chase Mobile Wells Fargo Mobile Citi Mobile® Capital One® Mobile Bank of America Mobile Banking J.P. Morgan Mobile
com.usbank.mobilebanking U.S. Bank - Inspired by customers Truist Mobile - Banking Made Better PNC Mobile
com.tdbank TD Bank (US) Schwab Mobile
com.statestreetbank.grip State Street Bank HSBC US
com.citizensbank.androidapp Citizens Bank Mobile Banking
com.syf.synchronybank Synchrony Bank Credit One Bank Mobile Clydesdale Bank Mobile Banking Fidelity Investments Earn Cash Reward: Make Money Playing Games & Music Robinhood - Investment & Trading, Commission-free
com.moneylion MoneyLion: Mobile Banking App Sable Virgin Money Mobile Banking Yorkshire Bank Mobile Banking Clydesdale Bank Mobile Banking Algorand Wallet Coinbase – Buy & Sell Bitcoin. Crypto Wallet - Buy Bitcoin Now Monese - Mobile Money Account for UK & Europe Binance - Buy & Sell Bitcoin Securely Mobile Bank UK – Danske Bank Ulster Bank NI Mobile Banking NatWest Mobile Banking NatWest International
com.plunien.poloniex Poloniex Crypto Exchange
com.wallet.crypto.trustapp Trust: Crypto & Bitcoin Wallet The Co-operative Bank Metro Bank Starling Bank - Better Mobile Banking
io.metamask MetaMask - Buy, Send and Swap Crypto Monzo Bank Binance.US Kraken - Buy Bitcoin & Crypto
com.blockfolio.blockfolio Blockfolio - Bitcoin and Cryptocurrency Tracker Gemini: Buy Bitcoin Instantly
com.okinc.okcoin.intl Okcoin - Buy & Trade Bitcoin, Ethereum, & Crypto Barclays
com.tideplatform.banking Tide - Smart Mobile Banking Halifax: the banking app that gives you extra Lloyds Bank Mobile Banking: by your side USAA Mobile BlockFi - Buy, Earn, Borrow Crypto Marcus by Goldman Sachs® Union Bank Mobile Banking PenFed Navy Federal Credit Union
com.stash.stashinvest Stash: Invest, Bank, Save
com.regions.mobbanking Regions Bank Varo Bank: Mobile Banking Current - Modern Banking
com.huntington.m Huntington Mobile
com.clairmail.fth Fifth Third Mobile Banking Mint: Personal Finance Manager Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum TDECU Digital Banking FirstBank Digital Banking App
com.oneazcu.banking OneAZ Mobile Banking
com.axos.udb Axos Bank®
com.etrade.mobilepro.activity E*TRADE: Invest. Trade. Save. Suncoast SunMobile
com.firsttech.firsttech First Tech Federal CU SECU SECU
com.softek.ofxclmobile.warrenfcu Blue FCU Mobile Banking App
com.bethpage.bethpage Bethpage Mobile Banking MyOCCU Mobile Banking
com.ifs.banking.fiid3160 Tru2Go Truliant Mobile Banking
com.desertschools.mobilebanking Desert Financial Mobile
com.nymfcu.nymfcu NYMCU Mobile Banking
com.softek.ofxclmobile.summitcu Summit Credit Union Mobile
com.fi7453.godough PFFCU Mobile Banking
com.cuamerica.cuamerica Credit Union of America
com.ifs.banking.fiid3337 Arizona Federal Mobile Banking
com.ksfcu.ksfcu Valley Strong DataMobile
com.ifs.mobilebanking.fiid9094 Service CU Mobile Banking Scott Credit Union
com.socalcu.socalcu CU SoCal Mobile Banking
com.q2e.unitedfcu5017android.ufcu.uwnmobile United Federal Credit Union
com.credituniononecu.credituniononecu NEW - Credit Union One Michigan DCFCU Mobile
com.ifs.mobilebanking.fiid3919 Associated Credit Union Mobile
com.ifs.banking.fiid1359 WPCU Mobile Banking
com.growfinancialfcu.growfinancialfcu Grow Mobile Banking
com.nexowallet Nexo - Crypto Banking Account
com.investvoyager Voyager: Crypto Made Simple
com.mobileloft.alpha.droid myAlpha Mobile
mbanking.NBG NBG Mobile Banking Viva Wallet
gr.winbank.mobilenext Winbank Mobile
com.EurobankEFG Eurobank Mobile App
io.sperax.wallet Sperax Play
ru.sberbankmobile Сбербанк Онлайн ОТП Банк
ru.letobank.Prometheus Почта Банк Liberty Tinkoff Мобильный банк УРАЛСИБ
gr.nbg.go4more go4more
com.ubanksu UBANK VTB-Online
com.mtbank Мой банк Columbia Bank Investments -
ch.raiffeisen.twint Raiffeisen TWINT PostFinance TWINT
com.csg.creditsuisse.twint Credit Suisse TWINT – mobile payment app PostFinance Mobile
com.csg.cs.dnmb Credit Suisse Direct UBS Access – secure login for digital banking UBS Mobile Banking: E-Banking and mobile pay neon - your account app Raiffeisen E-Banking
com.flowbank.client FlowBank
ch.bankcler.zak Bank Cler Zak MyAXA CH eBanking Mobile SwissBorg: Invest in Crypto
ch.zkb.twint ZKB TWINT
ch.zkb.frankly frankly. Pillar 3a – Private pension BCV Mobile
at.rsg.pfp Mein ELBA-App George Österreich
at.erstebank.securityapp s Identity
com.bawagpsk.bawagpsk BAWAG PSK klar – Mobile Banking App Bank Austria MobileBanking Mein Magenta (AT)
com.bitpanda.bitpanda Bitpanda - Buy Bitcoin in minutes
at.volksbank.volksbankmobile Volksbank hausbanking ING Banking Austria
com.easybank.easybank easybank App
at.oberbank.mbanking Oberbank
de.xcom.flatexat flatex AT
com.cardcomplete.completecontrol complete Control
at.bank99.meine.meine meine99 Online Banking
at.bks.mbanking BKS Bank Österreich
at.racon.mandantvkb VKB CONNECT
com.csiweb.digitalbanking.bk0617 Viking Bank Mobile
com.csiweb.digitalbanking.bk0710 Minnesota National Bank Spar Nord Mobilbank AL-Bank
dk.jyskebank.drb Jyske Bank
dk.landbobanken.drb Ringkjøbing Landbobank og Nordjyske Bank Vestjysk Bank
dk.nordea.mobilebank Nordea Mobile - Denmark
dk.sydbank.drb Sydbanks Mobilbank Privat
com.resurs.rbapp Resurs Bank NY mobilbank DK - Danske Bank The Co-operative Bank (NZ) ANZ goMoney New Zealand ASB Mobile Banking ASB Mobile Banking Kiwibank Mobile Banking Westpac One (NZ) Mobile Banking CommBank NAB Mobile Banking ANZ Australia Westpac Mobile Banking Bendigo Bank ING Australia Banking St.George Mobile Banking Bankwest CoinSpot - Buy & Sell Bitcoin BankSA Mobile Banking Heritage Mobile Banking Bank of Melbourne Mobile Banking CUA Mobile Banking Swyftx Cryptocurrency Exchange - Buy, Sell & Trade Citibank Australia ME Bank NPBS Mobile Banking
com.fusion.beyondbank Beyond Bank Australia
com.bankofqueensland.boq BOQ Mobile
com.adcb.cbgdigi ADCB Hayyak: Start your banking relationship now! CBD DIB MOBILE
com.mashreq.NeoApp Mashreq Neo - Bank easy ADCB
enbd.mobilebanking Emirates NBD
com.fab.personalbanking FAB Mobile ADIB Mobile Banking App
com.rak RAKBANK Digital Banking
com.adib.smartmoney smartbanking by ADIB
com.alhilal.hayyak Ahlan by Al Hilal Bank
com.kubi.kucoin KuCoin: Bitcoin Exchange & Crypto Wallet
com.mbc.anb.keystore ANB Mobile~ Arab National Bank PhonePe: UPI, Recharge, Investment, Insurance
com.rainmanagement.rain Rain: Buy & Sell Bitcoin
com.BanqueMisr.MobileBanking BM Online
com.riyadbank.strategic RiyadBank Mobile Liv. KSA - Digital Banking SNB AlAhli Mobile
com.alrajhiretailapp Al Rajhi Mobile
com.samba.mb SambaMobile
com.sabb.mobilebanking SABBMobile
com.bsffm FransiMobile Alinma Bank SAIB
com.slsp.mtoken SLSP mToken
sk.slsp.georgego George Go Slovensko
sk.tb.ib.tatraandroid Tatra banka
sk.csob.smarttoken CSOB SmartToken
com.zentity.sbank.csobsk SmartBanking VÚB Mobile Banking Čítačka
sk.raiffeisen.ib.androidwrapper Raiffeisen Bank SK
cz.homecredit.hcsk Home Credit SK
com.zentity.pabk Poštová banka SmartBanking SK
sk.mbank mBank SK
sk.primabanka.penazenka Peňaženka
com.firstdirect.bankingonthego first direct
com.revolut.revolut Revolut - Get more from your money
com.outsystemsenterprise.thinkmoneyprod.ThinkMoney thinkmoney
com.vanso.gtbankapp GTBank
com.suntrust.mobilebanking SunTrust Mobile App

Hydra.C Targets

Package Name App Name Netflix
eu.inmite.prj.kb.mobilbank Mobilni Banka
com.bitfinex.mobileapp Bitfinex Gmail CaixaBank BBVA Colombia
com.albarakaapp Albaraka Mobile Banking -
es.bancosantander.apps Santander
pl.ideabank.mobilebanking Idea Bank PL
pl.envelobank.aplikacja EnveloBank Banco Sabadell App. Your mobile bank
com.ambank.ambankonline AmOnline
com.liberty.jaxx Jaxx Liberty: Blockchain Wallet Yahoo Mail – Organized Email INT Poczta
com.bitcoin.mwallet Bitcoin Wallet
com.cleverlance.csas.servis24 SERVIS 24 Mobilni banka
com.getingroup.mobilebanking Getin Mobile
org.electrum.electrum Electrum Bitcoin Wallet
com.magiclick.odeabank Odeabank Akbank Mobilní eKonto Raiffeisenbank
com.db.pwcc.dbmobile Deutsche Bank Mobile
com.avuscapital.trading212 Trading 212 - Stocks, ETFs, Forex, Gold
softax.pekao.powerpay PeoPay Binance - Buy & Sell Bitcoin Securely
com.rsi ruralvía Connect for Hotmail & Outlook: Mail and Calendar -
com.denizbank.mobildeniz MobilDeniz
com.grupoavalav1.bancamovil AV Villas App HSBC Malaysia
eu.eleader.mobilebanking.pekao Pekao24Makler Banca Móvil BCP
com.zoluxiones.officebanking Banco Santander Perú S.A. NBapp Spain
es.evobanco.bancamovil EVO Banco móvil Royal Bank of Scotland Mobile Banking -
com.grupocajamar.wefferent Grupo Cajamar Samsung Email
com.clairmail.fth Fifth Third Mobile Banking
com.hittechsexpertlimited.hitbtc HitBTC – Bitcoin Trading and Crypto Exchange
de.dkb.portalapp DKB-Banking
io.totalcoin.wallet Bitcoin Wallet Totalcoin - Buy and Sell Bitcoin Interbank APP
cz.fio.sb2 Fio Smartbanking CZ
es.caixaontinyent.caixaontinyentapp Caixa Ontinyent VR Banking Classic Bitcoin Wallet - Buy BTC
com.pozitron.iscep İşCep - Mobile Banking Caja de Ingenieros Banca MÓVIL Bank Millennium
es.ibercaja.ibercajaapp Ibercaja Usługi Bankowe
pl.interia.poczta_next Nowa Poczta Interia
com.mobillium.papara Papara
com.uphold.wallet Uphold - Trade, Invest, Send Money For Zero Fees
pl.cinkciarz Currency Exchange Conotoxia
com.nearform.ptsb permanent tsb norisbank App
com.konylabs.cbplpat Citi Handlowy ŞEKER MOBİL ŞUBE
cz.csob.smartbanking.era Smartbanking PS Citi Mobile®
pl.onet.mail Onet Poczta - e-mail app The Co-operative Bank
cz.equabank.mobilebanking Equa bank
com.pttfinans PTTBank
es.univia.unicajamovil UnicajaMovil
com.garanti.cepsubesi Garanti BBVA Mobile Maybank2u MY
es.pibank.customers Pibank Coinbase – Buy & Sell Bitcoin. Crypto Wallet
de.ingdiba.bankingapp ING Banking to go
com.bancodebogota.bancamovil Banco de Bogotá
com.tecnocom.cajalaboral Banca Móvil Laboral Kutxa
com.teb CEPTETEB
eu.netinfo.colpatria.system Scotiabank Colpatria BtcTurk PRO - Bitcoin Al-Sat
com.citibanamex.banamexmobile Citibanamex Móvil CEX.IO Cryptocurrency Exchange
com.plunien.poloniex Poloniex Crypto Exchange
pl.raiffeisen.nfc Mobilny Portfel Openbank – banca móvil Metro Bank
com.tmobtech.halkbank Halkbank Mobil MBNA - Card Services App
pl.wp.wppoczta WP Poczta Moje ING mobile
com.citibank.CitibankMY Citibank MY
pl.pkobp.iko IKO
pl.wp.pocztao2 Poczta o2
com.ingbanktr.ingmobil ING Mobil
com.tdbank TD Bank (US) -
cash.klever.blockchain.wallet Klever Wallet: Buy Bitcoin, Ethereum, Tron, Crypto QNB Finansbank Mobile Banking
com.myetherwallet.mewwallet MEW wallet – Ethereum wallet BNP Paribas GOMobile
com.moneybookers.skrillpayments.neteller NETELLER - fast, secure and global money transfers Halifax: the banking app that gives you extra
cz.mbank mBank CZ
com.grupoavaloc1.bancamovil Banco de Occidente Móvil Fio Smartbroker Bancolombia App Personas HSBC UK Mobile Banking
com.ubercab Uber - Request a ride Bither Electroneum Yapı Kredi Mobile AliExpress - Smarter Shopping, Better Living Tesco Mobile Microsoft Outlook: Organize Your Email & Calendar Amazon Shopping - Search, Find, Ship, and Save
pl.nestbank.nestbank Nest Bank nowy Noble Mobile
com.suntrust.mobilebanking SunTrust Mobile App WiZink, tu banco senZillo Luno: Buy Bitcoin, Ethereum and Cryptocurrency Bank of Scotland Mobile Banking: secure on the go ČSOB CEB Mobile Sparkasse Ihre mobile Filiale
finansbank.enpara Cep Şubesi
eu.eleader.mobilebanking.invest plusbank24
es.bancosantander.empresas Santander Empresas
com.bitpay.wallet BitPay – Secure Bitcoin Wallet OKEx - Bitcoin/Crypto Trading Platform Santander Mobile Banking Mobile BiznesPl@net e-Devlet Kapısı
cz.csas.georgego George Česká spořitelna Lloyds Bank Mobile Banking: by your side
de.commerzbanking.mobil Commerzbank Banking - The app at your side mail Discover Mobile comdirect mobile App
es.santander.Criptocalculadora Criptocalculadora Kutxabank
com.targoes_prod.bad TARGOBANK - Banca a distancia My Air APP Banco Pichincha Perú BBVA Net Cash: ES & PT PayPal Mobile Cash: Send and Request Money Fast Google Play
pl.bzwbk.bzwbk24 Santander mobile BBVA Spain
payumoney.merchantap - ING Business
us.zoom.videomeetings ZOOM Cloud Meetings BBVA Perú  
com.Plus500 Plus500: CFD Online Trading on Forex and Stocks
com.thanksmister.bitcoin.localtrader Local Trader for LocalBitcoins
com.ubercab.eats Uber Eats: Food Delivery
com.bancocajasocial.geolocation Banco Caja Social Móvil
es.caixagalicia.activamovil ABANCA- Banca Móvil
de.postbank.finanzassistent Postbank Finanzassistent
tsb.mobilebanking TSB Bank Mobile Banking
es.liberbank.cajasturapp Banca Digital Liberbank
com.yoox YOOX - Fashion, Design and Art
com.bitmarket.trader Aplikacja Bitmarket Santander Mobile Banking PNC Mobile
pl.bps.bankowoscmobilna BPS Mobilnie
com.btcturk BtcTurk Bitcoin Borsası
com.bankinter.launcher Bankinter Móvil
eu.unicreditgroup.hvbapptan HVB Mobile Banking
pl.sgb.wallet PORTFEL SGB
com.bankia.wallet Bankia Wallet
com.cimbmalaysia CIMB Clicks Malaysia
com.whatsapp WhatsApp Messenger
com.konylabs.HongLeongConnect Hong Leong Connect Mobile Banking Bitstamp – Buy & Sell Bitcoin at Crypto Exchange
pl.aliorbank.aib Alior Mobile
com.facebook.katana Facebook
cz.csob.smartbanking ČSOB Smartbanking VakıfBank Mobil Bankacılık
com.mediolanum Banco Mediolanum España Pro: Advanced Bitcoin & Crypto Trading Ally Mobile Scotiabank Perú
pl.bph BusinessPro Lite Smart Banking Cajasur CA24 Mobile
cz.moneta.smartbanka Smart Banka
es.cecabank.ealia2103appstore UniPay Unicaja HSBC Turkey
com.kuveytturk.mobil Kuveyt Türk eBay: Buy, sell, and save money on home essentials
com.ziraat.ziraatmobil Ziraat Mobile
com.targo_prod.bad TARGOBANK Mobile Banking
com.barclaycardus Barclays US Mobilní banka Business
com.todo1.davivienda.mobileapp Davivienda Móvil Business Smart Banking Fibabanka Mobile Capital One® Mobile
samsung.settings.pass -
www.ingdirect.nativeframe ING España. Banca Móvil Bank of America Mobile Banking
com.nanooqit.economiaemail mail SpardaApp
com.mycelium.wallet Mycelium Bitcoin Wallet Bankia
pl.mbank mBank PL Wells Fargo Mobile
exodusmovement.exodus Exodus: Crypto Bitcoin Wallet CMC: CFD Trading Google Play Games NatWest Mobile Banking
cz.csas.business24 BUSINESS 24 Mobilní banka U by BB&T USAA Mobile Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum
com.breadwallet BRD Bitcoin Wallet. Buy BTC Bitcoin Cash, Ethereum
com.engage.pbb.pbengage2my.release PB engage MY

Demo or trial?