
New campaigns spread banking malware through Google Play

01 November 2017

This year we have seen many different malware campaigns trying to infect users with malicious apps found in the Google Play store. Even though these apps are often removed within days after being reported to Google, they still manage to infect thousands of users. Google scans all apps that are submitted to the Play Store to try to block malicious applications, but the latest campaigns we have seen use techniques such as legitimate-looking applications whose malicious behaviour only starts after a long timer (in this case 2 hours) to circumvent automated detection solutions.


Because our friends Nikolaos Chrysaidos (Avast) and Lukas Stefanko (Eset) also ran into these droppers, we decided to share our knowledge and make this writeup together. You can find their blogs here and here.


In October and November we ran into two new campaigns using droppers in the Play Store through our own detection solution CSD and the Avast mobile detection solution. The first campaign seems to drop the BankBot banking malware. The second campaign drops different kinds of malware, such as the same BankBot banker as the first campaign, but also Mazar and Red Alert. This second campaign has recently been described by Lukas and we will therefore not go into it here, except for adding some additional IOCs we found related to this campaign at the end of this blog.


BankBot dropper on Google Play (


BankBot dropper detected by Client Side Detection

The droppers in the BankBot campaign have a slightly different MO compared to the ones we found in August. The previous droppers were far more sophisticated, using techniques such as performing clicks in the background through an Accessibility Service to enable the installation from unknown sources. This new dropper does not have such trickery and relies on the user having unknown sources already enabled. If this is not the case, the dropper will fail to install the BankBot malware, resulting in no threat to the user. If unknown sources is enabled, however, the user will be prompted to install the BankBot malware. This malware seems to be pretty much the same as the kind Trend Micro blogged about in September.

Interestingly enough, even though the Tornado FlashLight dropper ( has been removed from Google Play, it is not detected by Play Protect. The same goes for the malware that is dropped by the dropper (


Installed apps list


No detections by Play Protect

Detailed analysis

When the dropper is first started, it will check the installed applications against a hardcoded list of 160 apps. We’ve only been able to identify 140 of them, since the package names are hashed. The list of targeted packages has remained the same since the campaign described by Trend Micro. If one or more of the targeted apps are installed when the dropper app is closed, it will start the service with dropper functionality.


Code sample: only start dropper functionality when target is available
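The check described above compares installed package names against a list of hashes, which is why only 140 of the 160 entries could be identified. As an added example (not code from this post, and not the dropper's code), the following Python shows the analyst-side technique for recovering such a list: hash a dictionary of known banking package names under a few candidate algorithms and look the dropper's digests up in the result. The hash algorithm is an assumption (the post does not say which one the dropper uses), the candidate dictionary is a subset of the targeted-app list at the end of the post, and the sample hashed list is constructed.

```python
import hashlib

# Candidate dictionary: a subset of the targeted package names listed in this post.
# A real run would use the full list plus any other known banking packages.
CANDIDATE_PACKAGES = [
    "at.bawag.mbanking",
    "com.unicredit",
    "de.commerzbanking.mobil",
    "pl.mbank",
    "www.ingdirect.nativeframe",
]

# Assumption: the post does not say which hash the dropper applies to package names,
# so we try the usual candidates and record which one produced each match.
HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def hash_package(name, algorithm):
    """Hex digest of a package name under the given hashlib algorithm."""
    return hashlib.new(algorithm, name.encode("utf-8")).hexdigest()


def build_lookup(candidates, algorithms=HASH_ALGORITHMS):
    """Precompute digest -> (package, algorithm) for every candidate under every algorithm."""
    table = {}
    for name in candidates:
        for alg in algorithms:
            table[hash_package(name, alg)] = (name, alg)
    return table


def resolve_hashed_targets(hashed_list, candidates, algorithms=HASH_ALGORITHMS):
    """Map a hashed target list back to package names where the dictionary allows.

    Returns (resolved, unresolved): resolved is {digest: (package, algorithm)},
    unresolved is the list of digests that no candidate produced. The unresolved
    entries are the "160 hashes, 140 identified" situation the post describes and
    are the ones worth extending the dictionary for.
    """
    lookup = build_lookup(candidates, algorithms)
    resolved, unresolved = {}, []
    for digest in hashed_list:
        digest = digest.strip().lower()
        if digest in lookup:
            resolved[digest] = lookup[digest]
        else:
            unresolved.append(digest)
    return resolved, unresolved


# Constructed sample: a hashed list as a dropper might carry it (MD5 assumed for the
# sample), plus one digest whose package is deliberately absent from the dictionary.
SAMPLE_HASHED_LIST = [
    hash_package("com.unicredit", "md5"),
    hash_package("pl.mbank", "md5"),
    "0" * 32,
]

if __name__ == "__main__":
    resolved, unresolved = resolve_hashed_targets(SAMPLE_HASHED_LIST, CANDIDATE_PACKAGES)
    for digest, (pkg, alg) in resolved.items():
        print(f"{digest}  ->  {pkg}  ({alg})")
    print("unresolved:", unresolved)
```

Because the lookup table is keyed by digest, the cost is one hash per candidate per algorithm rather than per entry in the dropper's list, so growing the dictionary (other regional banking apps, wallet apps) is cheap and is the only way to shrink the unresolved set.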

The dropper will run the same check on device boot and, if it succeeds, will also start the service. The service will first request device administrator permissions from the user and, after obtaining those, will continue to the download routine. The BankBot APK, which is the same for all dropper samples, is downloaded from hxxp:// The download is only triggered two hours after device admin has been granted to the dropper.


Code sample: get device admin and download malware after 2 hours

Once the download is completed the dropper will try to install the APK using the standard Android mechanism to install applications from outside the Google Play store. Besides requiring unknown sources to be already enabled, this install method requires the user to press a button to continue the installation.


Code sample: malware installation routine


Unknown sources disabled: install is blocked


Unknown sources enabled: user has to acknowledge the install

After installation, the dropped malware will be started by the dropper. This malware targets the listed banking apps with overlays trying to steal user credentials to perform fraud. Further details on the dropped malware can be found in the Trend Micro blog.

How to prevent infection?

As a user it can be difficult to figure out whether an app is malicious. First off, it is always good to only install applications from the Google Play Store, since most malware is still spread through alternative stores. Second, unless you know exactly what you are doing, do not enable ‘unknown sources’. If you are asked to do this by an app or by some party you do not know personally, it is most likely malware related. But what if you want to install an app from the Play Store? For the average user it could be a good idea to use an antivirus app to catch already known malware that has not yet been blocked by Google. It seems the antivirus vendors are usually faster in detecting malware than Google is.

Besides installing an AV app, you can check some things yourself to decrease your infection chances. First, make sure the app has many users and good reviews. Most malware will not have been in the store for a very long time (years) and will not have millions of users. Then, after you install the app, take note of several things. Most malware will ask to become device administrator to prevent being removed at a later time, or possibly to lock or wipe your device. Do not give this permission! Some other malware will ask for accessibility service permission, which enables it to simulate user interaction with the device, basically taking over the whole thing. A third indicator is the app icon disappearing from your app drawer after the first time you start the app. The malware does this to hide itself. If this happens to you, it’s probably best to back up your data and do a factory reset to make sure the malware is gone.



IOC (campaign #1)

Tornado FlashLight Package name: SHA-256: 89f537cb4495a50b082758b34e54bd1024463176d7d2f4a445cf859f5a33e38f


phxuw Package name: com.sysdriver.andr SHA-256: d93e03c833bac1a29f49fa5c3060a04298e7811e4fb0994afc05a25c24a3e6dc

faczyfut Package name: com.sysmonitor.service SHA-256: 3a3c5328347fa52383406b6d6ca31337442659ae8fafdff0972703cb49d97ac2

Lamp For DarkNess Package name: com.wifimodule.sys SHA-256: 138e3199d53dbbaa01db40742153775d54934433e999b9c7fcfa2fea2474ce8d


zqmfsx Package name: com.seafl.andr SHA-256: c1720011300d8851bc30589063425799e4cce9bb972b3b32b6e30c21ce72b9b6

Discounter Package name: com.sarniaps.deew SHA-256: bb932ca35651624fba2820d657bb10556aba66f15c053142a5645aa8fc31bbd0

Dropped malware

ynlfhgq Package name: SHA-256: 9a2149648d9f56e999bd5af599d041f00c3130fca282ec47430a3aa575a73dcd


All apps communicate with

IOC (campaign #2)


XDC Cleaner Package name: com.sdssssd.rambooster SHA-256: cc32d14cea8c9ff13e95d2a83135ae4b7f4b0bd84388c718d324d559180218fd


Spider Solitaire Package name: com.jkclassic.solitaire12334 SHA-256: b6f5a294d4b0bee029c2840c3354ed814d0d751d00c9c3d48603ce1f22dae8b3


Classic Solitaire Package name: com.urbanodevelop.solitaire SHA-256: b98d3f4950d07f62f22b4c933416a007298f9f38bebb897be0e31e4399eb39c3


Solitaire Package name: com.jduvendc.solitaire SHA-256: 0c930521f15e7c0766cd251ef67ea1ea7a23cfded206e1b0cde8995b403bc840


Dropped malware

xcuah Package name: SHA-256: 129e8d59f2e3a6f0ac4c98bfd12f9fb5d38176164ff5cf715e7e082ab33fffb6

Adobe Update Package name: com.hqzel.zgnlpufg SHA-256: 3f71c21975d51e920f47f6ec6d183c1c4c875fac93ce4eacc5921ba4f01e39d3


All droppers communicate with The different vhosts used are: - - - The two malware samples communicate with and

Targeted apps

at.bawag.mbanking
at.spardat.bcrmobile
at.spardat.netbanking
com.EurobankEFG
com.adib.mbs
com.advantage.RaiffeisenBank
com.bankofqueensland.boq
com.cajamar.Cajamar
com.clairmail.fth
com.cm_prod.bad
com.csg.cs.dnmb
com.garanti.cepsubesi
com.getingroup.mobilebanking
com.htsu.hsbcpersonalbanking
com.imb.banking2
com.isis_papyrus.raiffeisen_pay_eyewdg
com.mobileloft.alpha.droid
com.moneybookers.skrillpayments
com.moneybookers.skrillpayments.neteller
com.pozitron.iscep
com.rak
com.rsi
com.suntrust.mobilebanking
com.targo_prod.bad
com.tmobtech.halkbank
com.unicredit
com.usbank.mobilebanking
com.vipera.ts.starter.FGB
com.vipera.ts.starter.MashreqAE
com.ziraat.ziraatmobil
cz.csob.smartbanking
cz.sberbankcz
de.commerzbanking.mobil
de.direkt1822.banking
de.dkb.portalapp
de.postbank.finanzassistent
enbd.mobilebanking
es.bancosantander.apps
es.ibercaja.ibercajaapp
es.univia.unicajamovil
eu.eleader.mobilebanking.pekao
eu.eleader.mobilebanking.pekao.firm
eu.inmite.prj.kb.mobilbank
eu.unicreditgroup.hvbapptan
fr.banquepopulaire.cyberplus
fr.creditagricole.androidapp
fr.laposte.lapostemobile
mbanking.NBG
pl.bzwbk.bzwbk24
pl.bzwbk.ibiznes24
pl.mbank
pt.cgd.caixadirecta
pt.novobanco.nbapp
www.ingdirect.nativeframe
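The IOC lists for both campaigns above are in a uniform "Name Package name: X SHA-256: Y" layout, so they can be consumed directly by a triage script. As an added example (not code from this post or from any of the vendors involved), the following Python parses those lines, then matches them against either a list of installed package names (for instance the output of `adb shell pm list packages`) or SHA-256 digests of APK files in a directory. The IOC text is copied from this post; entries whose package name is missing on the page keep an empty package field and only match by hash. The helper function names and the sample installed-package list are constructed for the example.

```python
import hashlib
import os
import re

# IOC entries as they appear in this post (both campaigns, droppers and dropped malware).
# Two entries have no package name on the page and are kept with an empty package field.
IOC_TEXT = """\
Tornado FlashLight Package name: SHA-256: 89f537cb4495a50b082758b34e54bd1024463176d7d2f4a445cf859f5a33e38f
phxuw Package name: com.sysdriver.andr SHA-256: d93e03c833bac1a29f49fa5c3060a04298e7811e4fb0994afc05a25c24a3e6dc
faczyfut Package name: com.sysmonitor.service SHA-256: 3a3c5328347fa52383406b6d6ca31337442659ae8fafdff0972703cb49d97ac2
Lamp For DarkNess Package name: com.wifimodule.sys SHA-256: 138e3199d53dbbaa01db40742153775d54934433e999b9c7fcfa2fea2474ce8d
zqmfsx Package name: com.seafl.andr SHA-256: c1720011300d8851bc30589063425799e4cce9bb972b3b32b6e30c21ce72b9b6
Discounter Package name: com.sarniaps.deew SHA-256: bb932ca35651624fba2820d657bb10556aba66f15c053142a5645aa8fc31bbd0
ynlfhgq Package name: SHA-256: 9a2149648d9f56e999bd5af599d041f00c3130fca282ec47430a3aa575a73dcd
XDC Cleaner Package name: com.sdssssd.rambooster SHA-256: cc32d14cea8c9ff13e95d2a83135ae4b7f4b0bd84388c718d324d559180218fd
Spider Solitaire Package name: com.jkclassic.solitaire12334 SHA-256: b6f5a294d4b0bee029c2840c3354ed814d0d751d00c9c3d48603ce1f22dae8b3
Classic Solitaire Package name: com.urbanodevelop.solitaire SHA-256: b98d3f4950d07f62f22b4c933416a007298f9f38bebb897be0e31e4399eb39c3
Solitaire Package name: com.jduvendc.solitaire SHA-256: 0c930521f15e7c0766cd251ef67ea1ea7a23cfded206e1b0cde8995b403bc840
xcuah Package name: SHA-256: 129e8d59f2e3a6f0ac4c98bfd12f9fb5d38176164ff5cf715e7e082ab33fffb6
Adobe Update Package name: com.hqzel.zgnlpufg SHA-256: 3f71c21975d51e920f47f6ec6d183c1c4c875fac93ce4eacc5921ba4f01e39d3
"""

# Package names are dotted identifiers; the group may be empty where the page lacks one.
IOC_RE = re.compile(
    r"^(?P<name>.*?) Package name: (?P<pkg>[\w.]*)\s*SHA-256: (?P<sha>[0-9a-fA-F]{64})$"
)


def parse_iocs(text):
    """Turn the post's IOC lines into dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            entries.append({"name": m.group("name"),
                            "package": m.group("pkg"),
                            "sha256": m.group("sha").lower()})
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large APKs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(observed, iocs):
    """observed: {sha256_hex: label}. Returns [(label, ioc_entry)] for every hit."""
    by_sha = {e["sha256"]: e for e in iocs}
    return [(label, by_sha[sha.lower()]) for sha, label in observed.items()
            if sha.lower() in by_sha]


def match_packages(installed, iocs):
    """installed: iterable of package names. Returns [(package, ioc_entry)] for every hit.
    IOC entries without a package name cannot match here and are ignored."""
    by_pkg = {e["package"]: e for e in iocs if e["package"]}
    return [(p, by_pkg[p]) for p in installed if p in by_pkg]


def scan_directory(directory, iocs):
    """Hash every .apk under a directory (e.g. APKs pulled with `adb pull`) and match."""
    observed = {}
    for root, _, files in os.walk(directory):
        for fn in files:
            if fn.lower().endswith(".apk"):
                path = os.path.join(root, fn)
                observed[sha256_file(path)] = path
    return match_hashes(observed, iocs)


IOCS = parse_iocs(IOC_TEXT)

if __name__ == "__main__":
    # Constructed sample package list standing in for `adb shell pm list packages` output.
    sample_installed = ["com.android.chrome", "com.jkclassic.solitaire12334", "com.example.notes"]
    for pkg, entry in match_packages(sample_installed, IOCS):
        print(f"HIT package {pkg}: {entry['name']} ({entry['sha256']})")
```

Hash matching is the stronger signal: a package name can be reused by an unrelated app after the malicious one is pulled from the store, whereas the SHA-256 identifies the exact APK. Package-name hits are still worth reporting because they are what an installed-apps listing gives you without pulling every APK off the device.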
