My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Banking Trojan discovered in hacked Android games

May 26, 2016

Doctor Web security researchers regularly register cases of Android mobile devices being infected with banking Trojans. To make malicious applications spread faster, virus makers usually masquerade them as benign programs. Android.BankBot.104.origin is not an exception because cybercriminals distribute this malware under the guise of a hack tool for mobile games and as a game cheating program.

This time, attackers focused their attention on those who prefer to play hacked games, which makes a gameplay easier and faster. To successfully distribute the Trojan, virus makers monitor whether the potential victim surfs the Web in order to find cheat codes for the game to simplify its walkthrough (for example, infinite gold, crystals, and so on) or they would like to download a hacked version of the favorite game. Thus, among the search results, the user sees links that lead to various fraudulent websites specially designed to trick naive gamers.

screen Android.BankBot.104.origin #drweb screen Android.BankBot.104.origin #drweb

These websites can inform users about more than 1,000 different mobile games—thus, the search engine displays fraudulent links on top of the search results. It is noteworthy that all these resources have valid digital signatures, which makes them seem quite legitimate.

When the user tries to download a game from this site, they are redirected to another scam webpage that is used to spread Android.BankBot.104.origin under the guise of a hacked game or a game cheating software. In addition to this banking Trojan, the webpage can distribute other threats belonging to the Android.ZBot family.

screen Android.BankBot.104.origin #drweb

Android.BankBot.104.origin is protected with a special packer that complicates an anti-virus detection of the Trojan and its analysis. One of its last modifications was named Android.BankBot.72; yet, given that attackers always create new repacked versions of the Trojan, this malware can be detected under different names. Android.BankBot.104.origin is an obfuscated version of Android.BankBot.80.origin, which means that its code is securely encrypted.

screen Android.BankBot.104.origin #drweb

Android.BankBot.104.origin is installed on a mobile device as an application named “HACK”. Once launched, the Trojan tries to get administrator privileges and then removes its shortcut from the home screen.

screen Android.BankBot.104.origin #drweb screen Android.BankBot.104.origin #drweb

After that, the Trojan determines whether there is an online banking application installed on the device, and how much funds are available on the user’s bank accounts. To do that, Android.BankBot.104.origin sends special SMS commands to banking systems numbers. If successful, the Trojan attempts to covertly transfer money from the victim’s bank accounts to cybercriminals’.

Moreover, attackers control the Trojan from the remote server. Thus, this malware can enable forwarding to the specified number, hide and intercept SMS messages, send text messages and USSD requests, and perform other malicious actions.

Doctor Web specialists strongly recommend to avoid visiting such-like dubious resources and downloading hacked mobile games and applications if you do not want to lose all the money from your bank accounts. Dr.Web for Android successfully detects all the known modifications of this Trojan, and, therefore, this malicious program poses no threat to our users.

More about this Trojan

Protect your Android device with Dr.Web now

Buy online Buy on Google Play Free download

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments