
One sunny morning, my breakfast was interrupted by a phone call from a friend who is an entrepreneur engaged in the transportation of various goods. He said that $11,000 disappeared from his bank account during the night. The bank support service could not help. They advised my friend to report this incident to the police. The money transfers were made using the mobile application and confirmed via SMS. Everything looked like completely legal financial transactions.

“You work in security,” my friend moaned into the receiver, “please advise what to do.” Unfortunately, it was already too late to do anything. Cybercriminals had used a banking trojan as a tool to steal the money. The rogue software had penetrated my friend’s phone long before the incident. The only way to prevent such a loss is to study how this type of malicious application works and the methods of dealing with it.

History of Banking Trojans

Malware capable of re-sending incoming SMS messages to attackers, including those containing TAN codes (transaction authentication numbers), has been circulating for about 15 years. In addition, trojans that knew how to use USSD commands also existed at that time. They could transfer the money from the bank card attached to the phone. But, of course, they were not full-fledged banking trojans since they were noticeably inferior in functionality to their desktop counterparts.

The first full-fledged banking trojans for the Android mobile platform were discovered about ten years ago. The first one was the Android SpyEye banking trojan. This trojan worked in conjunction with the SpyEye malware for Windows. This dual nature allowed attackers to bypass two-factor authentication.

Here is how SpyEye worked. As soon as the user of the infected Windows system opened a banking site in the browser, the malware sitting on the computer performed a web injection, embedding a piece of code into the page. Since the injection was carried out on the client side, the banking site URL in the address bar of the browser was correct and the connection was established using the HTTPS protocol.

At some point, the content of the web page was changed by the malware. The text embedded into the banking site by the trojan stated that due to many new cyber-attacks, the bank needs to urgently change some procedures, and for authorization in the system, it is necessary to install an additional application (about 30 KB only) on a mobile phone by downloading it from the link provided below.

The application, of course, appeared to be the SpyEye mobile banking trojan. The main task of the trojan was to intercept all incoming SMS messages and send them to the server controlled by the cybercriminals.

The weak side of this scheme was the need to synchronize the work of the mobile app and desktop malware components; however, the virus writers managed to solve this problem successfully. For several months, SpyEye sowed panic among users of banking services until it got into the databases of all popular antiviruses, after which its activity gradually decreased.

Banking Trojans Today

After some time, the employees of the IT departments of the banks mastered programming, and online bank applications gradually migrated from desktops to mobile phones in the form of Android applications. This migration made the life of virus writers easier. They no longer needed to spend time on penetrating Windows systems. All efforts then began to concentrate on developing mobile banking trojans. After all, the owner of a smartphone with a banking application on board is a walking wallet.

Like other Android malware, banking trojans spread under the guise of useful programs. The malicious functionality of such applications is, of course, not advertised by the developers. It manifests itself either after some time or after downloading the next update.

In one of the cases, a banking trojan was distributed in the form of a program that claimed to combine the client apps of several large banks. Why install a bunch of separate applications when you can download only one? (With a trojan inside.) There are also cases when malicious programs were embedded in the genuine applications of some banks that cybercriminals had modified beforehand. Such applications were distributed from fake bank web pages designed exactly like the real ones, and the victims were invited to them by phishing emails.

Another vector for the spread of mobile banking trojans is a phishing SMS message. There are different ways to use phishing SMS messages. In one case, a user who is registered on one of the free classified ads sites receives an SMS message with an offer to buy his product. The recipient is called by name, which dulls his vigilance. Virus writers previously parsed the user base of this site, pulling out all the useful information from there.

When clicking on the short link from the message, the potential victim is sent to the intermediate page, where it is determined that the user accessed the site from the mobile device running Android. His mobile service provider also gets identified. After that, the user is redirected to the fake page with an MMS message corresponding to the style of the mobile service provider. After clicking on the fake MMS button, the download of the trojan begins.

Some old mobile banking trojans acted very primitively. If the administrator’s rights were necessary for the operation of the malware, it persistently demonstrated a window on the screen with the requirement to provide the necessary rights until the tormented user agreed to this action.

Sometimes virus writers used various tricks to fool a potential victim. For example, as per Dr.Web, the banking trojan Android.BankBot.29 masked the window for requesting administrator privileges using the Google Play message: “Your version is out of date, do you want to use the new version?” When the user tried to click on the “Yes” button, the initial page disappeared, and the tap instead confirmed the app as a device administrator, resulting in the malware gaining administrator privileges.

Another banking trojan tricked users with a request to turn on the Accessibility Services mode, a series of special features for people with disabilities. Having received the necessary permissions, the malware could gain admin rights, too.

Once inside, trojans usually sit in the memory of a mobile phone, waiting for the launch of a mobile banking application. When this event occurs, the trojan determines which application is running and displays the corresponding fake login and password form as a popup on top of the real app. The entered data is immediately sent to the attacker’s server.

The mobile banking trojan can contain HTML code of several dozen pages with a different design that copy the application interface of the most popular banks. After that, it remains only to intercept the SMS with a one-time password to get full access to the bank account. Real incoming messages from banks are usually hidden in order not to arouse suspicion of the victim.

If the trojan, for some reason, cannot get direct access to the bank account, it steals bank card details. For this, for example, fake windows for adding the bank card to the Google Play account were used in some cases. Due to anti-fraud systems used by serious websites, it is not easy now to buy anything using stolen card details, but it is quite possible to pay for online toys or music on less popular sites. Such sites rarely bother with a serious check of payment details since transactions are usually very small there. This is what attackers use.


Bankbots form a side branch in the evolution of mobile banking trojans. While ordinary banking trojans work mostly autonomously, bankbots are able to receive various commands and execute them on an infected device.

Commands can be transmitted via HTTP, for example, in JSON format, via SMS, and in some cases even through a special Telegram channel. Bankbots can enable or disable the interception of incoming SMS messages, mute the sound of a mobile phone, send messages to a number specified by attackers (with specified content), or execute USSD commands.

Some bankbots can also download and install APK files on a mobile device. As a result, new trojans that have a wider range of functions may get onto the already infected device. Well, and almost all such malicious programs can send the address book, SMS correspondence and other confidential data to the attacker’s C&C server and also forward incoming calls to the phone number specified by the hacker.

Some bankbots, in addition to everything described above, have the functions of self-defense. They track the names of all processes running on the system and, when an antivirus or another known security tool is detected, the malware attempts to disable that process using its administrator rights. Usually, bankbots use a web admin panel that provides detailed statistics on infected devices and information stolen from them.
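As an added example (not part of the original article), the sketch below maps the behaviours described above (SMS interception, overlay windows, device administrator and Accessibility Services abuse, USSD commands, APK installation) to the Android manifest entries that enable them, and flags a decoded AndroidManifest.xml for manual review when SMS interception is combined with one of those elevation mechanisms. The permission names are real Android permissions; the review rule, the function names and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Behaviour described in the article -> manifest entry that enables it.
REQUESTED = {  # <uses-permission android:name="...">
    P + "RECEIVE_SMS": "intercept incoming SMS (one-time passwords)",
    P + "SEND_SMS": "send SMS to a number chosen by the operator",
    P + "SYSTEM_ALERT_WINDOW": "draw a window over the banking app",
    P + "CALL_PHONE": "place calls, including USSD codes",
    P + "READ_CONTACTS": "read the address book",
    P + "REQUEST_INSTALL_PACKAGES": "install further APK files",
}
GUARDED = {  # android:permission on a <service> or <receiver>
    P + "BIND_DEVICE_ADMIN": "registers a device administrator",
    P + "BIND_ACCESSIBILITY_SERVICE": "registers an accessibility service",
}
ELEVATION = {P + "SYSTEM_ALERT_WINDOW", *GUARDED}

def triage_manifest(xml_text):
    """Return {permission: behaviour} for each signal in a decoded manifest."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter("uses-permission"):
        if (name := el.get(NS + "name")) in REQUESTED:
            found[name] = REQUESTED[name]
    for el in root.iter():
        perm = el.get(NS + "permission")
        if el.tag in ("service", "receiver") and perm in GUARDED:
            found[perm] = GUARDED[perm]
    return found

def needs_review(found):
    """Assumed rule: SMS interception plus overlay, accessibility or admin."""
    return P + "RECEIVE_SMS" in found and not ELEVATION.isdisjoint(found)

# Constructed sample manifests (not taken from any real app).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><receiver android:name=".Admin"
      android:permission="android.permission.BIND_DEVICE_ADMIN"/></application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for label, doc in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, needs_review(triage_manifest(doc)), sorted(triage_manifest(doc)))
```

Each of these permissions is also used by legitimate apps on its own, so the output is a triage signal for closer inspection, not a verdict.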

Rapid Growth

With the quick spread of mobile devices that run Android, the creation of trojans for this platform has gradually turned into a real underground industry. There are many ads on the darknet that offer banking trojans for Android for rent, with all admin and technical support provided to the client. Darknet marketplaces also sell trojan kits and builders, tools which allow anyone, even those without any programming skills, to create a banking trojan masquerading as a specific bank app or another app.

Due to all that, the number of banking trojans began to grow exponentially. The chances of getting infected have also grown significantly. Most of these malicious programs work with administrator privileges. It is not very easy to remove them. For this, you will have to start the system in safe mode. In the worst case, reset the device to factory settings.

It is already a proven fact that disabling the ability to install applications from third-party sources on the phone does not always protect the user from banking trojans. There are many cases when users downloaded malware from the official Google Play. The technology for checking applications hosted there is still imperfect.

In addition, the Android operating system is famous for its significant number of vulnerabilities that can be used by virus writers. Antivirus software is capable of helping to protect the device from unauthorized malware penetration, but whether or not to install specific apps is a personal matter of each Android user. And as we know, hackers are very good at spreading their malware under the guise of popular or useful apps.

About the Author: David Balaban is a cybersecurity professional writing for His key competencies include malware analysis, online privacy, and software testing. Additionally, he does his best to stay current with the e-threat landscape and keep tabs on the evolution of computer viruses. With 13 years of experience under his belt, David knows how security works and how important it is to maintain privacy on the Internet.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.