Security Experts:

Connect with us

Hi, what are you looking for?



Source Code for BankBot Android Trojan Leaks Online

The source code of Android banking Trojan BankBot, along with instructions on how to use it, recently emerged on a hacker forum, Doctor Web security researchers have discovered.

The source code of Android banking Trojan BankBot, along with instructions on how to use it, recently emerged on a hacker forum, Doctor Web security researchers have discovered.

The source code was published about a month ago, but Android malware based on the code was spotted last week. Once the malware gets admin privileges on an infected device, it removes its shortcut from the homescreen to hide itself and hinder removal. Next, it connects to a command and control (C&C) server to retrieve instructions.

The BankBot Trojan is distributed masquerading as benign applications. On the infected devices, it can request administrative privileges to display phishing pages to steal login credentials, intercept and send SMS messages, send USSD requests, retrieve contacts list, track the device, make calls, and receive an executable file containing a list of banking apps to attack.

Malicious programs that provide such capabilities are usually being sold as commercial products on underground forums. However, with the source code of this application leaked online, chances are that the number of attacks involving Android banking Trojans will register a significant increase soon, Dr.Web suggests.

The malware can track the launch of banking applications on the user’s device and overlay phishing dialogues to trick users into revealing their login information. The malware is targeting over three dozen such financial applications, including banking and payment system software.

The security researchers have discovered that the malware can also steal bank card information. For that, the Trojan tracks the launch of multiple popular applications on the device, including Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, and Play Store, to display a phishing dialog on top of them, tricking users into believing it is a Google Play purchase page.

“Information on found matches is sent to the C&C server. The Trojan receives a list of files to be monitored from execution. After one of them is launched, Android.BankBot.149.origin displays WebView on top of the attacked application with a fraudulent authentication form to access the user account. Then the entered information is sent to the server,” Dr.Web says.

BankBot was also designed to steal SMS messages. When an SMS arrives, the malware turns off sounds and vibrations and sends the content of the message to the cybercriminals, while also attempting to delete the original entry from the list of incoming SMS. This would result in users missing bank notifications about unplanned transactions that cybercriminals are performing.

Data stolen from the device, which includes information on the anti-virus applications installed on the infected device, is uploaded to the C&C server, making it accessible to the cybercriminals. What’s more, the security researchers say, an administration panel provides operators with control over the malicious app.

“In general, the possibilities of this Trojan are quite standard for modern Android bankers. However, as cybercriminals created it with publicly available information, one can anticipate that many Trojans similar to it will appear,” Doctor Web’s security researchers conclude.

“Dumping malware code is great way to allow others to contribute to the code and modify it to help evade detection. This tactic was very successful for distributing Zeus. When you have a larger group modifying the code, the number of variants increases rapidly, making it very hard for security products that rely on pattern matching to detect it,” Lamar Bailey, Senior Director of Security R&D for Tripwire, told SecurityWeek in an emailed comment.

Related: Fake Super Mario Run for Android Installs Malware

Related: “Gooligan” Android Malware Steals Authentication Tokens to Hack Accounts

Related: European Banks Targeted by “SmsSecurity” Android Trojan

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...