Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Upgraded Android Banking Trojan Targets Users in 200 Countries

An Android banking Trojan discovered two years ago has become a global threat in the past months, after being updated with new ransomware capabilities, Doctor Web security researchers warn.

An Android banking Trojan discovered two years ago has become a global threat in the past months, after being updated with new ransomware capabilities, Doctor Web security researchers warn.

Dubbed Android.SmsSpy.88.origin, the malware was initially discovered in 2014, when it was mainly targeting users in Russia and CIS countries and was spreading via spam SMS messages containing an URL that redirected users to scam websites. Although old, the Trojan recently gained popularity, courtesy of its various functions and because it is offers as a service on underground forums.

Android Malware

Originally, the Trojan was designed to intercept SMS messages containing one-use bank passwords, to covertly send text messages, and to make phone calls, Doctor Web researchers reveal. Eventually, the malware’s authors updated it with credit card information stealing capabilities, an operation performed through overlaying a fraudulent input form on top of Google Play or online banking applications developed by several well-known Russian banks.

Starting toward the end of 2015, researchers observed a more sophisticated version of the program, one that was targeting users around the world. Doctor Web researchers claim to have stumbled upon more than 50 botnets consisting of mobile devices infected with different versions of Android.SmsSpy.88.origin.

Overall, the Trojan managed to infect over 40,000 devices in more than 200 countries, researchers say. However, as was seen before, the malware masquerades as benign programs such as Flash Player and, once launched, requests administrator privileges.

Once established on an infected device, the Trojan maintains an active connection with the command and control (C&C) center, while continuing to perform its main nefarious activity, namely credential theft. The stolen information is immediately sent to the server, providing the attacker with full control over the victim’s bank account.

The malicious program targets around 100 banking applications by using WebView to display a phishing window on top of the legitimate app. The Trojan’s functionality is similar to that of Android/Spy.Agent.SI, an Android banking Trojan observed in early march to target users of numerous banks in Australia, New Zealand and Turkey.

The Trojan’s configuration file can be updated remotely, meaning that its operators can attack virtually the client of any bank in the world, researchers say. The mobile threat also tries to get user’s bank card information through a fake Google Play payment phishing page, can intercept and send SMS and MMS messages, send USSD requests, transmit all saved messages to the server, set a password to the lock screen, and lock the home screen by using a specially-formed dialog.

When locking the device’s screen, the Trojan displays a fake dialog informing the victim that the device was locked because of illegally stored and distributed pornography. It also claims that the victim can unlock the device by paying a ransom in the form of an iTunes Gift Card.

Most of the devices infected with Android.SmsSpy.88.origin were running Android 4.4, namely 35.71 percent of them, researchers say. However, Android 5.1 products (14.46 percent), Android 5.0 (14.10 percent), Android 4.2 (13.00 percent), and Android 4.1 (9.88 percent) were also affected.

“Users in the following countries suffered most of all: Turkey (18,29%), India (8,81%), Spain (6,90%), Australia (6,87%), Germany (5,77%), France (3,34%), the USA (2,95%), the Philippines (2,70%), Indonesia (2,22%), Italy (1,99%), South Africa (1,59%), Great Britain (1,53%), Pakistan (1,51%), Poland (1,1%), Iran (0,98%), Saudi Arabia (0,96%), China (0,92%), and Bangladesh (0,85%),” Doctor Web says.

Researchers also say that the Trojan is enjoying such a wide distribution because its creators advertise it on different underground forums, while also selling it as a commercial product. In addition to the Trojan itself, the operators also provide their customers with the server part, as well as with an administration panel to manage infected devices, it seems.

Since the beginning of this year, we’ve seen a flurry of Android Trojans targeting users worldwide, including SlemBunk, Xbot, or Spy.Agent. Additionally, we’ve seen Triada, considered the most advanced mobile malware to date, along with Asacub and a new Banker Trojan, both threats aimed mainly at users in Russia.

Related: Banking Trojan Infections Plummeted 73% in 2015

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...