BankBot banking malware found in flashlight and solitaire apps

In a joint research, IT security researchers at Avast, ESET, and SfyLabs have discovered yet another malware on Google Play Store hiding behind utility applications. With a history of infecting apps on Play Store, the malware identified by researchers is BankBot, a banking trojan that keeps coming back and Google just cannot get rid of it whatsoever.


BankBot is a banking malware that was discovered back in 2008 targeting third-party sites, but in 2014 it graduated and successfully made it to the Google Play Store to infect Android apps. Once installed, the malware conducts phishing attacks to show fake versions of banking apps and gain administrative privileges before removing the icon of the app, tricking the user into believing that the app has been deleted.

In reality, however, the app continues to work in the background. Furthermore, the malware spies on SMS sent by the user, collect sensitive information such as credit card numbers, CVC number, its expiration date and user’s home address. It is also able to collect device specs such as a list of installed apps, OS version, IMEI, and phone model and send it to the hacker.

BankBot in utility apps

Previously, BankBot was found in fake Adobe Flash PlayerCryptocurrencies Market Prices app, Banking and Entertainment apps. This time, however, BankBot was caught hiding behind flashlight and solitaire gaming apps targeting customers from 131 banks worldwide including Wells Fargo, DiBa, Chase, and Citibank. 

Flashlight apps infected with BankBot (Credit: Avast)

According to a blog post by Nikolaos Chrysaidos, head of mobile threat intelligence and security at Avast:

“The malicious activities include the installation of a fake user interface that’s laid over the clean banking app when it’s opened by the user. As soon as the user’s bank details are entered, they are collected by the criminal. In some countries, banks use transaction authentication numbers (TANs), a form of two-factor authentication required to conduct online transfers often used by European banks. The authors of BankBot intercept their victims’ text message that includes the mobile TAN, allowing them to carry out bank transfers on the user’s behalf.” 

The full list of targeted banking apps is also available on Avast’s blog post.

Additional malware

Furthermore, researchers found that the infected apps also dropped Mazar malware that was originally found in Play Store two years ago. At that time, researchers concluded that Mazar is so powerful that it can “transform a targeted smartphone into a trash box.”

Mazar can perform a variety of functions on infected devices, for example, gaining boot persistence, which helps it in surviving even after the device restarts, initiate Man-in-the-Middle (MiTM) attacks, spy upon the Internet traffic, send/receive SMS messages and much more.

Play Protect verified infected apps

Google’s Play Protect is responsible for checking apps and devices for harmful behavior, but in this case, the infected solitaire apps did not only get the chance to take a pass but also had “verified by Play Protect” tag on it.

Solitaire apps infected with BankBot (Credit: Avast)

The same happened with “Cryptocurrencies Market Prices” app a few weeks ago when Play Protect failed to identify its malicious activities. By now, it is obvious that Play Protect cannot detect BankBot malware.

Targeted countries

Although all infected apps have been removed by Google, the researchers first found BankBot in Flashlight and solitaire apps on October 13th. By then, it had targeted users around the world including Australia, France, Germany, Portugal, Poland, Philippines, Netherlands, Spain, Turkey, Greece, Russia, Dominican Republic and Singapore.

However, the malware according to researchers is not active in Ukraine, Belarus, and Russia. This could be because its developer is from these three countries or they want to avoid unwanted attention from law enforcement authorities in these countries.

Vulnerable state of Android devices

There was a time when cybercriminals used to target third party software/apps to infect Android users with malware but since Play Store has become their prime target; it is advised that users should avoid downloading unnecessary apps. A couple of days ago, 144 apps on Google Play Store were found infected with Grabos malware.

Therefore, keep your device updates and scan it with a reliable anti-virus software.

Related Posts