The BankBot Android banking trojan is giving Google engineers headaches, as this particular piece of malware has a knack for avoiding Google’s security scans and reaching the official Play Store on a regular basis.
The story of this banking trojan goes back to January 2017, when the source code of an unnamed Android banking trojan was leaked online on an underground hacking forum.
Shortly after, someone took this source code and created a new banking trojan known as BankBot, which by the end of the month, had already been used to target users of Russian banks.
By next month, February, BankBot’s authors improved the malware’s support with the ability to target the customers of banks in other countries, such as the UK, Austria, Germany, and Turkey.
BankBot has the ability to avoid Google’s security scans
Despite basing BankBot on leaked source code, the malware’s creators improved the codebase and added the ability to disguise the malware enough to trick the Google Bouncer security scanner.
In total, researchers initially detected three different BankBot campaigns that managed to upload Android apps on the official Google Play Store.
Google intervened in each and took down the apps, but it quickly became apparent to researchers that BankBot had Bouncer’s number.
Two more campaigns detected last week
Come April, and these campaigns are still active. While BankBot was first discovered by Russian cyber-security firm Dr.Web, and subsequent campaigns were detected by ESET, Dutch firm Securify has also identified two new BankBot campaigns that have also managed to pass two apps by Bouncer and onto the Play Store.
The first of those apps was one named Funny Videos 2017, and was taken down last week, but not before reaching between 1,000 and 5,000 downloads.
The second app, HappyTimes Videos, was found over the Easter holiday and was just taken down before this article’s publication.
BankBot has grown into a sophisticated threat
According to security experts, both apps were infected with a recent version of the BankBot trojan. As the name hints, BankBot is an Android banking trojan. Just like most Android banking trojans, BankBot works by showing a fake login window on top of the user’s legitimate banking application.
In reality, BankBot can steal login credentials for more than banking applications. Past versions were also able to steal login details for apps such as Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat, IMO, Instagram, Twitter, and the Google Play Store.
Further, BankBot could also lock the user’s device in a ransomware-like behavior, and intercept SMS messages for the ability to bypass two-step verification operations.
Below is a list of 424 legitimate banking apps for which the BankBot versions spotted last week were configured to target.
The codes in this list are usually the codes at the end of the Google Play Store app page. You can access the Google Play Store page for your own mobile banking app, and check to see if that code appears in the list below.
aib.ibank.android
aib.ibank.android.tablet
ar.bapro
ar.bapro.tablet
ar.com.redlink.ciudad
ar.com.santander.rio.mbanking
ar.macro
ar.nbad.emobile.android.mobilebank
at.bawag.mbanking
at.bawag.tablet
at.easybank.mbanking
at.erstebank.george
at.ing.diba.client.onlinebanking
at.oberbank.mbanking
at.psa.app.bawag
at.spardat.netbanking
at.volksbank.volksbankmobile
au.com.amp.myportfolio.android
au.com.bankwest.mobile
au.com.heritage.app
au.com.ingdirect.android
au.com.macquarie.banking
au.com.mebank.banking
au.com.nab.mobile
au.com.nab.mobile.android.nabconnect
au.com.pnbank.android
au.com.suncorp.SuncorpBank
biz.mobinex.android.apps.cep_sifrematik
cedacri.mobile.bank.asti
cedacri.mobile.bank.bppb
cedacri.mobile.bank.desio.brianza
ch.raiffeisen.android
ch.raiffeisen.phototan
co.uk.Nationwide.Mobile
com.AlinmaSoftToken
com.BOQSecure
com.BankAlBilad
com.CredemMobile
com.EurobankEFG
com.IngDirectAndroid
com.QIIB
com.SifrebazCep
com.VBSmartPhoneApp
com.a2a.android.burgan
com.abnamro.grip
com.abnamro.nl.mobile.payments
com.abnamro.nl.mobile.wallet
com.adcb.bank
com.adib.mbs
com.akbank.android.apps.akbank_direkt
com.akbank.android.apps.akbank_direkt_tablet
com.akbank.softotp
com.alahli.mobile.android
com.alinma.smartphone
com.alpha.pass
com.amanalrajhi
com.anz.android.gomoney
com.appfactory.tmb
com.arabbank.arabimobile
com.axabanque.fr
com.axis.cbk
com.bancamarch.bancamovil
com.bancomer.mbanking
com.bancsabadell.wallet
com.bankaustria.android.olb
com.bankia.wallet
com.bankinter.launcher
com.bankinter.portugal.bmb
com.bankofireland.mobilebanking
com.bankofqueensland.boq
com.bankofqueensland.boqtablet
com.barclays.android.barclaysmobilebanking
com.barclays.bca
com.barclays.portugal.ui
com.bawagpsk.securityapp
com.bbva.bbvacontigo
com.bbva.bbvawalletmx
com.bbva.netcash
com.bbva.netcashar
com.bbva.nxt_tablet
com.bendigobank.mobile
com.binckbank.evolution
com.bnpp.easybanking
com.boi.tablet365
com.boubyanapp.boubyan.bank
com.boursorama.android.clients
com.bsffm
com.business_token
com.caisse.epargne.android.tablette
com.caisseepargne.android.mobilebanking
com.cajamar.GCCajamar
com.cajasur.android
com.carrefour.bank
com.cba.android.netbank
com.cba.shiraz
com.cbd.mobile
com.cbq.CBMobile
com.cic_prod.bad
com.cic_prod_tablet.bad
com.citi.regional.argentina
com.citibank.mobile.au
com.citibank.mobile.citiuaePAT
com.cleverlance.csas.servis24
com.cm_prod.bad
com.cm_prod_tablet.bad
com.comarch.mobile
com.comarch.mobile.banking.bnpparibas
com.comarch.security.mobilebanking
com.comdirect.phototan
com.commbank.netbank
com.commerzbank.kontostand
com.commerzbank.photoTAN
com.cs.vasco
com.csg.cs.dnmb
com.db.mm.deutschebank
com.db.mobilebanking
com.db.pbc.miabanca
com.db.pbc.mibanco
com.db.pbc.phototan.db
com.db.tabbanking
com.defencebank.locationapp
com.dib.app
com.ducont.meethaq
com.ducont.muscatbank
com.entersekt.authapp.dkb
com.ezmcom.softtoken.adcb
com.finansbank.mobile.cepsube
com.finanteq.finance.ca
com.firstdirect.bankingonthego
com.fpe.comptenickel
com.fullsix.android.labanquepostale.accountaccess
com.fusion.banking
com.fusion.beyondbank
com.garanti.bonusapp
com.garanti.cepbank
com.garanti.cepsubesi
com.getingroup.mobilebanking
com.gieseckedevrient.android.wallet.rabo
com.google.android.1gm1
com.greater.Greater
com.grppl.android.shell.BOS
com.grppl.android.shell.CMBlloydsTSB73
com.grppl.android.shell.halifax
com.hipotecario.mobile
com.hsbc.hsbcukcmb
com.htsu.hsbcpersonalbanking
com.icbc.mobile.abroadARG
com.icomvision.bsc.mobilebank
com.ideaknow.ing
com.ie.capitalone.uk
com.iflex.fcat.mobile.android
com.imb.banking2
com.ing.diba.mbbr2
com.ing.diba.smartsecure2
com.ing.mobile
com.ing.mobilepayments
com.ingbanktr.cuzdan
com.ingbanktr.ingmobil
com.intertech.mobilemoneytransfer.activity
com.isis_papyrus.raiffeisen_pay_eyewdg
com.kbc.mobilebanking
com.kfh.kfhonline
com.kutxabank.android
com.kutxabank.appatxas
com.kuveytturk.mobil
com.latuabanca_tabperandroid
com.latuabancaperandroid
com.latuabancaperandroid.ispb
com.latuabancaperandroid.pg
com.lcl.application.tablette
com.lloydsbank.businessmobile
com.magiclick.odeabank
com.mbanking.nbb
com.mediaengine.allianzbank
com.mediolanum.android.bst
com.mediolanum.android.fullbanca
com.mediolanum.android.wallet
com.mobileloft.alpha.droid
com.mobilenik.bsf
com.mobilenik.ubika.bna
com.monitise.client.android.clydesdale
com.monitise.client.android.yorkshire
com.monitise.coop
com.mosync.app_Banco_Galicia
com.nbo.ar
com.nbo.mobs
com.ncb.softtoken
com.nearform.ptsb
com.niobiumlabs.eurobank.activity
com.ofss.fcdb.mobile.android.phone.bahl.launcher
com.opentecheng.android.webank
com.paypal.android.p2pmobile
com.paypal.here
com.posteitaliane.postemobilestore
com.pozitron.anb
com.pozitron.ingkurumsal
com.pozitron.iscep
com.pozitron.vakifbank
com.rak
com.rbs.mobile.android.natwest
com.rbs.mobile.android.natwestbandc
com.rbs.mobile.android.rbsbandc
com.rbs.mobile.android.rbsm
com.rbs.mobile.android.ubn
com.rev.mobilebanking.westpac
com.rsi
com.rsi.ruralviatablet
com.s4m
com.sa.baj.aljazirasmart
com.sabb
com.samba.mb
com.scb.ae.bmw
com.scrignosa
com.sella.BancaSella
com.softtech.isbankasi
com.solidpass.main.bsf
com.starfinanz.mobile.android.dkbpushtan
com.starfinanz.mobile.android.pushtan
com.starfinanz.smob.android.sbanking
com.starfinanz.smob.android.sbanking.tablet
com.starfinanz.smob.android.sfinanzstatus
com.starfinanz.smob.android.sfinanzstatus.tablet
com.supervielle.mBanking
com.swmind.vcc.android.bzwbk_mobile.app
com.targo_prod.bad
com.targo_prod_tablet.bad
com.teb
com.tecnocom.cajalaboral
com.tescobank.mobile
com.tmob.denizbank
com.tmobtech.halkbank
com.ubank.internetbanking
com.ubs.swidK2Y.android
com.ubs.swidKXJ.android
com.unicajaTabletas
com.unicredit
com.vakifbank.mobile
com.vipera.ts.starter.FGB
com.vipera.ts.starter.MashreqAE
com.vipera.ts.starter.MashreqQA
com.vipera.ts.starter.QNB
com.ykb.android
com.ykb.android.db
com.ykb.android.mobilonay
com.ykb.androidtablet
com.ykb.avm
com.zentity.ing
com.ziraat.ziraatmobil
coop.bancocredicoop.bancamobile
cz.airbank.android
cz.csas.app.mujstav
cz.csas.business24
cz.csob.smartbanking
cz.csob.smartklic
cz.kb.mba.business
cz.mbank
cz.moneta.smartbanka
cz.rb.app.smartphonebanking
cz.sberbankcz
cz.ulikeit.fio
de.adesso.mobile.android.gadfints
de.comdirect
de.comdirect.android
de.commerzbanking.mobil
de.consorsbank
de.dkb.portalapp
de.dzbank.kartenregie
de.fgi.ms.securesign
de.fgi.ms.vrsecurecard
de.fiducia.smartphone.android.banking.bb
de.fiducia.smartphone.android.banking.psd
de.fiducia.smartphone.android.banking.vr
de.fiducia.smartphone.android.securego.vr
de.ing_diba.kontostand
de.postbank.finanzassistent
de.sdvrz.ihb.mobile.app
de.sdvrz.ihb.mobile.secureapp.netbank.produktion
de.sdvrz.ihb.mobile.secureapp.sparda.produktion
enbd.mobilebanking
enbd.mobilebanking.ksamobile
enbd.mobilebanking.smartbusiness
es.bancopopular.nbmpopular
es.bancopopular.nbmpopulartablet
es.bancosantander.apps
es.bancosantander.empresas
es.bancosantander.wallet
es.bmn.bmnapp2
es.bmn.cajagranadaapp2
es.bmn.cajamurciaapp2
es.bmn.sanostraapp2
es.caixagalicia.activamovil
es.caixageral.caixageralapp
es.ccm.ccmapp
es.cm.android
es.cm.android.tablet
es.connectis.mobile.alrajhi
es.evobanco.bancamovil
es.lacaixa.hceicon2
es.lacaixa.mobile.android.newwapicon
es.liberbank.cajasturapp
es.redsys.walletmb.app.kutxa.pro
es.redsys.walletmb.app.laboralkutxa.pro
es.santander.money
es.univia.unicajamovil
eu.eleader.mobilebanking.abk
eu.eleader.mobilebanking.bre
eu.eleader.mobilebanking.nbk
eu.eleader.mobilebanking.pekao
eu.eleader.mobilebanking.pekao.firm
eu.eleader.mobilebanking.raiffeisen
eu.inmite.prj.kb.mobilbank
finansbank.enpara
fr.banquepopulaire.cyberplus
fr.banquepopulaire.cyberplus.pro
fr.banquepopulaire.cyberplustablet
fr.bred.fr
fr.creditagricole.androidapp
fr.creditagricole.macarteca
fr.lcl.android.customerarea
fr.lcl.android.entreprise
ftb.ibank.android
gr.winbank.mobile
hr.asseco.android.jimba.mUCI.cz
hr.asseco.android.jimba.mUCI.cz.tablet
hr.asseco.android.mtoken.credem.credemprod
hr.asseco.android.mtoken.pekao
it.bcc.iccrea.mycartabcc
it.bnl.androidTablet
it.bnl.apps.banking
it.bpm.bpmandroid
it.bpm.ptbandroid
it.carige
it.cividale.bpconline
it.copergmps.rt.pf.android.sp.bmps
it.copergmps.rt.pf.android.tab.ui.bmps
it.creval.bancaperta
it.elfisystems.ncbc.droid.tablet
it.elfisystems.ncbc.mobile
it.gruppobper.ams.android.bper
it.ingdirect.app
it.nogood.container
it.popso.SCRIGNOapp
it.relaxbanking
it.reply.up.mobile.android
it.secservizi.mobile.atime
it.secservizi.mobile.atime.bpaa
it.secservizi.mobile.atime.bpvi
it.ubi.digitalcode
it.ubiss.mpay
it.volksbank.android
mbanking.NBG
mobi.societegenerale.mobile.lappli
mobi.societegenerale.mobile.lapplipro
mobile.alphabank.myAlphaWallet_android
mobile.santander.de
net.atos.alrajhi.mobilekw
net.bnpparibas.mescomptes
net.inverline.bancosabadell.officelocator.android
nl.asnbank.asnbankieren
nl.rabomobiel
nl.regiobank.regiobankieren
nl.snsbank.snsbankieren
nl.snsbank.snshelp
nz.co.amp.myportfolio.android
nz.co.anz.android.mobilebanking
nz.co.asb.asbmobile
nz.co.asb.mobilebusiness
nz.co.bnz.droidbanking
nz.co.bnz.droidbusinessbanking
nz.co.cooperativebank
nz.co.kiwibank.mobile
nz.co.westpac
org.banelco
org.banelco.ibay
org.banelco.qlms
org.banelco.rbts
org.banelco.sdmr
org.banking.bom.businessconnect
org.banking.bsa.businessconnect
org.banking.stg.businessconnect
org.banksa.bank
org.bom.bank
org.microemu.android.model.common.VTUserApplicationLIN
org.microemu.android.model.common.VTUserApplicationLIN
org.stgeorge.bank
org.westpac.bank
org.westpac.col
pl.aliorbank.kantorwalutowy
pl.bzwbk.bzwbk24
pl.bzwbk.ibiznes24
pl.bzwbk.mobile.tab.bzwbk24
pl.com.suntech.mobileconnect
pl.eurobank
pl.ing.ingmobile
pl.ipko.mobile
pl.mbank
pl.millennium.corpApp
pl.pkobp.iko
posteitaliane.posteapp.appbpol
pt.BancoPopular.android.app
pt.bancobest.android.mobilebanking
pt.bancobpi.mobile.autorizacoesempresas
pt.bancobpi.mobile.fiabilizacao
pt.bes.bestablet
pt.cgd.caixadirecta
pt.cgd.caixadirectaempresas
pt.novobanco.nbapp
pt.santandertotta.mobileparticulares
pt.sibs.android.mbway
riyad.bankingapp.android
rm.beleggen
tr.com.sekerbilisim.mbank
tsb.mobilebanking
uk.co.bankofscotland.businessbank
uk.co.metrobankonline.personal.mobile
uk.co.northernbank.android.tribank
uk.co.santander.businessUK.bb
uk.co.santander.santanderUK
uk.co.tsb.mobilebank
wit.android.bcpBankingApp.activoBank
wit.android.bcpBankingApp.millennium
wit.android.bcpBankingApp.millenniumPL
www.ingdirect.nativeframe
Çom.android.vendin?
Source:https://www.bleepingcomputer.com/
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.