#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

banking Trojan | Breaking Cybersecurity News | The Hacker News

Category — banking Trojan
European Bank Customers Targeted in SpyNote Android Trojan Campaign

European Bank Customers Targeted in SpyNote Android Trojan Campaign

Aug 01, 2023 Mobile Security / Malware
Various European customers of different banks are being targeted by an Android banking trojan called  SpyNote  as part of an aggressive campaign detected in June and July 2023. "The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," Italian cybersecurity firm Cleafy  said  in a technical analysis released Monday. SpyNote , also called SpyMax, is similar to other Android banking Trojans in that it requires  Android's accessibility permissions  in order to grant itself other necessary permissions and gather sensitive data from infected devices. What makes the malware strain notable is its dual functions as spyware and perform bank fraud. The attack chains commence with a bogus SMS message urging users to install a banking app by clicking on the accompanying link, redirecting the victim to the legitimate TeamViewer...
Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan

Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan

Aug 01, 2023 Cyber Attack / Malware
Organizations in Italy are the target of a new phishing campaign that leverages a new strain of malware called  WikiLoader  with an ultimate aim to install a banking trojan, stealer, and spyware referred to as  Ursnif  (aka Gozi). "It is a sophisticated downloader with the objective of installing a second malware payload," Proofpoint  said  in a technical report. "The malware uses multiple mechanisms to evade detection and was likely developed as a malware that can be rented out to select cybercriminal threat actors." WikiLoader is so named due to the malware making a request to Wikipedia and checking that the response has the string "The Free." The enterprise security firm said it first detected the malware in the wild on December 27, 2022, in connection with an intrusion set mounted by a threat actor it tracks as  TA544 , which is also known as Bamboo Spider and Zeus Panda. The campaigns are centered around the use of emails containing either M...
The Future of Serverless Security in 2025: From Logs to Runtime Protection

The Future of Serverless Security in 2025: From Logs to Runtime Protection

Nov 28, 2024Cloud Security / Threat Detection
Serverless environments, leveraging services such as AWS Lambda, offer incredible benefits in terms of scalability, efficiency, and reduced operational overhead. However, securing these environments is extremely challenging. The core of current serverless security practices often revolves around two key components: log monitoring and static analysis of code or system configuration. But here is the issue with that: 1. Logs Only Tell Part of the Story Logs can track external-facing activities, but they don't provide visibility into the internal execution of functions. For example, if an attacker injects malicious code into a serverless function that doesn't interact with external resources (e.g., external APIs or databases), traditional log-based tools will not detect this intrusion. The attacker may execute unauthorized processes, manipulate files, or escalate privileges—all without triggering log events. 2. Static Misconfiguration Detection is Incomplete Static tools that check ...
Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland

Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland

Jun 27, 2023 Mobile Security / Malware
A new Android malware campaign has been observed pushing the Anatsa banking trojan to target banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023. "The actors behind Anatsa aim to steal credentials used to authorize customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions," ThreatFabric  said  in an analysis published Monday. The Dutch cybersecurity company said Anatsa-infected Google Play Store  dropper apps  have accrued over 30,000 installations to date, indicating that the official app storefront has become an effective distribution vector for the malware. Anatsa, also known by the name TeaBot and Toddler, first  emerged  in  early 2021 , and has been observed  masquerading  as  seemingly innocuous utility apps  like PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to siphon users...
cyber security

Creating, Managing and Securing Non-Human Identities

websitePermisoCybersecurity / Identity Security
A new class of identities has emerged alongside traditional human users: non-human identities (NHIs). Permiso Security's new eBook details everything you need to know about managing and securing non-human identities, and strategies to unify identity security without compromising agility.
Over 60K Adware Apps Posing as Cracked Versions of Popular Apps Target Android Devices

Over 60K Adware Apps Posing as Cracked Versions of Popular Apps Target Android Devices

Jun 06, 2023 Mobile Security / Malvertising
Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular applications to serve unwanted ads to users as part of a campaign ongoing since October 2022. "The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue," Bitdefender said in a technical report shared with The Hacker News. "However, the threat actors involved can easily switch tactics to redirect users to other types of malware such as banking Trojans to steal credentials and financial information or ransomware." The Romanian cybersecurity company said it has discovered 60,000 unique apps carrying the adware, with a majority of the detections located in the U.S., South Korea, Brazil, Germany, the U.K., France, Kazakhstan, Romania, and Italy. It's worth pointing out that none of the apps are distributed through the official Google Play Store. Instead, users searching for apps like Netflix, PDF viewers, se...
Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts

Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts

Jun 05, 2023 Banking Security / Malware
An unknown cybercrime threat actor has been observed targeting Spanish- and Portuguese-speaking victims to compromise online banking accounts in Mexico, Peru, and Portugal. "This threat actor employs tactics such as LOLBaS (living-off-the-land binaries and scripts), along with CMD-based scripts to carry out its malicious activities," the BlackBerry Research and Intelligence Team  said  in a report published last week. The cybersecurity company attributed the campaign, dubbed Operation CMDStealer , to a Brazilian threat actor based on an analysis of the artifacts. The attack chain primarily leverages social engineering, banking on Portuguese and Spanish emails containing tax- or traffic violation-themed lures to trigger the infections and gain unauthorized access to victims' systems. The emails come fitted with an HTML attachment that contains obfuscated code to fetch the next-stage payload from a remote server in the form of a RAR archive file. The files, which are...
Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN

Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN

May 05, 2023
Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called  drIBAN  since at least 2019. "The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account," Cleafy researchers Federico Valentini and Alessandro Strino  said . The bank accounts, per the Italian cybersecurity firm, are either controlled by the threat actors themselves or their affiliates, who are then tasked with laundering the stolen funds. The use of web injects is a time-tested tactic that makes it possible for malware to inject custom scripts on the client side by means of a man-in-the-browser ( MitB ) attack and intercept traffic to and from the server. The fraudulent transactions are often realized by means of a technique ...
Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps

Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps

Mar 23, 2023 Mobile Security / Banking
An emerging Android banking trojan dubbed  Nexus  has already been adopted by several threat actors to target 450 financial applications and conduct fraud. "Nexus appears to be in its early stages of development," Italian cybersecurity firm Cleafy  said  in a report published this week. "Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception." The trojan, which appeared in various hacking forums at the start of the year, is advertised as a subscription service to its clientele for a monthly fee of $3,000. Details of the malware were  first documented  by Cyble earlier this month. However, there are indications that the malware may have been used in real-world attacks as early as June 2022, at least six months before its official announcement on darknet portals. According to security researcher Rohit Bansal ( @0xrb ) and confi...
Xenomorph Android Banking Trojan Returns with a New and More Powerful Variant

Xenomorph Android Banking Trojan Returns with a New and More Powerful Variant

Mar 10, 2023 Mobile Security / Android
A new variant of the Android banking trojan named Xenomorph has surfaced in the wild, latest findings from ThreatFabric reveal. Named " Xenomorph 3rd generation " by the Hadoken Security Group, the threat actor behind the operation, the updated version comes with new features that allow it to perform financial fraud in a seamless manner. "This new version of the malware adds many new capabilities to an already feature-rich Android banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete  ATS framework ," the Dutch security firm  said  in a report shared with The Hacker News. Xenomorph  first came to light  a year ago in February 2022, when it was found to target 56 European banks through  dropper apps  published on the Google Play Store. In contrast, the latest iteration of the banker – which has a dedicated website advertising its features – is des...
PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions

PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions

Feb 04, 2023 Mobile Security / Malware
A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. "PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS ( Automatic Transfer System ), enabling attackers to automate the insertion of a malicious money transfer over the instant payment platform PIX, adopted by multiple Brazilian banks," researchers Francesco Iubatti and Alessandro Strino  said . It is also the latest addition in a long list of Android banking malware to abuse the operating system's accessibility services API to carry out its nefarious functions, including disabling Google Play Protect, intercepting SMS messages, preventing uninstallation, and serving rogue ads via push notifications. Besides stealing passwords entered ...
Emotet Malware Makes a Comeback with New Evasion Techniques

Emotet Malware Makes a Comeback with New Evasion Techniques

Jan 24, 2023 Cyber Threat / Cyber Crime
The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Emotet, which officially  reemerged  in late 2021 following a coordinated takedown of its infrastructure by authorities earlier that year, has continued to be a persistent threat that's distributed via phishing emails. Attributed to a cybercrime group tracked as  TA542  (aka Gold Crestwood or Mummy Spider), the virus has  evolved  from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities. Two latest additions to Emotet's module arsenal comprise an  SMB spreader  that's designed to facilitate lateral...
Android Users Beware: New Hook Malware with RAT Capabilities Emerges

Android Users Beware: New Hook Malware with RAT Capabilities Emerges

Jan 19, 2023 Mobile Security / Android
The threat actor behind the  BlackRock  and  ERMAC  Android banking trojans has unleashed yet another malware for rent called  Hook  that introduces new capabilities to access files stored in the devices and create a remote interactive session. ThreatFabric, in a  report  shared with The Hacker News, characterized Hook as a novel ERMAC fork that's advertised for sale for $7,000 per month while featuring "all the capabilities of its predecessor." "In addition, it also adds to its arsenal Remote Access Tooling (RAT) capabilities, joining the ranks of families such as  Octo  and  Hydra , which are capable performing a full Device Take Over (DTO), and complete a full fraud chain, from PII exfiltration to transaction, with all the intermediate steps, without the need of additional channels," the Dutch cybersecurity firm said. A majority of the financial apps targeted by the malware are located in the U.S., Spain, Australia, Poland, ...
GodFather Android Banking Trojan Targeting Users of Over 400 Banking and Crypto Apps

GodFather Android Banking Trojan Targeting Users of Over 400 Banking and Crypto Apps

Dec 21, 2022 Mobile Security / Banking Trojan
An Android banking trojan known as  GodFather  is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries. This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, Canada, and Canada, among others, Singapore-headquartered Group-IB  said  in a report shared with The Hacker News. The malware, like  many   financial   trojans  targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications. First detected by Group-IB in June 2021 and  publicly disclosed  by ThreatFabric in March 2022, GodFather also packs in native backdoor features that allows it to abuse Android's Accessibility APIs to record videos, log keystrokes, capture screenshots, and harvest SMS and call logs. Group-IB's analysis of the malware has ...
These Dropper Apps On Play Store Targeting Over 200 Banking and Cryptocurrency Wallets

These Dropper Apps On Play Store Targeting Over 200 Banking and Cryptocurrency Wallets

Oct 28, 2022
Five malicious dropper Android apps with over 130,000 cumulative installations have been discovered on the Google Play Store distributing banking trojans like  SharkBot  and  Vultur , which are capable of stealing financial data and performing on-device fraud. "These droppers continue the unstopping evolution of malicious apps sneaking to the official store," Dutch mobile security firm ThreatFabric told The Hacker News in a statement. "This evolution includes following newly introduced policies and masquerading as file managers and overcoming limitations by side-loading the malicious payload through the web browser." Targets of these  droppers  include 231 banking and cryptocurrency wallet apps from financial institutions in Italy, the U.K., Germany, Spain, Poland, Austria, the U.S., Australia, France, and the Netherlands. Dropper apps on official app stores like Google Play have  increasingly   become  a popular and efficient technique to d...
Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan

Sep 05, 2022
The notorious Android banking trojan known as  SharkBot  has once again made an appearance on the Google Play Store by masquerading as antivirus and cleaner apps. "This new dropper doesn't rely on Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware," NCC Group's Fox-IT  said  in a report. "Instead, this new version asks the victim to install the malware as a fake update for the antivirus to stay protected against threats." The apps in question, Mister Phone Cleaner and Kylhavy Mobile Security, have over 60,000 installations between them and are designed to target users in Spain, Australia, Poland, Germany, the U.S., and Austria - Mister Phone Cleaner (com.mbkristine8.cleanmaster, 50,000+ downloads) Kylhavy Mobile Security (com.kylhavy.antivirus, 10,000+ downloads) The  droppers  are designed to drop a new version of SharkBot,  dubbed V2  by Dutch security firm ThreatFabric, which features an...
New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers

Aug 20, 2022
Organizations in the Spanish-speaking nations of Mexico and Spain are in the crosshairs of a new campaign designed to deliver the  Grandoreiro  banking trojan.  "In this campaign, the threat actors impersonate government officials from the Attorney General's Office of Mexico City and from the Public Ministry in the form of spear-phishing emails in order to lure victims to download and execute 'Grandoreiro,' a prolific banking trojan that has been active since at least 2016, and that specifically targets users in Latin America," Zscaler  said  in a report. The ongoing attacks, which commenced in June 2022, have been observed to target automotive, civil and industrial construction, logistics, and machinery sectors via multiple infection chains in Mexico and chemicals manufacturing industries in Spain. Attack chains entail leveraging spear-phishing emails written in Spanish to trick potential victims into clicking on an embedded link that retrieves a ZIP archi...
SOVA Android Banking Trojan Returns With New Capabilities and Targets

SOVA Android Banking Trojan Returns With New Capabilities and Targets

Aug 15, 2022
The SOVA Android banking trojan is continuing to be actively developed with upgraded capabilities to target no less than 200 mobile applications, including banking apps and crypto exchanges and wallets, up from 90 apps when it started out. That's according to the latest findings from Italian cybersecurity firm Cleafy, which found newer versions of the malware sporting functionality to intercept two-factor authentication (2FA) codes, steal cookies, and expand its targeting to cover Australia, Brazil, China, India, the Philippines, and the U.K. SOVA, meaning Owl in Russian, came to light in  September 2021  when it was observed striking financial and shopping apps from the U.S. and Spain for harvesting credentials through overlay attacks by taking advantage of Android's Accessibility services. In less than a year, the trojan has also acted as a foundation for another Android malware called  MaliBot  that's designed to target online banking and cryptocurrency walle...
Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France

Roaming Mantis Financial Hackers Targeting Android and iPhone Users in France

Jul 25, 2022
The mobile threat campaign tracked as  Roaming Mantis  has been linked to a new wave of compromises directed against French mobile phone users, months after it expanded its targeting to include European countries. No fewer than 70,000 Android devices are said to have been infected as part of the active malware operation, Sekoia said in a report published last week. Attack chains involving  Roaming Mantis , a financially motivated Chinese threat actor, are known to either deploy a piece of banking trojan named MoqHao (aka XLoader) or redirect iPhone users to credential harvesting landing pages that mimic the iCloud login page. "MoqHao (aka Wroba, XLoader for Android) is an Android remote access trojan (RAT) with information-stealing and backdoor capabilities that likely spreads via SMS," Sekoia researchers  said . It all starts with a phishing SMS, a technique known as smishing, enticing users with package delivery-themed messages containing rogue links, that, ...
Expert Insights / Articles Videos
Cybersecurity Resources