#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

banking Trojan | Breaking Cybersecurity News | The Hacker News

Category — banking Trojan
New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers

New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers

Nov 05, 2024 Mobile Security / Cyber Attack
Over 1,500 Android devices have been infected by a new strain of Android banking malware called ToxicPanda that allows threat actors to conduct fraudulent banking transactions. "ToxicPanda's main goal is to initiate money transfers from compromised devices via account takeover (ATO) using a well-known technique called on-device fraud ( ODF )," Cleafy researchers Michele Roviello, Alessandro Strino, and Federico Valentini said in a Monday analysis. "It aims to bypass bank countermeasures used to enforce users' identity verification and authentication, combined with behavioral detection techniques applied by banks to identify suspicious money transfers." ToxicPanda is believed to be the work of a Chinese-speaking threat actor, with the malware sharing foundational similarities with another Android malware dubbed TgToxic , which can steal credentials and funds from crypto wallets. TgToxic was documented by Trend Micro in early 2023. A majority of the com...
Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack

Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack

Oct 16, 2024 Cyber Attack / Banking Trojan
A new spear-phishing campaign targeting Brazil has been found delivering a banking malware called Astaroth (aka Guildma) by making use of obfuscated JavaScript to slip past security guardrails. "The spear-phishing campaign's impact has targeted various industries, with manufacturing companies, retail firms, and government agencies being the most affected," Trend Micro said in a new analysis. "The malicious emails often impersonate official tax documents, using the urgency of personal income tax filings to trick users into downloading the malware." The cybersecurity company is tracking the threat activity cluster under the name Water Makara. It's worth pointing out that Google's Threat Analysis Group (TAG) has assigned the moniker PINEAPPLE to a similar intrusion set that delivers the same malware to Brazilian users. Both these campaigns share a point of commonality in that they commence with phishing messages that impersonate official entities su...
7 PAM Best Practices to Secure Hybrid and Multi-Cloud Environments

7 PAM Best Practices to Secure Hybrid and Multi-Cloud Environments

Dec 04, 2024Risk Management / Zero Trust
Are you using the cloud or thinking about transitioning? Undoubtedly, multi-cloud and hybrid environments offer numerous benefits for organizations. However, the cloud's flexibility, scalability, and efficiency come with significant risk — an expanded attack surface. The decentralization that comes with utilizing multi-cloud environments can also lead to limited visibility into user activity and poor access management.  Privileged accounts with access to your critical systems and sensitive data are among the most vulnerable elements in cloud setups. When mismanaged, these accounts open the doors to unauthorized access, potential malicious activity, and data breaches. That's why strong privileged access management (PAM) is indispensable. PAM plays an essential role in addressing the security challenges of complex infrastructures by enforcing strict access controls and managing the life cycle of privileged accounts. By employing PAM in hybrid and cloud environments, you're not...
TrickMo Banking Trojan Can Now Capture Android PINs and Unlock Patterns

TrickMo Banking Trojan Can Now Capture Android PINs and Unlock Patterns

Oct 15, 2024 Mobile Security / Financial Fraud
New variants of an Android banking trojan called TrickMo have been found to harbor previously undocumented features to steal a device's unlock pattern or PIN. "This new addition enables the threat actor to operate on the device even while it is locked," Zimperium security researcher Aazim Yaswant said in an analysis published last week. First spotted in the wild in 2019, TrickMo is so named for its associations with the TrickBot cybercrime group and is capable of granting remote control over infected devices, as well as stealing SMS-based one-time passwords (OTPs) and displaying overlay screens to capture credentials by abusing Android's accessibility services. Last month, Italian cybersecurity company Cleafy disclosed updated versions of the mobile malware with improved mechanisms to evade analysis and grant itself additional permissions to perform various malicious actions on the device, including carrying out unauthorized transactions. Some of the new varia...
cyber security

The AppSec & R&D Playbook: How to Align Security and Innovation

websiteBackslashApplication Security
AppSec vs. R&D? Bridge the gap with clear steps to streamline workflows and foster collaboration.
New Octo2 Android Banking Trojan Emerges with Device Takeover Capabilities

New Octo2 Android Banking Trojan Emerges with Device Takeover Capabilities

Sep 24, 2024 Mobile Security / Cybercrime
Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover ( DTO ) and perform fraudulent transactions. The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding campaigns distributing the malware have been spotted in European countries like Italy, Poland, Moldova, and Hungary. "The malware developers took actions to increase the stability of the remote actions capabilities needed for Device Takeover attacks," the company said . Some of the malicious apps containing Octo2 are listed below - Europe Enterprise (com.xsusb_restore3) Google Chrome (com.havirtual06numberresources) NordVPN (com.handedfastee5) Octo was first flagged by the company in early 2022, describing it as the work of a threat actor who goes by the online aliases Architect and goodluck. It has been assessed...
Chameleon Android Banking Trojan Targets Users Through Fake CRM App

Chameleon Android Banking Trojan Targets Users Through Fake CRM App

Aug 07, 2024 Android / Mobile Security,
Cybersecurity researchers have lifted the lid on a new technique adopted by threat actors behind the Chameleon Android banking trojan targeting users in Canada by masquerading as a Customer Relationship Management (CRM) app. "Chameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally," Dutch security outfit ThreatFabric said in a technical report published Monday. The campaign, spotted in July 2024, targeted customers in Canada and Europe, indicating an expansion of its victimology footprint from Australia, Italy, Poland, and the U.K. The use of CRM-related themes for the malicious dropper apps containing the malware points to the targets being customers in the hospitality sector and Business-to-Consumer (B2C) employees. The dropper artifacts are also designed to bypass Restricted Settings imposed by Google in Android 13 and later in order to prevent sideloaded apps from requesting for dangerous permissions (e.g., acc...
New Android Trojan "BlankBot" Targets Turkish Users' Financial Data

New Android Trojan "BlankBot" Targets Turkish Users' Financial Data

Aug 05, 2024 Mobile Security / Financial Security
Cybersecurity researchers have discovered a new Android banking trojan called BlankBot targeting Turkish users with an aim to steal financial information. "BlankBot features a range of malicious capabilities, which include customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection," Intel 471 said in an analysis published last week. Discovered on July 24, 2024, BlankBot is said to be undergoing active development, with the malware abusing Android's accessibility services permissions to obtain full control over the infected devices. The names of some of the malicious APK files containing BlankBot are listed below - app-release.apk (com.abcdefg.w568b) app-release.apk (com.abcdef.w568b) app-release-signed (14).apk (com.whatsapp.chma14) app.apk (com.whatsapp.chma14p) app.apk (com.whatsapp.w568bp) showcuu.apk (com.whatsapp.w568b) Like the recently resurfaced Mandrake Android trojan, BlankBot implement...
New Android Banking Trojan BingoMod Steals Money, Wipes Devices

New Android Banking Trojan BingoMod Steals Money, Wipes Devices

Aug 01, 2024 Banking Trojan / Cyber Fraud
Cybersecurity researchers have uncovered a new Android remote access trojan (RAT) called BingoMod that not only performs fraudulent money transfers from the compromised devices but also wipes them in an attempt to erase traces of the malware. Italian cybersecurity firm Cleafy, which discovered the RAT towards the end of May 2024, said the malware is under active development. It attributed the Android trojan to a likely Romanian-speaking threat actor owing to the presence of Romanian language comments in the source code associated with early versions. "BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique," researchers Alessandro Strino and Simone Mattia said . It's worth mentioning here that this technique has been observed in other Android banking trojans, such as Medusa (aka...
Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

Jul 08, 2024 Malware / Cyber Threat
Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz). That's according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware. Mekotio , known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal with an aim to steal banking credentials. First documented by ESET in August 2020, it's part of a tetrade of banking trojans targeting the region, such as Guildma, Javali, and Grandoreiro , the latter of which was dismantled by law enforcement earlier this year. "Mekotio shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality and targeting Spanish- and Portuguese-speaking countries," the Slovakian cybersecurity firm said at the time. The malware operation suffered a blow in ...
New Medusa Android Trojan Targets Banking Users Across 7 Countries

New Medusa Android Trojan Targets Banking Users Across 7 Countries

Jun 26, 2024 Android Security / Threat Intelligence
Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis published last week. The new Medusa samples feature a "lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications," security researchers Simone Mattia and Federico Valentini said. Medusa, also known as TangleBot, is a sophisticated Android malware first discovered in July 2020 targeting financial entities in Turkey. It comes with capabilities to read SMS messages, log keystrokes, capture screenshots, record calls, share the device screen in real-time, and perform unauthorized fund transfers using overlay a...
Singapore Police Extradites Malaysians Linked to Android Malware Fraud

Singapore Police Extradites Malaysians Linked to Android Malware Fraud

Jun 18, 2024 Mobile Security / Financial Fraud
The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into downloading malicious apps onto their Android devices via phishing campaigns with the aim of stealing their personal data and banking credentials. The stolen information was subsequently used to initiate fraudulent transactions on the victims' banking accounts, resulting in financial losses. Following a seven-months-long investigation that was launched in November 2023 in partnership with the Hong Kong Police Force (HKPF) and the Royal Malaysia Police (RMP), the SPF said it found evidence linking the two men to a syndicate responsible for carrying out malware-enabled scams. "The two men [...] allegedly operated servers for the purposes of infecting victims' Android mobile phones w...
Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

Jun 15, 2024
Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S. "The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is to steal their personal and financial information." The threat actors, believed to be Chinese-speaking , are known to leverage stolen databases sold on the dark web to send bogus SMS messages, enticing recipients into clicking on links under the pretext of informing them of a failed package delivery and urging them to update their address. Users who end up clicking on the URLs are directed to fake websites that prompt them to enter their financial information as part of a supposed service fee charged for redelivery. "Besides Pakistan Post, the group was also ...
Brazilian Banks Targeted by New AllaKore RAT Variant Called AllaSenha

Brazilian Banks Targeted by New AllaKore RAT Variant Called AllaSenha

May 29, 2024 Mobile Security / Banking Trojan
Brazilian banking institutions are the target of a new campaign that distributes a custom variant of the Windows-based AllaKore remote access trojan (RAT) called AllaSenha . The malware is "specifically aimed at stealing credentials that are required to access Brazilian bank accounts, [and] leverages Azure cloud as command-and-control (C2) infrastructure," French cybersecurity company HarfangLab said in a technical analysis. Targets of the campaign include banks such as Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob, and Sicredi. The initial access vector, though not definitively confirmed, points towards the use of malicious links in phishing messages. The starting point of the attack is a malicious Windows shortcut (LNK) file that masquerades as a PDF document ("NotaFiscal.pdf.lnk") hosted on a WebDAV server since at least March 2024. There is also evidence to suggest that the threat actors behind the activity previous...
Beware: These Fake Antivirus Sites Spreading Android and Windows Malware

Beware: These Fake Antivirus Sites Spreading Android and Windows Malware

May 24, 2024 Malvertising / Endpoint Security
Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. "Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber attacks," Trellix security researcher Gurumoorthi Ramanathan  said . The list of websites is below - avast-securedownload[.]com, which is used to deliver the  SpyNote trojan  in the form of an Android package file ("Avast.apk") that, once installed, requests for intrusive permissions to read SMS messages and call logs, install and delete apps, take screenshot, track location, and even mine cryptocurrency bitdefender-app[.]com, which is used to deliver a ZIP archive file ("setup-win-x86-x64.exe.zip") that deploys the  Lumma  information stealer malw...
Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail

Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail

May 20, 2024 Malvertising / Cryptocurrency
A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro. "The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks," Recorded Future's Insikt Group  said  in a report. The cybersecurity firm, which is tracking the activity under the moniker GitCaught, said the campaign not only highlights the misuse of authentic internet services to orchestrate cyber attacks, but also the reliance on multiple malware variants targeting Android, macOS, and Windows to increase the success rate. Attack chains entail the use of fake profile...
Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

May 19, 2024 Banking Troja / Email Security
The threat actors behind the Windows-based  Grandoreiro  banking trojan have returned in a global campaign since March 2024 following a law enforcement takedown in January. The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South America, Africa, Europe, and the Indo-Pacific, IBM X-Force said. While  Grandoreiro  is known primarily for its focus in Latin America, Spain, and Portugal, the expansion is likely a shift in strategy after attempts to  shut down its infrastructure  by Brazilian authorities. Going hand-in-hand with the broader targeting footprint are significant improvements to the malware itself, which indicates active development. "Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Mic...
Android 15 Rolls Out Advanced Features to Protect Users from Scams and Malicious Apps

Android 15 Rolls Out Advanced Features to Protect Users from Scams and Malicious Apps

May 15, 2024 Android Security / Malware
Google is unveiling a set of new features in Android 15 to prevent malicious apps installed on the device from capturing sensitive data. This constitutes an update to the  Play Integrity API  that third-party app developers can take advantage of to secure their applications against malware. "Developers can check if there are other apps running that could be capturing the screen, creating overlays, or controlling the device," Dave Kleidermacher, vice president of engineering for Android security and privacy,  said . "This is helpful for apps that want to hide sensitive information from other apps and protect users from scams." Additionally, the Play Integrity API can be used to check if  Google Play Protect  is active and if the user's device is free of known malware before performing sensitive actions or handling sensitive data. Google, with Android 13, introduced a feature called  restricted settings  that by default blocks sideloaded apps from...
Expert Insights / Articles Videos
Cybersecurity Resources