#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

banking Trojan | Breaking Cybersecurity News | The Hacker News

Category — banking Trojan
New Octo2 Android Banking Trojan Emerges with Device Takeover Capabilities

New Octo2 Android Banking Trojan Emerges with Device Takeover Capabilities

Sep 24, 2024 Mobile Security / Cybercrime
Cybersecurity researchers have discovered a new version of an Android banking trojan called Octo that comes with improved capabilities to conduct device takeover ( DTO ) and perform fraudulent transactions. The new version has been codenamed Octo2 by the malware author, Dutch security firm ThreatFabric said in a report shared with The Hacker News, adding campaigns distributing the malware have been spotted in European countries like Italy, Poland, Moldova, and Hungary. "The malware developers took actions to increase the stability of the remote actions capabilities needed for Device Takeover attacks," the company said . Some of the malicious apps containing Octo2 are listed below - Europe Enterprise (com.xsusb_restore3) Google Chrome (com.havirtual06numberresources) NordVPN (com.handedfastee5) Octo was first flagged by the company in early 2022, describing it as the work of a threat actor who goes by the online aliases Architect and goodluck. It has been assessed
Chameleon Android Banking Trojan Targets Users Through Fake CRM App

Chameleon Android Banking Trojan Targets Users Through Fake CRM App

Aug 07, 2024 Android / Mobile Security,
Cybersecurity researchers have lifted the lid on a new technique adopted by threat actors behind the Chameleon Android banking trojan targeting users in Canada by masquerading as a Customer Relationship Management (CRM) app. "Chameleon was seen masquerading as a CRM app, targeting a Canadian restaurant chain operating internationally," Dutch security outfit ThreatFabric said in a technical report published Monday. The campaign, spotted in July 2024, targeted customers in Canada and Europe, indicating an expansion of its victimology footprint from Australia, Italy, Poland, and the U.K. The use of CRM-related themes for the malicious dropper apps containing the malware points to the targets being customers in the hospitality sector and Business-to-Consumer (B2C) employees. The dropper artifacts are also designed to bypass Restricted Settings imposed by Google in Android 13 and later in order to prevent sideloaded apps from requesting for dangerous permissions (e.g., acc
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
New Android Trojan "BlankBot" Targets Turkish Users' Financial Data

New Android Trojan "BlankBot" Targets Turkish Users' Financial Data

Aug 05, 2024 Mobile Security / Financial Security
Cybersecurity researchers have discovered a new Android banking trojan called BlankBot targeting Turkish users with an aim to steal financial information. "BlankBot features a range of malicious capabilities, which include customer injections, keylogging, screen recording and it communicates with a control server over a WebSocket connection," Intel 471 said in an analysis published last week. Discovered on July 24, 2024, BlankBot is said to be undergoing active development, with the malware abusing Android's accessibility services permissions to obtain full control over the infected devices. The names of some of the malicious APK files containing BlankBot are listed below - app-release.apk (com.abcdefg.w568b) app-release.apk (com.abcdef.w568b) app-release-signed (14).apk (com.whatsapp.chma14) app.apk (com.whatsapp.chma14p) app.apk (com.whatsapp.w568bp) showcuu.apk (com.whatsapp.w568b) Like the recently resurfaced Mandrake Android trojan, BlankBot implement
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
New Android Banking Trojan BingoMod Steals Money, Wipes Devices

New Android Banking Trojan BingoMod Steals Money, Wipes Devices

Aug 01, 2024 Banking Trojan / Cyber Fraud
Cybersecurity researchers have uncovered a new Android remote access trojan (RAT) called BingoMod that not only performs fraudulent money transfers from the compromised devices but also wipes them in an attempt to erase traces of the malware. Italian cybersecurity firm Cleafy, which discovered the RAT towards the end of May 2024, said the malware is under active development. It attributed the Android trojan to a likely Romanian-speaking threat actor owing to the presence of Romanian language comments in the source code associated with early versions. "BingoMod belongs to the modern RAT generation of mobile malware, as its remote access capabilities allow threat actors (TAs) to conduct Account Takeover (ATO) directly from the infected device, thus exploiting the on-device fraud (ODF) technique," researchers Alessandro Strino and Simone Mattia said . It's worth mentioning here that this technique has been observed in other Android banking trojans, such as Medusa (aka
Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

Experts Warn of Mekotio Banking Trojan Targeting Latin American Countries

Jul 08, 2024 Malware / Cyber Threat
Financial institutions in Latin America are being threatened by a banking trojan called Mekotio (aka Melcoz). That's according to findings from Trend Micro, which said it recently observed a surge in cyber attacks distributing the Windows malware. Mekotio , known to be actively put to use since 2015, is known to target Latin American countries like Brazil, Chile, Mexico, Spain, Peru, and Portugal with an aim to steal banking credentials. First documented by ESET in August 2020, it's part of a tetrade of banking trojans targeting the region, such as Guildma, Javali, and Grandoreiro , the latter of which was dismantled by law enforcement earlier this year. "Mekotio shares common characteristics for this type of malware, such as being written in Delphi, using fake pop-up windows, containing backdoor functionality and targeting Spanish- and Portuguese-speaking countries," the Slovakian cybersecurity firm said at the time. The malware operation suffered a blow in
New Medusa Android Trojan Targets Banking Users Across 7 Countries

New Medusa Android Trojan Targets Banking Users Across 7 Countries

Jun 26, 2024 Android Security / Threat Intelligence
Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis published last week. The new Medusa samples feature a "lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications," security researchers Simone Mattia and Federico Valentini said. Medusa, also known as TangleBot, is a sophisticated Android malware first discovered in July 2020 targeting financial entities in Turkey. It comes with capabilities to read SMS messages, log keystrokes, capture screenshots, record calls, share the device screen in real-time, and perform unauthorized fund transfers using overlay a
Singapore Police Extradites Malaysians Linked to Android Malware Fraud

Singapore Police Extradites Malaysians Linked to Android Malware Fraud

Jun 18, 2024 Mobile Security / Financial Fraud
The Singapore Police Force (SPF) has announced the extradition of two men from Malaysia for their alleged involvement in a mobile malware campaign targeting citizens in the country since June 2023. The unnamed individuals, aged 26 and 47, engaged in scams that tricked unsuspecting users into downloading malicious apps onto their Android devices via phishing campaigns with the aim of stealing their personal data and banking credentials. The stolen information was subsequently used to initiate fraudulent transactions on the victims' banking accounts, resulting in financial losses. Following a seven-months-long investigation that was launched in November 2023 in partnership with the Hong Kong Police Force (HKPF) and the Royal Malaysia Police (RMP), the SPF said it found evidence linking the two men to a syndicate responsible for carrying out malware-enabled scams. "The two men [...] allegedly operated servers for the purposes of infecting victims' Android mobile phones w
Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

Grandoreiro Banking Trojan Hits Brazil as Smishing Scams Surge in Pakistan

Jun 15, 2024
Pakistan has become the latest target of a threat actor called the Smishing Triad, marking the first expansion of its footprint beyond the E.U., Saudi Arabia, the U.A.E., and the U.S. "The group's latest tactic involves sending malicious messages on behalf of Pakistan Post to customers of mobile carriers via iMessage and SMS," Resecurity said in a report published earlier this week. "The goal is to steal their personal and financial information." The threat actors, believed to be Chinese-speaking , are known to leverage stolen databases sold on the dark web to send bogus SMS messages, enticing recipients into clicking on links under the pretext of informing them of a failed package delivery and urging them to update their address. Users who end up clicking on the URLs are directed to fake websites that prompt them to enter their financial information as part of a supposed service fee charged for redelivery. "Besides Pakistan Post, the group was also
Brazilian Banks Targeted by New AllaKore RAT Variant Called AllaSenha

Brazilian Banks Targeted by New AllaKore RAT Variant Called AllaSenha

May 29, 2024 Mobile Security / Banking Trojan
Brazilian banking institutions are the target of a new campaign that distributes a custom variant of the Windows-based AllaKore remote access trojan (RAT) called AllaSenha . The malware is "specifically aimed at stealing credentials that are required to access Brazilian bank accounts, [and] leverages Azure cloud as command-and-control (C2) infrastructure," French cybersecurity company HarfangLab said in a technical analysis. Targets of the campaign include banks such as Banco do Brasil, Bradesco, Banco Safra, Caixa Econômica Federal, Itaú Unibanco, Sicoob, and Sicredi. The initial access vector, though not definitively confirmed, points towards the use of malicious links in phishing messages. The starting point of the attack is a malicious Windows shortcut (LNK) file that masquerades as a PDF document ("NotaFiscal.pdf.lnk") hosted on a WebDAV server since at least March 2024. There is also evidence to suggest that the threat actors behind the activity previous
Beware: These Fake Antivirus Sites Spreading Android and Windows Malware

Beware: These Fake Antivirus Sites Spreading Android and Windows Malware

May 24, 2024 Malvertising / Endpoint Security
Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. "Hosting malicious software through sites which look legitimate is predatory to general consumers, especially those who look to protect their devices from cyber attacks," Trellix security researcher Gurumoorthi Ramanathan  said . The list of websites is below - avast-securedownload[.]com, which is used to deliver the  SpyNote trojan  in the form of an Android package file ("Avast.apk") that, once installed, requests for intrusive permissions to read SMS messages and call logs, install and delete apps, take screenshot, track location, and even mine cryptocurrency bitdefender-app[.]com, which is used to deliver a ZIP archive file ("setup-win-x86-x64.exe.zip") that deploys the  Lumma  information stealer malw
Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail

Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail

May 20, 2024 Malvertising / Cryptocurrency
A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible software like 1Password, Bartender 5, and Pixelmator Pro. "The presence of multiple malware variants suggests a broad cross-platform targeting strategy, while the overlapping C2 infrastructure points to a centralized command setup — possibly increasing the efficiency of the attacks," Recorded Future's Insikt Group  said  in a report. The cybersecurity firm, which is tracking the activity under the moniker GitCaught, said the campaign not only highlights the misuse of authentic internet services to orchestrate cyber attacks, but also the reliance on multiple malware variants targeting Android, macOS, and Windows to increase the success rate. Attack chains entail the use of fake profiles and repositories on GitHub,
Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

Grandoreiro Banking Trojan Resurfaces, Targeting Over 1,500 Banks Worldwide

May 19, 2024 Banking Troja / Email Security
The threat actors behind the Windows-based  Grandoreiro  banking trojan have returned in a global campaign since March 2024 following a law enforcement takedown in January. The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world, spanning more than 60 countries in Central and South America, Africa, Europe, and the Indo-Pacific, IBM X-Force said. While  Grandoreiro  is known primarily for its focus in Latin America, Spain, and Portugal, the expansion is likely a shift in strategy after attempts to  shut down its infrastructure  by Brazilian authorities. Going hand-in-hand with the broader targeting footprint are significant improvements to the malware itself, which indicates active development. "Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected
Android 15 Rolls Out Advanced Features to Protect Users from Scams and Malicious Apps

Android 15 Rolls Out Advanced Features to Protect Users from Scams and Malicious Apps

May 15, 2024 Android Security / Malware
Google is unveiling a set of new features in Android 15 to prevent malicious apps installed on the device from capturing sensitive data. This constitutes an update to the  Play Integrity API  that third-party app developers can take advantage of to secure their applications against malware. "Developers can check if there are other apps running that could be capturing the screen, creating overlays, or controlling the device," Dave Kleidermacher, vice president of engineering for Android security and privacy,  said . "This is helpful for apps that want to hide sensitive information from other apps and protect users from scams." Additionally, the Play Integrity API can be used to check if  Google Play Protect  is active and if the user's device is free of known malware before performing sensitive actions or handling sensitive data. Google, with Android 13, introduced a feature called  restricted settings  that by default blocks sideloaded apps from accessing
Malicious Android Apps Pose as Google, Instagram, WhatsApp to Steal Credentials

Malicious Android Apps Pose as Google, Instagram, WhatsApp to Steal Credentials

May 10, 2024 Cybercrime / Banking Fraud
Malicious Android apps masquerading as Google, Instagram, Snapchat, WhatsApp, and X (formerly Twitter) have been observed to steal users' credentials from compromised devices. "This malware uses famous Android app icons to mislead users and trick victims into installing the malicious app on their devices," the SonicWall Capture Labs threat research team  said  in a recent report. The distribution vector for the campaign is currently unclear. However, once the app is installed on the users' phones, it requests them to grant it permissions to the accessibility services and the  device administrator API , a now-deprecated feature that provides device administration features at the system level. Obtaining these permissions allows the rogue app to gain control over the device, making it possible to carry out arbitrary actions ranging from data theft to malware deployment without the victims' knowledge. The malware is designed to establish connections with a comman
New 'Brokewell' Android Malware Spread Through Fake Browser Updates

New 'Brokewell' Android Malware Spread Through Fake Browser Updates

Apr 26, 2024 Mobile Security / Cybercrime
Fake browser updates are being used to push a previously undocumented Android malware called  Brokewell . "Brokewell is a typical modern banking malware equipped with both data-stealing and remote-control capabilities built into the malware," Dutch security firm ThreatFabric  said  in an analysis published Thursday. The malware is said to be in active development, adding new commands to capture touch events, textual information displayed on screen, and the applications a victim launches. The list of Brokewell apps that masquerade as Google Chrome, ID Austria, and Klarna is as follows - jcwAz.EpLIq.vcAZiUGZpK (Google Chrome) zRFxj.ieubP.lWZzwlluca (ID Austria) com.brkwl.upstracking (Klarna) Like other recent Android malware families of its kind, Brokewell is capable of getting around restrictions imposed by Google that prevent sideloaded apps from requesting  accessibility service permissions . The banking trojan, once installed and launched for the first time, pro
Expert Insights / Articles Videos
Cybersecurity Resources