Banking Trojan found in Google Play
Adware | 10/03/2018

Google Play Store Haunted by Banking Malware



Banking Trojans are not new to the cyber-crime world. A banking Trojan is a malicious program designed to gain access to confidential banking information. This type of malware is built with a backdoor that allows third parties to gain access to the system.

As security technologies, especially in the banking domain, continue to improve, malware code is constantly evolving to evade detection. The financial cyber-crime landscape is therefore constantly changing to keep pace with rising awareness and the increasing effectiveness of banking controls.

With the increasing popularity of mobile devices for carrying out transactions, cyber-criminals have embraced mobile as their platform of choice for fraudulent activities. Since 2015 there has been a tremendous increase in the design and launch of fake mobile apps to deceive users. The nature of a fake application depends on the goals of the cyber-criminals, who use different strategies to build and deploy them.

Android Malware Stealing Banking Information

Recent research revealed that a banking Trojan was found in Google Play. A malicious app offering automatic voice and call recording was found in the official Android store.

The QRecorder app, a phone call recording utility, is known to have stolen thousands of euros from two European individuals. Its 10,000 downloads show how popular the app was. The call recorder worked as advertised in order to avoid any kind of suspicion.

The large number of downloads suggests that the app initially worked properly. The malware is believed to have been added in the last update.

Razdel: A BankBot Variant Responsible for the Malice

The Banking Trojan found in Google Play is identified as Razdel, a variant of the BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level, incorporating:

  • Remote access Trojan functions,
  • SMS interception,
  • UI (User Interface) Overlay with masqueraded pages etc.

Once the app is installed on your mobile:

  1. It seeks permission to cover other applications on your phone with its interface.
  2. The Trojan is programmed to intercept text messages.

These features are sufficient to rob users of their hard-earned money. Text message interception was used to bypass two-factor authentication by capturing the codes that users received via SMS. The fake screen overlay was used to put banking credentials and other details straight into the hands of the threat actors.
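An added example, not from the original article or from any analysis of QRecorder: a Python check that compares the permissions declared by two versions of an app and flags an update that introduces the overlay and SMS capabilities described above. The manifests and package name are constructed samples, and the check assumes the manifest has already been decoded to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW"}  # draw over other apps
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed sample manifests for a hypothetical recorder app (not the real app's).
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder" android:versionCode="1">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recorder" android:versionCode="2">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
</manifest>"""

def permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit_update(old_xml, new_xml):
    """Diff two versions and flag overlay/SMS capabilities gained by the update."""
    old, new = permissions(old_xml), permissions(new_xml)
    added = new - old
    findings = []
    if new & OVERLAY and new & SMS:
        findings.append("overlay + SMS access requested together")
    if added & OVERLAY:
        findings.append("update adds permission to draw over other apps")
    if added & SMS:
        findings.append("update adds access to incoming text messages")
    return {"added": sorted(added), "findings": findings}

if __name__ == "__main__":
    print(audit_update(MANIFEST_V1, MANIFEST_V2))
```
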

Moreover, within 24 hours of installation, the Banking Trojan found in Google Play establishes a connection with the C&C (Command & Control) server. Once the fraudulent app is successfully installed, the server sends a malicious script that scans the device for specific German, Polish and Czech banking apps like:

  1. Raiffeisen Bank,
  2. ČSOB and Česká Spořitelna, two of the largest banks in the Czech Republic
  3. Oberbank
  4. Fio
  5. Bawag
  6. ING
  7. Equa
  8. Air Bank
  9. Bank Austria etc.

So, whenever a targeted banking app was launched, the malware covered it with a phishing screen to collect the username and password. The collected information was then sent to the malware authors.

While this malicious app has been removed from the official Android store, Google is constantly striving against cyber-criminals attempting to use the official Android marketplace to distribute malware. Recently the official app store was criticised for housing apps that entangled users in a booby trap without their knowledge. These include:

How to protect against installing malicious apps?

  1. Users are advised to check an app's popularity, reviews and ratings before installing it.
  2. Trusted antivirus programs like Avira & Hitman Pro should be installed and regularly updated to keep malicious apps at bay.


Virus Removal Guidelines