10 New Android Banking Trojans Targeted 985 Apps in 2023

According to experts from Zimperium, ten new families of Android banking trojans emerged in 2023, collectively targeting 985 banking, financial, and retail apps across 61 countries. In addition to these new trojans, 19 malware families from 2022 were modified, gaining new features and becoming more sophisticated. Among the updated malware families from 2022, the most active were Teabot, Exobot, Mysterybot, Medusa, Cabossous, Anubis, and Coper.

After analyzing all 29 active malware families, researchers highlighted several new trends:

  • The addition of automated transfer systems (ATS) that intercept MFA tokens, initiate transactions, and transfer funds.
  • Use of social engineering tactics, where attackers pose as support agents to trick victims into downloading malicious payloads themselves.
  • Implementation of real-time screen-sharing capabilities for direct remote interaction with infected devices.
  • Offering malware as a subscription service to other cybercriminals, with prices ranging from $3,000 to $7,000 per month.

Standard features found in most of the analyzed banking trojans include keyloggers, phishing overlays, and SMS theft. Another concerning trend this year is that banking trojans are increasingly targeting not just banking credentials and funds, but also social networks, messengers, and victims’ personal data.

Overview of the 10 New Malware Families

Experts studied over 2,100 variants of these new trojans, which often disguise themselves as utility tools, productivity apps, entertainment portals, photo editors, games, and educational resources. The new trojans are:

  • Nexus: Malware-as-a-service (MaaS) with 498 variants, offers real-time screen-sharing, targets 39 apps in nine countries.
  • Godfather: MaaS with 1,171 known variants, targets 237 banking apps in 57 countries, also supports remote screen-sharing.
  • Pixpirate: Trojan with 123 known variants, uses an ATS module, targets 10 banking apps.
  • Saderat: Trojan with 300 variants, targets eight banking apps in 23 countries.
  • Hook: MaaS with 14 known variants, supports screen-sharing, targets 468 apps in 43 countries, available for rent at $7,000 per month.
  • PixBankBot: Malware with three known variants, targets four banking apps, equipped with an ATS module.
  • Xenomorph v3: MaaS with six variants, supports ATS, targets 83 banking apps in 14 countries.
  • Vultur: Trojan with nine variants, targets 122 banking apps in 15 countries.
  • BrasDex: Targets eight banking apps in Brazil.
  • GoatRat: Malware with 52 known variants, equipped with an ATS module, targets six banking apps.

Most Targeted Countries in 2023

The countries most affected by these attacks in 2023 were:

  1. United States (109 targeted banking apps)
  2. United Kingdom (48 banking apps)
  3. Italy (44 apps)
  4. Australia (34)
  5. Turkey (32)
  6. France (30)
  7. Spain (29)
  8. Portugal (27)
  9. Germany (23)
  10. Canada (17)
