FortiGuard Labs Threat Research

Android Malware Masquerades as Banking App, Part II

By Kai Lu | November 18, 2016

New variants of Android banking malware target even more German banks, popular social media apps, and more


In my previous blog I provided a detailed analysis of a new Android banking malware that spoofed the mobile applications of several large German banks to trick users into revealing their banking credentials. This week I found several new variants of this growing malware, and in this update I am sharing these new findings.

Install the malware

One of these variants masquerades as another German mobile banking app. Once installed, its icon appears in the launcher, with the malware app icon appearing fairly similar to the bank’s legitimate app icon.

As in the previously reported variants of this malware, once the user launches the malware app it requests the device administrator rights, as shown below.

Figure 1. Requesting device administrator rights

Collecting device info

Once the malware application is installed, device information is collected and sent to the attacker’s server. The following is a capture of the device traffic. We can see that the malware version becomes “061116xxxxx,” showing that it is masquerading as the targeted bank app in order to launch an attack.

Figure 2. Malware device traffic capture

Targeting Google Play to steal the credit card info

In addition to targeting banks, this new malware variant includes the following key code snippet that also adds Google Play as a targeted app.

Figure 3. Malware targeting Google Play

In the previous blog, we showed that the variable a.c was empty. We speculated that it would be used for future malware activity. This variant has added Google Play as a target. We believe that the attacker is likely to continue to add new targets.

As in other versions of this malware, when the user launches the Google Play app for the first time it creates a screen overlay on top of the Google Play app, as shown in Figure 4.

Figure 4. A screen overlay on Google Play

It lures the user to input their credit card information (card number, holder name, expiration date, and CCV), as shown in Figure 5.

Figure 5. Input the visa card info

Once the user submits their credit card info, the malware sends this info to its C2 server. The traffic is shown below.

Figure 6. Send the credit card info to C2 server

Figure 7. The screen overlay of “Verified by Visa”

The malware is then able to verify if the card number submitted by the user is valid. If yes, the malware pops up a fake “Verified by Visa” view. The view includes DOB, address, post code, billing phone number, and password, as shown in Figure 8.

Figure 8. Input info for “Verified by Visa”


Once the user inputs this information and submits it, this data is also sent to its C2 server. The traffic is shown below.

Figure 9. Send “Verified by Visa” info to C2 server

If the user submits MasterCard card info, a different display is shown, as seen in Figure 10.

Figure 10. Input the MasterCard card info

After submission, the malware pops up a fake “MasterCard SecureCode” view. As with the Visa spoof, this view also includes DOB, address, post code, billing phone number and password, as shown in Figure 11.

Figure 11. The screen overlay of “MasterCard SecureCode”

The same behavior occurs when the user submits American Express credit card info, as shown below in Figure 12.

Figure 12. Input American Express credit card info

After submission, the malware again pops up a fake “American Express SafeKey” view. The view also includes DOB, address, post code, billing phone number, and password, as shown in Figure 13, below.

These tricks are designed to capture the victim’s full credit card information, and use “Verified by Visa,” “MasterCard SecureCode,” or “American Express SafeKey” displays to assure the victim that everything is normal.

Targeted bank list

This variant has also added some new banks as targets, including five banks in Austria. Based on this behavior, we expect this malware to continue to spread across the region.

New C2 Servers

The variant also uses six new C2 servers as follows.







Targeting popular social media apps

Two other variants of this malware family that we have discovered masquerade as Flash Player apps. Their version is “081116,” and their creation date should be Nov 8, 2016. They add some popular social media apps as targets. The following is a list of these spoofed apps.




We will use the spoofed Skype application to examine the behavior of this malware.

When the user launches the Skype app, the malware displays a screen overlay on top of the legitimate app, as shown in Figure 14.

Figure 14. A screen overlay for Skype

It shows the message “Your account has been frozen because we are unable to validate your information. Please validate your account HERE to avoid suspension.” It’s a classic phishing screen.

Next, it lures the user to input their credit card info.

Figure 15. Input the credit card info for Skype

Figure 16. Input billing info for Skype

Figure 17. Input info for “Verified by Visa”

From the above figures, we can see that the malware is designed to steal the victim’s full credit card information. It also uses the “Verified by Visa,” “MasterCard SecureCode,” or “American Express SafeKey” screens to trick the user into thinking that their transaction was legitimate. The traffic is shown below.

Figure 18. Sending the full details of credit card to C2 server

The phishing screen overlay strategy targeting other social media apps is similar to the one shown for the Skype app.


These malware samples are detected by Fortinet Antivirus signatures Android/Banker.GT!tr.spy and Android/Marcher.GT!tr. The traffic submitting the stolen info to the C&C server can be detected by Fortinet IPS signature Android.Banker.German.Malware.C2.
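A static triage check for the traits described in this post, added here as an example and not taken from the original article or from Fortinet's detection logic. It takes a decoded AndroidManifest.xml and the string constants extracted from an APK, and flags an app that combines a device-admin receiver, embedded package names of other apps, and card-verification brand text. The `triage` function, the watched package names (`com.android.vending` for Google Play, `com.skype.raider` for Skype), the two-signal threshold and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Apps the article names as overlay targets; extend with your own banking apps.
WATCHED_PACKAGES = {"com.android.vending", "com.skype.raider"}
# Card-verification brand names the fake views imitate, as quoted in the article.
LURE_STRINGS = {"Verified by Visa", "MasterCard SecureCode", "American Express SafeKey"}

def triage(manifest_xml, code_strings):
    """Score a decoded manifest plus the string constants extracted from an APK."""
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    strings = set(code_strings)
    # Signal 1: a receiver guarded by BIND_DEVICE_ADMIN means the app can ask
    # the user for device administrator rights.
    admin = any(r.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                for r in root.iter("receiver"))
    # Signal 2: package names of *other* apps hard-coded in the sample.
    targets = sorted((strings & WATCHED_PACKAGES) - {own_pkg})
    # Signal 3: 3-D Secure style brand text inside a non-payment app.
    lures = sorted(strings & LURE_STRINGS)
    reasons = []
    if admin:
        reasons.append("registers a device-admin receiver")
    if targets:
        reasons.append("embeds other apps' package names: " + ", ".join(targets))
    if lures:
        reasons.append("embeds card-verification brand text: " + ", ".join(lures))
    # A Play Store reference alone is common in benign apps (rating links),
    # so escalate only when at least two independent signals agree.
    return {"package": own_pkg, "escalate": len(reasons) >= 2, "reasons": reasons}

# --- constructed samples (not taken from the analysed malware) ---
FAKE_PLAYER = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.player.update">
  <application android:label="Flash Player">
    <receiver android:name=".Adm" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
BENIGN_GAME = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game"><application android:label="Game"/></manifest>"""

if __name__ == "__main__":
    print(triage(FAKE_PLAYER, ["com.android.vending", "com.skype.raider", "Verified by Visa"]))
    print(triage(BENIGN_GAME, ["com.android.vending", "level_1"]))
```

An escalated result is a reason to analyse the sample further, not a verdict: legitimate device-management apps also register device-admin receivers.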


Based on our analysis, this malware family has good extensibility. The attacker can add new app lists easily in the code. These new variants have added the Google Play app and some other popular social media apps as targets in order to steal credit card information. And the “Verified by Visa,” “MasterCard SecureCode,” and “American Express SafeKey” screens are used to convince victims that their transactions were legitimate. It also adds some new banks in Austria as targets. We predict that the list of targeted banks will continue to spread all over the world.

We will continue to monitor future activities from this malware family and ensure that an adequate security solution is developed in our products.


SHA256 Hash




C&C Server