Banking Trojan Variant Spreading Through Android App

During our routine research operations/activities, Cyble Researchers found a variant of a banking Trojan that spreads through Android applications and steals the user’s sensitive information. Based on a post on Twitter, the fake banking application impersonated the prosecutor’s office of South Korea, with Korea as the primary target. 

A banking Trojan is a malicious piece of software designed to gain unauthorized access to confidential information stored or processed through online banking systems. Generally, a Trojan performs malicious activities without the knowledge of the user. It establishes remote access connections, captures keyboard inputs, collects system information, downloads/uploads files in the victim’s machine, drops various malware into the infected system, performs Denial-of-Service (DoS) attacks, and runs or terminates processes. 

Among various types of Trojans, attackers extensively use banking Trojans for multiple purposes, such as monitoring user activity and collecting sensitive data. Also known as ‘Spybot,’ these are one of the top 3 preferred malware tools. These banking Trojans pretend to be legitimate applications and spy on targeted victims after installation. 

The malware sample we found belongs to the Trojan family and targets Android mobile devices. Once the attacker successfully installs the malware in the victim’s device, it performs various malicious activities listed below: 

  • Stealing usernames and passwords from online banking services 
  • Collecting data such as the user’s banking information (cardholder name, card number, CVV, and expiration date). 
  • Gathering call logs and contacts 
  • Reading SMS content from the device and storing the data within the device 
  • Reading SMS notifications received from user’s device. 
  • Collecting the machine’s information 
  • Having keylogger functionality 

Technical Analysis: 

Cyble researchers found a sample of the banking Trojan and performed our technical analysis on it to know more about it. The malware application we used for our analysis is:  


Package Name: 

Main Activity: pkgflag.cocknut.yummy.MainActivity 

We performed the static analysis of the sample and found that the application has been defined with many permissions listed in Figure 1. 

Figure 1 Permissions Requested by the App 

On performing the dynamic analysis of the sample, the applications launch the main activity and displays the main screen, as shown in Figure 2. 

Figure 2 App’s Main Screen 

Some of the permissions, services, and receivers that may perform malicious activities are listed below: 


  • android.permission.DISABLE_KEYGUARD 
  • android.permission.PROCESS_OUTGOING_CALLS 
  • android.permission.ACCESS_COARSE_LOCATION 
  • android.permission.INTERNET 
  • android.permission.ACCESS_FINE_LOCATION
  • android.permission.WRITE_CALL_LOG 
  • android.permission.READ_CALL_LOG 
  • android.permission.WRITE_EXTERNAL_STORAGE 
  • android.permission.RECORD_AUDIO 
  • android.permission.WRITE_CONTACTS 
  • android.permission.CALL_PHONE 
  • android.permission.READ_PHONE_STATE 
  • android.permission.READ_SMS 
  • android.permission.SYSTEM_ALERT_WINDOW 
  • android.permission.CHANGE_WIFI_STATE 
  • android.permission.RECEIVE_SMS 
  • android.permission.READ_CONTACTS 


  • pkgflag.cocknut.yummy.MainActivity 
  • Org.groobe.fuick.KeepActivity66 


  • pkgflag.hide.deeper.service.CoreService 
  • pkgflag.hide.deeper.service.LocationService 
  • pkgflag.standalone.WindowInService 
  • pkgflag.standalone.WindowOutService2 
  • org.groobe.service.LocalService33 
  • org.groobe.HideForegroundService55 
  • org.groobe.JobHandlerService44 
  • Org.groobe.service.RemoteService22 


  • kgflag.hide.receiver.CallReceiver 

Intent Filters by Action: 

  • android.intent.action.MAIN 
  • android.intent.action.PHONE_STATE 
  • android.intent.action.NEW_OUTGOING_CALL 
  • android.intent.action.USER_PRESENT 

The app uses the permissions granted by the users to perform activities on their devices as discussed below: 

  1. Tracking the user’s location from the compromised device 

Figure 3 Code for Location Tracking

  1. Checking for internet connectivity in the infected device 

Figure 4 Query on Internet Connectivity 

  1. Recording audio source or media contents from the infected device 

Figure 5 Media content collected from the device 

  1. Accessing the private ITelephony interface to use it for blocking phone calls 

Figure 6 Blocking Phone calls using Telephony Manager 

  1. Terminating processes at the backend 

Figure 7 Killing the processes of the device 

  1. Service/Receivers are registered when the screen is in off status using intent action 

Figure 8 Registers the service/receivers when the screen is in off status 

  1. Checking for the network operator name 

Figure 9 Query for the Operator name of the network 

  1. Using encryption techniques to encrypt the device information. 

Figure 10 Code for encrypting device information 

  1. Using the Outgoing call permission to monitor outgoing calls 

Figure 11 Monitoring outgoing calls 

  1. Collecting the list of installed packages from the infected device 

Figure 12 Code that fetches the list of installed packages from the device 

  1. Storing the information collected from the device in strings 

Figure 13 Collects the lists of information 

The sensitive information collected by the malware is sent to the Command-and-Control (C2) server, using the code showcased in Figure 14. 

Figure 14 C2 builder using Header Interceptor 

C2 link: hxxp[:]//103.147[.]12.89/api/interfaceA 

The banking Trojan family has always maintained a simple code format and brought in new campaigns from time-to-time. The challenge associated with the malware is the ease with which the code can be obtained and modified by cybercriminals to launch a sophisticated attack.  

Safety Recommendations: 

  1. Verify the privileges and permissions requested by apps before granting access. 
  1. Install mobile applications downloaded only through trusted application stores. 
  1. Keep your antivirus software updated so that it can detect and prevent malware infections. 
  1. Keep your system and applications updated. 
  1. Use strong passwords and enable two-factor authentication during logins. 
  1. People concerned about the exposure of their stolen credentials in the darkweb can register at to ascertain their exposure. 

MITRE ATT&CK® Techniques- for Mobile 

Tactic Technique ID Technique Name 
Defense Evasion T1406 Obfuscated Files or Information  
Credential access T1412 Capture SMS Message  
Discovery T1430 T1426 T1421 T1424 1.  Location Tracking 2. System Information Discovery 3. System Network Connections Discovery 4. Process Discovery 
Collection T1430 T1412 T1432 T1433 T1429 1. Location Tracking 2. Capture SMS Messages 3. Access Contact List  4. Access Call Logs 5. Capture Audio 
Command and Control T1573 T1071 T1571 1. Encrypted Channel 2. Application Layer Protocol 3. Non-Standard Port 
Impact T1447 Delete Device Data 
Exfiltration T1532 Data Encrypted 

Indicators of Compromise (IoCs): 

IOC  IOC Type  
e609ac709a6b80b0ceb58c646735fc597db0483ff637e93acf9be028c07900d7 SHA256   
hxxp[:]//103.147[.]12.89/api/interfaceA Interesting URL 
103.147.12[.]89 Suspicious IP address (communicating IP) 

About Cyble: 
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit

Scroll to Top