New Remo Android Banking Trojan Targets Over 50 Banking Applications And Crypto Wallets

Key Takeaways

  • A phishing site impersonating Binance distributes a new Android Banking Trojan “Remo” abusing the Accessibility service to steal sensitive information.
  • The malware targeted more than 50 banking and cryptocurrency wallet applications in Thailand, Vietnam, and Indonesia, exfiltrating sensitive information from these apps.
  • The malware leveraged the Accessibility service to capture screen text, and steal keystrokes from the targeted applications.
  • Analysis of the admin panel and code strings in the apk file suggested a possible China-originated Threat Actor (TA) behind the malware.
  • Malware can monitor clipboard data, which allows it to steal sensitive data without granting any permissions by the victim.


In today’s interconnected digital landscape, the threat of cyber phishing and scams has become a significant concern. Cybercriminals have cleverly exploited the convenience and connectivity that technology offers, crafting sophisticated schemes to trick unsuspecting individuals and organizations. Cyble Research and Intelligence Labs (CRIL) has been continuously monitoring crypto-based phishing and scams. In June 2023, we discovered a crypto mining scam distributing Roamer Android Banking Trojan targeting banking applications primarily in Vietnam and India.

CRIL subsequently discovered yet another Android Banking Trojan, the “gjf-p3.apk (f75e26936a8f3b55065cdad25ee3e37bdf94054bc5e242dc72ebb073e4f73c3d),” via a VirusTotal search. This new discovery showcased an expanded targeting scope, involving not only Vietnam but also Thailand and Indonesia.

Following an in-depth investigation, a phishing website was unearthed: hxxps://binancep2p[.]cc/, which imitates a legitimate Binance cryptocurrency platform distributing the same malicious APK file named “binance.apk (63e60c5c984dc379a273fc0e13be81bd3030466b7b2fc9695ec588edc24930e7)”.

Figure 1 – Binance phishing site downloads malicious APK file

During the scrutiny of the initial phishing site, an additional three phishing websites were identified. As of the writing of this blog, the following mentioned sites are inactive:

  • hxxps://binance-p2p[.]net/
  • hxxps://binanceb2c[.]com/
  • hxxps://vtelpuls[.]com/
Figure 2 – Additional phishing sites

The phishing website hxxps://vtelpuls[.]com/ was distributing an APK file named “Vtel.apk (sha256: 3f7e87646dfc76784942e044d0468ba8f2bc9495fa2710779dc36f7e53f53708).” This APK file’s source code closely resembled the one obtained from the phishing website that was pretending to be Binance. We also have suspicions that the other two websites might have played a role in distributing this potentially harmful APK file.

Furthermore, we suspect that the targeted individuals might have encountered these phishing websites through SMS or other messaging applications, potentially making them susceptible to this threat.

After examining the downloaded APK file, it was discovered that the downloaded malicious application targets more than 50 banking applications and cryptocurrency wallets from Thailand, Vietnam, and Indonesia. Like several other banking trojans, this malware also uses the Accessibility service to steal the credentials of the targeted applications.

Since July 2023, the malware has been operational, and as of the time of composing this blog post, the malware samples have been detected at a notably low rate as shown in the below figure.

Figure 3 – Malware samples have low detection

The Threat Actor (TA) has kept some of the malicious code inside the Android Library under the “Remo” and “service” folders as shown in the below figure.

Figure 4 – Malicious module kept inside the Android Library

A comprehensive analysis of the malicious file revealed that this variant of malware is distinct and has not been encountered in the wild previously. Given this uniqueness, we have named the malware “Remo Banking Trojan,” a moniker name derived from the consistent package name observed across all malicious samples. This naming convention enhances our ability to monitor the malware’s activities effectively.

For the technical analysis, we are considering the most recent sample of the Remo Banking Trojan, namely “gjf-p3.apk (f75e26936a8f3b55065cdad25ee3e37bdf94054bc5e242dc72ebb073e4f73c3d)”. This specific sample establishes communication with a Command and Control (C&C) server located at hxxps://vnoffs[.]cyou:8081. Notably, the admin panel is also hosted on this URL. Upon examination of the admin panel, it becomes evident that certain strings are written in Chinese. Additionally, some strings present in the code are also in the Chinese language, suggesting that a TA could be of China origin.

The below figure shows the admin panel.

Figure 5 – Admin Panel

The malware employs strong obfuscation techniques to complicate reverse engineering and the strings present within the files are encrypted. Malware has implemented a custom decryption process to decrypt strings. The code snippet displayed in the figure below illustrates the specific logic that the malware employs to decrypt these encrypted strings.

Figure 6 – String decryption code

Technical Analysis

APK Metadata Information  

  • App Name: ARK
  • Package Name:
  • SHA256 Hash: f75e26936a8f3b55065cdad25ee3e37bdf94054bc5e242dc72ebb073e4f73c3d
Figure 7 – Application metadata information

After being installed, the Remo Banking Trojan establishes a connection with the C&C server at hxxps://vnoffs[.]cyou:8081/device/getAllDeviceAppPackageSetting. During this connection, it acquires a list of specific banking and cryptocurrency wallet applications that it aims to target. This list includes details such as the ID, package name, application name, and its disabled status, as shown in the figure below.

Figure 8 – Malware receives targeted application list

The table provided below lists the package names and application names of the targeted applications as targeted by the Remo banking trojan.

Package name Application name
com.vnpay.bidv BIDV Techcombank
com.VCB VCB Digibank
com.vietinbank.ipay VietinBank
com.vnpay.Agribank3g Agribank ACB
com.vnpay.vpbankonline VPBank
com.tpb.mb.gprsandroid TPBank Sacombank
com.mbmobile MB Bank
com.vnpay.hdbank HDBank MSB
com.ocb.omniextra OCB
com.mservice.momotransfer MOMO
com.bca BCA mobile
id.bmri.livin Livin’ by Mandiri BNI Mobile Banking
com.jago.digitalBanking Jago
com.bsm.activity2 BSI Mobile
com.ocbcnisp.onemobileapp OCBC Mobile BRILink Mobile M2U myBCA Digibank Indonesia
com.alloapp.yump allo bank D-Bank PRO
net.myinfosys.PermataMobileX PermataMobile X SeaBank
com.bplus.vtpay Viettel Money ZaloPay
wifi.gps.input Input
th.or.gsb.coachaom Coachaom NEXT
com.bbl.mobilebanking Bualuang mBanking
com.kasikorn.retail.mbanking.wap K PLUS SCB EASY
com.krungsri.kma KMA
com.kbzbank.kpaycustomer KBZPay UOB TMRW
com.ktb.customer.qr Paotang imtoken
vn.shb.mbanking SHB Mobile
com.bitpie Bitpie Wallet
io.metamask MetaMask Binance
pro.huobi HuoBi Bybit OKX
vip.mytokenpocket TokenPocket
app.vitien.vitien Vitien

Upon obtaining the list of targeted applications, the malware verifies the targeted application’s existence on the compromised device. It then transmits both the application’s name and package name along with the version number for each targeted application to the C&C server at hxxps://vnoffs[.]cyou:8081/device/saveAppList as shown below.

Figure 9 – Malware sends targeted application information installed on the victim’s device to the C&C server

Simultaneously, malware prompts the victim to enable Accessibility service. Once the service is enabled, the malware abuses the service to execute banking Trojan activity, prevent uninstallation, and grant auto permissions as shown below.

Figure 10 – Malware prompts to enable the Accessibility service

In the background, the malware continuously transmits data from the infected device to the C&C server hxxps://vnoffs[.]cyou:8081/device/addOrUpdateDevice. The data includes a wide range of information, such as the status of the Accessibility service, the package name of the currently running application, contents of the clipboard, time zone settings, and basic device details as shown in Figure 11. One notable aspect is the malware’s persistent collection of clipboard content, enabling the TA to gather sensitive data from the victim’s device without requiring any explicit permissions.

Figure 11 – Malware sends clipboard content with other device information

After gaining permission for the Accessibility service from the victim, the malware exploits this service to identify the targeted banking or cryptocurrency wallet applications installed in the victim’s device. When the malware detects the victim’s interaction with any of these applications, it captures all the visible text on the current screen.

Subsequently, the malware transmits this extracted text, along with the app name, package name, and current activity component name of the target application, to the C&C server hxxps://vnoffs[.]cyou:8081/device/saveScreenText. The compromised information can be used by the TA to exfiltrate credentials and other confidential data from the targeted application. The below figure shows an example of the exfiltration of screen text from the targeted crypto wallet application.

Figure 12 – Malware sends text from the targeted application’s screen

The Remo Banking Trojan additionally monitors the edit text fields within the targeted applications and proceeds to transmit any sensitive information entered by the victim to the C&C server hxxps://vnoffs[.]cyou:8081/device/saveKeyboardEvent. The figure below depicts how the malware captures a victim’s wallet mnemonic phrase through keylogging techniques.

Figure 13 – Malware steals a mnemonic phrase from the targeted crypto application using keylogging

Additionally, Remo Banking Trojan also steals all the contacts stored from the infected device and sends them to the C&C server “hxxps://vnoffs[.]cyou:8081/device/saveAddressBookList”. However, this particular URL is not available on the server, as shown in the below figure.

Figure 14 – Malware steals contact list


The Remo Banking Trojan represents a sophisticated cyber threat that specifically targets Android users in Southeast Asia, particularly in Thailand, Vietnam, and Indonesia. This malware employs various tactics, including phishing, keylogging, and accessibility service exploitation, to steal sensitive information from banking and cryptocurrency wallet applications. Notably, the malware’s utilization of a counterfeit Binance platform, combined with its ability to evade detection effectively, highlights the increasing inventiveness of cybercriminals in developing powerful and dangerous threats.

The malicious APK, distributed through phishing websites, establishes a connection with a C&C server, allowing the malware to carry out its malicious activities. The Chinese origin implication, although speculative, suggests the involvement of a TA with an advanced level of sophistication. The use of custom encryption and decryption processes further highlights the malware’s attempt to evade traditional security measures.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Play Store or the iOS App Store.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Avoid copy pasting sensitive information such as ID Password of banking crypto, digital locker, or any other social media app.
  • Using a reputed antivirus and internet security software package is recommended on connected devices, including PC, laptops, and mobile.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques


Tactic Technique ID Technique Name
Defense Evasion T1629.001 Impair Defenses: Prevent Application Removal
Credential Access T1414 Clipboard Data
Credential Access T1417.001 Input Capture: Keylogging
Discovery T1418 Software Discovery
Discovery T1426 System Information Discovery
Collection T1636.003 Protected User Data: Contact List
Exfiltration T1646 Exfiltration Over C2 Channel

Indicators of Compromise (IOCs)

Indicators Indicator Type Description






hxxps://binancep2p[.]cc/ URL Distribution site






Hash of analyzed file “gjf-p3.apk”
hxxps://vnoffs[.]cyou:8081 URL C&C server






Remo Banking Trojan






Remo Banking Trojan
hxxps://vtelpuls[.]com/apk/download/Vtel.apk URL Distribution URL






Remo Banking Trojan







Remo Banking Trojan


Scroll to Top