New Telegram Based Malware Aberebot-2.0 Targets Social Media, CryptoCurrency Applications and 213 Banks in 22 Countries

In July, Cyble Research Lab unveiled Aberebot, a new Android banking malware offered for sale on the dark web. The malware's creators have since announced a new version with improved functionality. The announcement, posted on a dark web forum, is shown in the figure below.

Figure 1: Announcement by the Aberebot creator regarding new features and price (from Twitter)

Aberebot is an Android banking Trojan that steals sensitive information, including financial and personal details, through phishing web pages. The new variant also uses the Telegram Bot API to communicate with its operator(s). To keep the APK small, the threat actor (TA) hosts the phishing pages in a GitHub repository rather than bundling them with the app.

Recently, Cyble Research Lab spotted a version of Aberebot spreading through a website that appears to be Croatian, as shown in Figure 2. Our team collected the sample from the website and performed an in-depth analysis. Based on that analysis, this sample is an enhanced version of the malware we described in July; we refer to it as Aberebot v2.0.

Figure 2: Screenshot of the website that spreads Aberebot v2.0

APK URL: hxxps://itts[.]hr/FinaCertifikat/Fina.apk

Aberebot v2.0 includes new targets as well as additional malicious functionality. In addition to the functions found in the previous version, the malware has the following:

  • Steals messages from a popular chat app and from the Gmail app.
  • URL Injection to steal cookies.
  • Inject values into financial applications.
  • Collect a list of files on the victim’s device.
  • Collect Clipboard Information.
  • Disable security features such as Google Play Protect.

Technical Analysis

The malicious APK was still present on the website during our investigation. The file details of the sample APK are given in the figure below.

Figure 3: APK File Info

APK File Info

The file information of the sample APK:

  • App Name: FinaCert
  • Package Name: com.example.autoclicker
  • SHA256 Hash: ee20d6abcf80df3a02c99b977ae6c948d2449f573daa9204ccc9fab6825883f3

Manifest Information

The malware author has declared 18 permissions, 11 of which Android classifies as dangerous (runtime) permissions. The abused permissions are listed below.

Table 1: Permissions present in versions 1.0 and 2.0 (columns: Aberebot v1.0 permissions, Aberebot v2.0 permissions; the table body did not survive extraction)

Once the user enables these permissions, Aberebot v2.0 can perform malicious activities such as:

  • Steal personal information such as contacts and SMS messages.
  • Monitor user activity on the device.
  • Track the user through the device's location.
  • Collect user files stored on the device's storage.
  • Read notifications posted by applications such as Gmail.
  • Run constantly in the background.

Like v1.0, Aberebot v2.0 abuses the Accessibility Service to monitor user activity and the applications running on the device.

The malware author has also added the QUERY_ALL_PACKAGES permission, which was introduced in Android 11 (API level 30). On Android 11 and later, apps can no longer enumerate installed packages without it, so its presence shows that Aberebot v2.0 is built to keep working (and to keep matching its target list) on newer Android versions.

From the APK's manifest, we also identified four entry-point classes:

  1. Launcher activity: executed first and displays the application's start page.
  2. SMS receiver: executed whenever the device receives a new SMS.
  3. Boot receiver: started on every device boot.
  4. Notification listener service: invoked whenever the infected device receives a notification.

Apart from the classes above, the class names overlap with those in Aberebot v1.0, which supports the conclusion that this version is a continuation of v1.0. From these entry-point classes, the malware launches its different malicious behaviours.
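The manifest review described in this section (permissions, dangerous subset, the four entry points, the Accessibility and notification-listener services) can be scripted. The Python example below is added here; it is not Cyble's tooling and not code from the sample. It assumes the manifest has already been decoded to plain XML with a tool such as apktool or androguard. The embedded manifest is constructed to mirror the components described above, and its class names are invented.

```python
"""Triage a decoded AndroidManifest.xml for the components an Aberebot-style
banker relies on. Added example for this write-up, not Cyble's code."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android:* attributes

# Runtime ("dangerous") permissions that matter for a banking trojan.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG",
}

# Intent actions that turn a component into one of the entry points discussed above.
ENTRY_POINT_ACTIONS = {
    "android.intent.action.MAIN": "launcher activity",
    "android.provider.Telephony.SMS_RECEIVED": "SMS receiver",
    "android.intent.action.BOOT_COMPLETED": "boot receiver",
    "android.service.notification.NotificationListenerService": "notification listener",
    "android.accessibilityservice.AccessibilityService": "accessibility service",
}

# Constructed sample manifest (class names invented); not the real FinaCert manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.autoclicker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="FinaCert">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter><action android:name="android.service.notification.NotificationListenerService"/></intent-filter>
    </service>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""


def _name(elem):
    return elem.get(A + "name", "")


def triage_manifest(xml_text):
    """Return package, declared permissions, the dangerous subset and entry points."""
    root = ET.fromstring(xml_text)
    perms = sorted(_name(p) for p in root.iter("uses-permission"))
    entry_points = []
    for comp in root.iter():
        if comp.tag not in ("activity", "receiver", "service"):
            continue
        for action in comp.iter("action"):  # actions nested in the intent-filters
            kind = ENTRY_POINT_ACTIONS.get(_name(action))
            if kind:
                entry_points.append((kind, _name(comp)))
    return {"package": root.get("package"), "permissions": perms,
            "dangerous": sorted(p for p in perms if p in DANGEROUS),
            "entry_points": entry_points}


def risk_flags(report):
    """Human-readable reasons this APK deserves a closer look."""
    kinds = {k for k, _ in report["entry_points"]}
    perms = set(report["permissions"])
    flags = []
    if "accessibility service" in kinds:
        flags.append("AccessibilityService declared (overlay, keylogging, self-granting permissions)")
    if "notification listener" in kinds:
        flags.append("NotificationListenerService declared (reads Gmail/chat notifications)")
    if "SMS receiver" in kinds and "android.permission.READ_SMS" in perms:
        flags.append("intercepts incoming SMS (OTP theft)")
    if "boot receiver" in kinds:
        flags.append("restarts on boot (persistence)")
    if "android.permission.QUERY_ALL_PACKAGES" in perms:
        flags.append("QUERY_ALL_PACKAGES: enumerates installed apps on Android 11+ (target matching)")
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        flags.append("SYSTEM_ALERT_WINDOW: can draw overlays over other apps")
    return flags


if __name__ == "__main__":
    r = triage_manifest(SAMPLE_MANIFEST)
    print(r["package"], len(r["permissions"]), "permissions,", len(r["dangerous"]), "dangerous")
    for kind, cls in r["entry_points"]:
        print(f"  entry point: {kind:22s} {cls}")
    for f in risk_flags(r):
        print("  !", f)
```

None of these flags is conclusive on its own (legitimate SMS, launcher and accessibility apps declare the same components); the combination of an SMS receiver, a notification listener, an Accessibility service and overlay permission in an app whose label (FinaCert) has nothing to do with its package name (com.example.autoclicker) is what makes the sample stand out.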

Malicious Behaviours

As we mentioned in our previous blog on Aberebot, the malware could already:

  • Steal credentials using HTML-based phishing pages.
  • Intercept OTP messages.
  • Exfiltrate contacts and SMS messages.
  • Send SMS messages to a number provided by the TA.
  • Collect the list of applications installed on the device.
  • Hide the app's icon from the device's home screen.

The code (common in both v1.0 and v2.0) to collect and exfiltrate contacts is shown in the below figure.

Figure 4: Code to collect contact

In addition to these capabilities, the malware author has incorporated the below malicious features:

  • Exfiltrate a list of the files present on the device and, on instruction, upload selected files to the TA's infrastructure. The code used to collect the file list and to transfer files over FTP is shown in the figure below.

Figure 5: Code to collect a list of files and to upload a file to C&C using FTP

  • Perform keylogging by abusing the Accessibility service. Refer to the figure below.

Figure 6: Code to perform keylogging using Accessibility

  • Steal and upload clipboard data, as shown in the figure below.

Figure 7: Code to collect Clipboard data

  • Collect device hardware information such as the IMEI and IP address.
  • Exfiltrate GPS- and cellular-network-based location information.
  • Disable or uninstall itself on instruction from the TA.

The malware also steals messages from a popular chat app and from Gmail by abusing the notification listener service: every notification those apps post, including message previews, is delivered to the malware's listener. The code that harvests messages this way is shown in the figure below.

Figure 8: Code to steal Gmail and chatting-app messages by intercepting notifications

In addition, the malware uses phishing pages to collect user credentials and to carry out other malicious activities.

Phishing Pages

Like v1.0, the newer version downloads its phishing pages from a GitHub repository.

Figure 9: GitHub repository URL used for storing Phishing webpages

GitHub repo Link: hxxps://github[.]com/jamiesuper00/lucifer/raw/main/

During our investigation, the repository was taken down by GitHub, so we did not get more details on the phishing pages.

Aberebot downloads the phishing pages for the targeted applications based on the country in which the victim's device is located.

Aberebot constantly monitors activity on the device. When the user opens a banking or crypto application on the target list, the malware displays an overlay phishing page on top of the legitimate app. When the victim logs in through that page, the malware also harvests the session cookies using the code shown below.

Figure 10: Code to steal cookies using phishing pages

In Aberebot v2.0, the malicious operator can inject values into user fields in banking, crypto, or social applications and perform fraudulent activities. This activity is performed based on the commands from the TA.

Figure 11: Code to inject values into fields

The malware author has also added an anti-sandbox check in the newer version of Aberebot: the malware terminates itself if it detects that it is running in a sandbox or emulator environment. Refer to the figure below.

Figure 12: Code to check for sandbox environment

The malware constantly monitors the device screen by abusing the Accessibility service and displays overlays with phishing pages.

Abusing Accessibility Service

Once the victim enables the Accessibility permission, Aberebot grants itself the remaining permissions without showing any prompts to the victim. It also prevents the user from opening or modifying the malicious application's entry in the Settings app, which hinders manual removal.

Aberebot v2.0 also performs keylogging by abusing the Accessibility service.

In addition, the malware constantly monitors the screen in the background. When the victim launches a target app, the malware draws an overlay containing that app's phishing page over the legitimate application. The overlay is created using a WebView, as shown in the figure below.

Figure 13: Code to create an overlay using WebView

When the user submits credentials into the overlay, the data is sent to the Command & Control (C&C) server, which is a Telegram bot reached through the Telegram Bot API.

Commands & C&C server

Aberebot performs all of its activities in response to commands from the TA. As in v1.0, the new version uses a Telegram bot as its C&C server, so the traffic is ordinary HTTPS to api.telegram.org. The bot URL embedded in the code is shown below; the number after "bot" is the bot ID, and the full Bot API token that authenticates the operator consists of this ID followed by a colon and a secret.

Figure 14: Telegram C&C URL present in the code

Telegram Bot URL: hxxps://api.telegram[.]org/bot1962569196

The commands used by the TA to perform activities are listed below.

Command     Description
start       Initiates execution and uploads hardware information
all         Performs all malicious activities
sms         Sends an SMS to the number provided by the TA
file        Exfiltrates the list of files
contact     Uploads the contacts present on the device
download    Downloads a file from the FTP server
lockscreen  Locks/unlocks the device screen
killbot     Uninstalls Aberebot from the infected device
keylog      Uploads keylogged data
Table 2: Commands used in Aberebot v2.0
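Because the C&C is an ordinary Telegram bot, the operator's traffic does not stand out by destination alone; the distinguishing part is the /bot<id>:<secret>/<method> path on api.telegram.org, together with fetches of the phishing-page repository. The Python example below is added here and is not part of the original post or Cyble's tooling. It matches those two patterns against constructed proxy log lines; the log format and the second bot ID are assumptions for illustration, while 1962569196 and jamiesuper00/lucifer are the values from this analysis.

```python
"""Hunt for Telegram Bot API C&C and phishing-page fetches in egress proxy logs.
Added example for this write-up, not Cyble's code. Assumes each log line is
"<timestamp> <client-ip> <http-method> <url>"; the lines below are constructed."""
import re
from collections import defaultdict

# Bot IDs from this campaign (IOC table). The write-up shows only the numeric ID;
# the secret after the colon is not known, so matching is done on the ID.
KNOWN_BOT_IDS = {"1962569196"}
# Repositories that hosted the phishing pages (from the Phishing Pages section).
KNOWN_REPOS = {"jamiesuper00/lucifer"}

BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+)"
    r"(?::(?P<secret>[A-Za-z0-9_-]+))?/(?P<method>[A-Za-z]+)"
)
# Both github.com/<user>/<repo>/raw/<ref>/ and raw.githubusercontent.com/<user>/<repo>/<ref>/
GH_RAW_RE = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com)/"
    r"(?P<repo>[^/]+/[^/]+)/(?:raw/)?(?P<ref>[^/]+)/"
)

# Constructed sample log. 5550001111 is an invented, unrelated bot ID.
SAMPLE_LOG = """\
2021-11-01T10:00:01Z 10.1.2.3 GET https://api.telegram.org/bot1962569196:AAE-redacted/getUpdates?offset=0
2021-11-01T10:00:02Z 10.1.2.3 POST https://api.telegram.org/bot1962569196:AAE-redacted/sendMessage
2021-11-01T10:00:03Z 10.1.2.3 GET https://github.com/jamiesuper00/lucifer/raw/main/commbank.html
2021-11-01T10:00:04Z 10.1.2.9 GET https://web.telegram.org/k/
2021-11-01T10:00:05Z 10.1.2.9 GET https://api.telegram.org/bot5550001111:BBB-other/getMe
2021-11-01T10:00:06Z 10.1.2.3 POST https://api.telegram.org/bot1962569196:AAE-redacted/sendDocument
"""


def parse_line(line):
    ts, ip, method, url = line.split(maxsplit=3)
    return ts, ip, method, url


def scan_logs(text):
    """Return one hit per matching line. Known bot IDs / repos are rated high;
    any other Bot API use from an endpoint is still worth a look (medium)."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, _method, url = parse_line(line)
        m = BOT_API_RE.search(url)
        if m:
            bot_id = m.group("bot_id")
            hits.append({"ts": ts, "src": ip, "kind": "telegram-bot-api",
                         "bot_id": bot_id, "api_method": m.group("method"),
                         "severity": "high" if bot_id in KNOWN_BOT_IDS else "medium"})
            continue
        g = GH_RAW_RE.search(url)
        if g and g.group("repo") in KNOWN_REPOS:
            hits.append({"ts": ts, "src": ip, "kind": "phishing-page-fetch",
                         "repo": g.group("repo"), "severity": "high"})
    return hits


def hosts_by_bot(hits):
    """Group client IPs by the bot they talk to: one bot usually means one operator."""
    out = defaultdict(set)
    for h in hits:
        if h["kind"] == "telegram-bot-api":
            out[h["bot_id"]].add(h["src"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOG)
    for h in found:
        print(h["severity"].upper(), h["ts"], h["src"], h["kind"],
              h.get("bot_id") or h.get("repo"), h.get("api_method", ""))
    print("infected hosts per bot:", hosts_by_bot(found))
```

The URL path is only visible where TLS is terminated (a forward proxy or on-device inspection); with DNS or NetFlow telemetry alone, api.telegram.org from a mobile endpoint is indistinguishable from the Telegram client, which is exactly why the author chose it. The getUpdates/sendMessage/sendDocument methods map onto the command polling, status reporting and file upload behaviour described above.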

Targeted Application

Aberebot v1.0 targeted 140 applications from 18 countries. The newer version carries details of 230 applications from 22 countries. The list of targeted applications as it appears in the code is shown in the figure below.

Figure 15: Subset of targeted apps present in the code

The target includes banking applications, crypto wallet applications, and social account applications. The list of targeted apps is given in the below table.

Banking/Financial Application

Targeted Banking App/Website | Country
com.maybank2u – Maybank2u My app | Malaysia
com.cimbmalaysia – CIMB Clicks Malaysia | Malaysia
at.spardat.bcrmobile – Touch 24 Banking | Austria
at.spardat.netbanking – ErsteBank/Sparkasse Banking | Austria
bawag – BAWAG Group website | Austria
(identifier not recovered) – Bank Austria MobileBanking app | Austria
easybank – Easy Bank website | Austria
raiffeisen – App from Raiffeisen Bank website | Austria
volksbank – Volksbank website | Austria
anzSingaporeDigitalBanking – Australia & New Zealand Bank website | Australia
bankofqueenslandBOQ – Bank of Queensland website | Australia
bankwest – Bankwest website | Australia
bendigobank – Bendigo and Adelaide Bank website | Australia
bombank – BOM Bank website | Australia
citibank – Citibank Australia website | Australia
commbank – Commonwealth Bank website | Australia
cua – Great Southern Bank website | Australia
fusionATMLocator – ATM Locator for Fusion Bank | Australia
imb.banking – Mobile Banking app for IMB Bank | Australia
ingdirect – ING Australia website | Australia
mebank – ME Bank website | Australia
nab – National Australia Bank | Australia
newcastlepermanent – Newcastle Permanent | Australia
orgBanksaBank – BankSA Mobile Banking | Australia
stgeorge.Bank – St.George Mobile Banking | Australia
SuncorpBank – Suncorp Bank website | Australia
WestpacBank – Westpac Bank | Australia
(identifier not recovered) – BMO Mobile Banking | Canada
(identifier not recovered) – CIBC Mobile Banking app | Canada
(identifier not recovered) – RBC Mobile app | Canada
(identifier not recovered) – Scotiabank Mobile Banking | Canada
(identifier not recovered) – TD Bank Canada app | Canada
cleverlanceCsasServis24 – Česká spořitelna | Czech Republic
csobSmartbanking – CSOB Smart Banking website | Czech Republic
(identifier not recovered) – My Air App | Czech Republic
eu.inmite.prj.kb.mobilbank – Mobilni Bank | Czech Republic
sberbankcz – SberBank app | Czech Republic
sksporoapps | Czech Republic
(identifier not recovered) – Noris Bank App | Germany
com.bochk.com | Hong Kong
com.FubonMobileClient | Hong Kong
com.hangseng.rbmobile | Hong Kong
com.MobileTreeApp | Hong Kong
com.mtel.androidbea | Hong Kong
nl.snsbank.mobielbetalen | Netherlands
bankofscotland | United Kingdom
barclays | United Kingdom
csgcsdnmb | United Kingdom
halifax | United Kingdom
hsbc | United Kingdom
natwest | United Kingdom
royalbankofscotland | United Kingdom
santander | United Kingdom
tsb | United Kingdom
ulster | United Kingdom
bofa | United States
capitalone | United States
chase | United States
com.att.myWireless | United States
com.vzw.hss.myverizon | United States
fifththirdbetter | United States
neteller | United States
skrill | United States
suntrust | United States
usaa | United States
usbank | United States
Wellsfargomobile | United States
(Further rows for Hong Kong and New Zealand exist in the original table, but only their country column survived extraction.)
Table 3: List of Banking apps

Crypto Wallet Apps

Targeted Crypto App/Website | Description
blockchaine | Crypto trading company website
com.plunien.poloniex | Poloniex crypto exchange
com.bitfinex.bfxapp | Bitfinex crypto trading app
com.bitmarket.trader | BitMarket crypto trading app
com.coinbase.android | Coinbase crypto trading app
com.mycelium.wallet | Mycelium crypto wallet
com.unocoin.unocoinwallet | Unocoin, India's first Bitcoin & crypto exchange
com.oxigen.oxigenwallet | Oxigen Wallet (India), website for trading crypto coins
Table 4: List of Crypto-related apps

Other targeted Apps

Targeted App | Description
com.****app | Multi-platform centralized chat app
com.engage | Engage app for digital field management
com.Plus | Plus500: CFD online trading on Forex and stocks website
(identifier not recovered) | Mail & Cloud app
com.connectivityapps.hotmail | Connect for Hotmail & Outlook: mail and calendar app
Table 5: List of social account-related apps

Latest news on Aberebot

During Cyble Research Labs' dark web research, we came across an announcement by the Aberebot creator on one of the forums. Refer to the figure below.

Figure 16: Recent announcement by the Aberebot’s author

According to the announcement, the creator of Aberebot has stopped developing the malware because of antivirus detections and other issues, and has put the source code up for sale.


Aberebot v2.0 supports newer versions of Android and incorporates new techniques and behaviours. Its author has also announced that the source code is for sale and needs obfuscation, so we can expect newer versions with more sophisticated techniques from whoever buys it. We also observed that the new version already has many detections on VirusTotal, and we presume the sample was never on the Play Store; the malware is therefore being spread through other vectors such as fake websites, smishing, email phishing, or other social engineering campaigns, and has to be installed through Android's sideloading feature. Android users should know which apps on their device were sideloaded and should install apps only from the Google Play Store. Finally, users should pay attention to the prompts and notifications that appear while using an application, as they frequently indicate something unexpected or undesirable, such as a request to enable an Accessibility service.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:    

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store & Apple App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable device security features such as fingerprint or password for unlocking the mobile device.
  • Be wary of opening any links present in SMSs or Emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated to the latest versions.

How to identify whether you are infected?

  • Regularly check the mobile/Wi-Fi data usage of the applications installed on your device.
  • Keep an eye on the alerts raised by your AV and by Android itself, and act on them.

What to do when you are infected?

  • Disable Wi-Fi/mobile data and remove the SIM card, since in some cases the malware can re-enable mobile data.
  • Back up personal media files (not the installed applications) and perform a factory reset.
  • If a factory reset is not possible, remove the malicious application. Because the malware blocks access to its own settings page, this may require booting into Safe Mode, where third-party apps are disabled and can be uninstalled.

What to do in case of any fraudulent transaction.

  • Report the fraudulent transaction to your bank immediately.
  • Then follow the steps under "What to do when you are infected?".

What banks should do to protect customers?

  • Banks should educate their customers on protecting themselves from such malware, using channels such as telephone, SMS, or email.

MITRE ATT&CK® Techniques

Tactic | Technique ID | Technique Name
Defense Evasion | T1406 | Obfuscated Files or Information
Defense Evasion | T1444 | Masquerade as Legitimate Application
Credential Access | T1412 | Capture SMS Messages
Credential Access | T1414 | Capture Clipboard Data
Credential Access | T1409 | Access Stored Application Data
Discovery | T1421 | System Network Connections Discovery
Discovery | T1430 | Location Tracking
Discovery | T1507 | Network Information Discovery
Collection | T1432 | Access Contact List
Command and Control | T1571 | Non-Standard Port
Command and Control | T1573 | Encrypted Channel
Impact | T1447 | Delete Device Data

Indicators of Compromise (IOCs)

Indicator | Indicator type | Description
ee20d6abcf80df3a02c99b977ae6c948d2449f573daa9204ccc9fab6825883f3 | SHA256 | Hash of the APK sample
hxxps://itts[.]hr/FinaCertifikat/Fina.apk | URL | URL used to spread the malware
hxxps://api.telegram[.]org/bot1962569196 | URL | C&C Telegram Bot URL
