# BankBot
BankBot holds a unique position in Android malware history: it was the first banking trojan whose complete source code was published openly on an underground forum, giving any motivated actor a working credential-theft toolkit with minimal effort. Everything that followed in the Android banking trojan space, from Anubis to Cerberus, traces at least part of its lineage to the code maza-in shared in December 2016.
## Overview
| Property | Value |
|---|---|
| First Seen | December 2016 (source published on exploit.in) |
| Last Seen / Status | Active variants through late 2018; codebase lives on through descendants |
| Type | Banking trojan |
| Attribution | "maza-in" (initial author); numerous independent operators post-publication |
| Aliases | BankBotAlpha (Fortinet designation for earliest variant), Android.BankBot.149.origin (Dr.Web), MazaBot |
## Origin and Lineage
On December 19, 2016, a Russian-speaking actor known as "maza-in" published a tutorial called "Android BOT from scratch" on the exploit.in forum. The post included full source code for both the Android client application and the PHP C2 panel. As Fortinet's analysis documents, maza-in claimed over 10 years of development experience and framed the release as educational, but the tutorial included antivirus cross-scanning results that were continuously updated, confirming malicious intent.
Dr.Web detected the first in-the-wild variant in January 2017, cataloging it as Android.BankBot.149.origin. Because both the Android APK source and the server-side panel were freely available, variants proliferated rapidly. Fortinet distinguished between the original "BankBotAlpha" and its evolved descendants: the strings, C2 commands, and even typos remained consistent across versions, but later variants added anti-analysis, obfuscation, and expanded target lists.
Maza-in continued private development of the codebase, eventually producing Anubis as a significantly enhanced commercial version. Meanwhile, independent actors forked BankBot in various directions throughout 2017-2018. The Check Point end-to-end analysis documented how the open availability of BankBot source transformed the Android threat landscape by removing the development barrier entirely.
## Distribution
BankBot operators demonstrated early success at bypassing Google Play's Bouncer scanner:
- Google Play campaigns: Trojanized apps disguised as flashlight utilities, solitaire games, and device cleaners repeatedly landed on Google Play. Avast, ESET, and SfyLabs jointly reported that the "Tornado FlashLight" app (first spotted October 13, 2017) was followed by "Lamp For DarkNess" and "Sea FlashLight," all carrying BankBot payloads.
- Dropper technique: ThreatFabric documented sophisticated dropper campaigns where apps exhibited legitimate functionality for an extended period before activating malicious behavior. The droppers abused Accessibility Service to silently enable installation from unknown sources and request Device Admin privileges.
- Third-party stores: Beyond Google Play, BankBot APKs circulated through third-party app stores and direct download links distributed via SMS phishing.
ESET tracked a September 2017 variant as the first to combine improved code obfuscation, payload-dropping functionality, and Accessibility Service abuse in a single infection chain on Google Play.
## Capabilities
### Core Feature Set
| Capability | Implementation |
|---|---|
| Overlay injection | Displays fake login UI over legitimate banking apps when launched |
| SMS interception | Intercepts and hides incoming SMS for OTP/2FA theft |
| SMS sending | Sends SMS from victim device (premium SMS fraud, worm-like spreading) |
| Contact theft | Exfiltrates device contact list |
| Call forwarding | Redirects incoming calls |
| Device tracking | Reports GPS location to C2 |
| App list enumeration | Reports installed applications to C2 for target matching |
| Device Admin abuse | Requests admin privileges to resist uninstallation |
### BankBotAlpha vs. BankBot Evolution
| Feature | BankBotAlpha (Dec 2016) | BankBot (2017+) |
|---|---|---|
| Target list | Hardcoded in StartWhile class | Fetched dynamically from C2 |
| Banking apps targeted | ~20 Russian banks | 150-420+ banks across 27+ countries |
| Obfuscation | None | String encryption, code obfuscation, delayed payload activation |
| Accessibility abuse | Minimal | Full Accessibility Service for silent installs, UI manipulation |
| Anti-analysis | None | Emulator detection, delayed activation to evade sandbox analysis |
| Distribution | Side-loading | Google Play droppers, third-party stores |
## Permissions
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Silent install from unknown sources, UI manipulation, overlay injection (2017+ variants) |
| SYSTEM_ALERT_WINDOW | Display overlay windows over banking apps (pre-Android 8) |
| BIND_DEVICE_ADMIN | Device admin for persistence and anti-uninstall |
| READ_SMS | SMS interception for OTP/2FA theft |
| RECEIVE_SMS | Real-time SMS interception |
| SEND_SMS | Premium SMS fraud, worm-like spreading via contact list |
| READ_CONTACTS | Contact exfiltration |
| READ_PHONE_STATE | Device fingerprinting (IMEI, phone number) |
| CALL_PHONE | Call forwarding |
| ACCESS_FINE_LOCATION | GPS location tracking |
| INTERNET | HTTP C2 communication |
| RECEIVE_BOOT_COMPLETED | Restart after device reboot |
| REQUEST_INSTALL_PACKAGES | Install additional payloads (dropper variants) |
## Technical Details
### C2 Communication
BankBot communicates with its C2 server over HTTP. The bot registers with device metadata (IMEI, phone number, installed apps, OS version) and polls for commands at configurable intervals. The C2 panel, written in PHP, provides operators with a web interface for managing bots, pushing overlay templates, and viewing exfiltrated credentials.
Commands are issued as plaintext strings in early versions. Later variants introduced basic encryption of the request/response body. Fortinet noted that the C2 command set remained largely stable across variants, with identical command strings and even consistent grammatical errors in the code.
### Overlay Mechanism
BankBot monitors running applications and matches them against its target list. When a targeted banking app is detected in the foreground, BankBot pushes a WebView overlay that visually replicates the app's login screen. Credentials entered into the overlay are transmitted to the C2. Early versions hardcoded the target list and overlay HTML; later versions fetched both dynamically.
The overlay injection relies on either TYPE_SYSTEM_ALERT window type (pre-Android 8) or Accessibility Service-based injection (Android 8+). This shift was a direct response to Google restricting SYSTEM_ALERT_WINDOW permissions.
### Persistence
BankBot requests Device Admin privileges during initial setup. If granted, the malware cannot be uninstalled through normal means without first revoking admin status. Some variants also register as the default SMS handler to maintain SMS interception across device reboots.
## C2 Infrastructure
| Component | Details |
|---|---|
| Protocol | HTTP (plaintext in early versions, basic encryption in later variants) |
| Panel | PHP-based web interface for bot management, credential viewing, command dispatch |
| Registration | Device metadata sent on first contact (IMEI, phone number, installed apps, OS version) |
| Command polling | Configurable interval HTTP polling for new instructions |
| Overlay hosting | HTML templates for WebView overlays (hardcoded in early versions, C2-served in later variants) |
| Source availability | Full panel and bot source code publicly available from December 2016 |
## Target Regions and Financial Institutions
BankBot's open-source nature meant target lists varied widely by operator. The most comprehensive campaigns spanned:
| Region | Notable Targets |
|---|---|
| North America | Wells Fargo, Chase, Citibank |
| Europe | DiBa, banks in Germany, France, Spain, Portugal, Poland, Greece, Netherlands |
| Turkey | Major Turkish banking apps |
| Australia | Major Australian banking apps |
| Russia | Sberbank, other Russian banks (initial BankBotAlpha targets) |
| Southeast Asia | Banks in Singapore, Philippines |
| Latin America | Banks in Dominican Republic |
Avast reported that a single late-2017 campaign targeted users across the U.S., Australia, Germany, Netherlands, France, Poland, Spain, Portugal, Turkey, Greece, Russia, Dominican Republic, Singapore, and Philippines.
## Notable Campaigns
- January 2017, first wild variants: Dr.Web cataloged Android.BankBot.149.origin as the first BankBot variant observed in the wild, within weeks of the source code publication. Targeting focused on Russian banking apps.
- April 2017, Google Play infiltration: Check Point documented BankBot variants posing as entertainment and banking apps on Google Play, targeting 20+ banks in 27 countries. This marked the beginning of BankBot's repeated success at bypassing Google Play screening.
- May 2017, ThreatFabric botnet analysis: ThreatFabric uncovered a botnet of 5,499 infected devices running BankBot. A single C2 server contained 276 harvested banking credential sets. The campaign targeted 420+ banking applications with overlay templates.
- September 2017, ESET accessibility variant: ESET identified the first BankBot variant on Google Play to combine code obfuscation, dropper functionality, and Accessibility Service abuse in a single infection chain.
- October-November 2017, flashlight/solitaire wave: A joint investigation by Avast, ESET, and SfyLabs revealed BankBot hidden in flashlight and solitaire apps. Some of these apps also dropped secondary payloads including Mazar Bot and Red Alert malware, demonstrating multi-family dropper coordination.
## Evolution
| Phase | Period | Key Changes |
|---|---|---|
| Source publication | December 2016 | Full Android client + PHP panel published on exploit.in by maza-in |
| First wild variants | January 2017 | Basic overlay attacks targeting ~20 Russian banks |
| Google Play infiltration | April-May 2017 | Dropper apps on Google Play, 420+ bank targets, 27+ countries |
| Accessibility abuse | September 2017 | Silent installs, UI manipulation, improved obfuscation |
| Multi-family droppers | October-November 2017 | BankBot apps dropping secondary payloads (Mazar Bot, Red Alert) |
| Superseded by Anubis | Late 2017-2018 | Maza-in's private development fork becomes Anubis |
| Legacy | 2018+ | Direct variants decline as operators migrate to more capable successors |
## Detection
| Indicator Type | Details |
|---|---|
| Device Admin request | App requesting device administrator without MDM functionality |
| Overlay windows | TYPE_SYSTEM_ALERT windows rendered over banking apps (pre-Android 8) |
| SMS handler registration | App registering as default SMS handler |
| Accessibility abuse | App using accessibility service to silently enable unknown sources and grant device admin |
| C2 command strings | Consistent command strings and grammatical errors across variants (identifiable pattern) |
| Delayed activation | App exhibiting normal behavior for days before activating malicious functionality |
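The Permissions and Detection tables above describe a permission profile that a static triage step can check before an APK is installed or admitted to an app store. The following added example (not code from any of the cited vendor reports) parses a decoded AndroidManifest.xml, maps its requested and bound permissions onto the capabilities listed on this page, and flags the pairing the Detection table singles out: an accessibility or device-admin component sitting alongside SMS or overlay permissions. The flag rule and both sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace
# Requested permissions from the page's Permissions table, keyed by the
# BankBot capability each one enables.
REQUESTED = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_theft": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "sms_send": {"android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "boot_persist": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "dropper": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
# Accessibility and Device Admin are not <uses-permission> entries: a
# <service> or <receiver> declares them in its android:permission attribute.
BOUND = {
    "accessibility": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "device_admin": "android.permission.BIND_DEVICE_ADMIN",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Map a decoded manifest to BankBot capabilities and flag the pairing the
    Detection table describes (privilege escalation plus SMS/overlay access).
    The flag rule is an assumption of this example, not a vendor signature."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    bound = {e.get(NS + "permission")
             for tag in ("service", "receiver") for e in root.iter(tag)}
    hits = {cap for cap, perms in REQUESTED.items() if perms & requested}
    hits |= {cap for cap, perm in BOUND.items() if perm in bound}
    escalates = bool(hits & {"accessibility", "device_admin"})
    steals = bool(hits & {"sms_theft", "overlay"})
    return {"capabilities": sorted(hits), "flag": escalates and steals}

# Constructed sample: a "flashlight" app carrying the BankBot permission set.
TROJANIZED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
# Constructed sample: a benign flashlight that only needs the camera.
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
```

Run it on a manifest extracted with a decoder such as apktool; a flagged result is a triage signal for manual review, not proof of infection, since legitimate MDM and SMS apps declare some of the same components.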
## Related Families
| Family | Relationship |
|---|---|
| Anubis | Direct successor. Maza-in continued private development of BankBot into Anubis, adding keylogging, screen recording, VNC, and ransomware. |
| GodFather | Second-generation descendant. Built on the leaked Anubis source, which itself evolved from BankBot. |
| Cerberus | Influenced by BankBot's open-source model. Cerberus adopted similar overlay injection techniques and later had its own source leaked. |
| Ermac | Third-generation descendant through the Cerberus leak lineage, inheriting overlay and credential-theft patterns that trace back to BankBot. |
## References
- Fortinet - BankBot: The Prequel
- Fortinet - A Look Into the New Strain of BankBot
- Dr.Web - Android.BankBot.149.origin (January 2017)
- Check Point - The Mobile Banker Threat From End to End
- Avast - Mobile Banking Trojan Sneaks Into Google Play (November 2017)
- ESET - Banking Trojan Returns to Google Play (September 2017)
- ThreatFabric - Sophisticated Google Play BankBot Trojan Campaigns