# TsarBot
TsarBot is an Android banking trojan discovered by Cyble in March 2025 targeting over 750 applications across banking, finance, cryptocurrency, e-commerce, and social media sectors. It spreads through phishing sites impersonating financial platforms, deploys via a dropper disguised as Google Play Services, and uses overlay attacks combined with on-device fraud capabilities to steal credentials and execute unauthorized transactions. TsarBot communicates with its C2 infrastructure over WebSocket connections across four dedicated ports, supports roughly 30 server-issued commands for real-time device control, and conceals its fraudulent activity behind a black overlay screen.
## Overview
| Attribute | Details |
|---|---|
| First Seen | March 2025 |
| Status | Active |
| Type | Banking trojan, on-device fraud |
| Attribution | Suspected Russian-speaking developer |
| Distribution | Phishing sites, dropper disguised as Google Play Services |
## Origin and Lineage
Cyble's analysis identified Russian-language log entries within the malware, suggesting a Russian-speaking developer or team. The name "TsarBot" reflects this suspected origin. TsarBot arrived as a capable threat from its first observed samples, with a broad target list spanning multiple continents and application categories from the outset.
The overlay-based credential theft approach places TsarBot in the same operational category as families like Cerberus, Ermac, and Hook, though no direct code lineage to these families has been established. TsarBot's WebSocket-based C2 architecture and dedicated port structure differentiate it from the HTTP-based communication patterns common in older banking trojan families.
## Distribution
TsarBot spreads through phishing sites that impersonate legitimate financial platforms. Cyble observed one campaign using a phishing site mimicking the Photon Sol token trading platform, offering a fake download option that the legitimate site does not provide. The downloaded dropper disguises itself as Google Play Services and installs the TsarBot payload.
| Vector | Details |
|---|---|
| Phishing sites | Fake financial platform websites offering malicious APK downloads |
| Dropper | Disguised as Google Play Services to appear legitimate |
| Social engineering | Lures tied to cryptocurrency trading and financial services |
## Capabilities
### Core Features
| Capability | Implementation |
|---|---|
| Overlay attacks | Fake login pages over 750+ banking, crypto, e-commerce, and social media apps |
| Screen capture | Streams screen content to C2 via WebSocket on port 9002 |
| Remote device control | Simulates taps, swipes, and credential entry for on-device fraud |
| Black overlay screen | Hides fraudulent on-screen activity from the victim |
| Lock grabbing | Captures device unlock PIN, password, or pattern via fake lock screen |
| Keylogging | Records keystrokes including usernames, passwords, and card details |
| SMS interception | Captures incoming SMS messages including 2FA codes |
| On-device fraud | Executes unauthorized transactions directly on the compromised device |
### Overlay Attacks
TsarBot's primary credential theft mechanism uses overlay attacks targeting over 750 applications. The target list spans regional banking apps from countries including France, Poland, the United Kingdom, India, the UAE, and Australia, along with global cryptocurrency exchanges, e-commerce platforms, and social media applications. When a targeted app launches, TsarBot displays a pixel-perfect fake login page on top of the legitimate app, capturing credentials as the victim enters them.
### Lock Grabbing
TsarBot includes a LockTypeDetector feature that uses the accessibility service to determine the device's lock type by detecting on-screen text such as "PIN area," "Device password," or pattern indicators. On the first USER_PRESENT broadcast after installation, TsarBot loads a fake lock screen matching the detected lock type and captures the victim's unlock credential. This stolen PIN, password, or pattern enables the operator to unlock the device during remote access sessions.
### On-Device Fraud
TsarBot can execute fraudulent transactions directly on the victim's device rather than replaying stolen credentials from a separate system. The malware receives approximately 30 commands from the C2 server focused on screen control: simulating gestures, entering text, navigating through banking app workflows, and initiating transfers. During these sessions, TsarBot activates a black overlay screen to hide the activity from the victim, who sees only a dark display and assumes the device is idle.
## Technical Details
### WebSocket C2 Architecture
TsarBot's C2 communication is built entirely on WebSocket, distinguishing it from most Android banking trojans that rely on HTTP or HTTPS. The malware connects to the C2 server across four dedicated ports, each serving a specific function.
| Port | Function |
|---|---|
| 9001 | Primary command channel for receiving instructions and sending stolen data |
| 9002 | Screen capture stream transmission |
| 9004 | Overlay attack coordination and injection target delivery |
| 9030 | Additional command and data channel |
This multi-port WebSocket design enables persistent, low-latency bidirectional communication between the malware and the operator, supporting real-time screen streaming and interactive device control required for on-device fraud.
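The port layout above is itself a network-detection opportunity: no single port is distinctive, but one client opening WebSocket sessions to the same server on two or more of 9001/9002/9004/9030 matches the pattern Cyble describes. The script below is an added example for this page, not Cyble's tooling or anything from the malware; it assumes a simplified, space-separated connection log (timestamp, source, destination, destination port, service label), and every log line and IP address in it is constructed from documentation ranges, not a real indicator.

```python
"""Flag client/server pairs that use the multi-port WebSocket C2 layout
attributed to TsarBot (9001, 9002, 9004, 9030).

Added example, not code from the page's source or from the malware.
Assumed log format: one record per line,
  <timestamp> <src_ip> <dst_ip> <dst_port> <service>
The records below are constructed; the addresses are documentation ranges.
"""
from collections import defaultdict

# Port set documented for TsarBot's four WebSocket channels.
TSARBOT_PORTS = {9001, 9002, 9004, 9030}

# Constructed sample telemetry; not real observations.
SAMPLE_LOG = """\
2025-03-10T09:00:01Z 10.0.0.21 203.0.113.10 9001 websocket
2025-03-10T09:00:04Z 10.0.0.21 203.0.113.10 9002 websocket
2025-03-10T09:00:09Z 10.0.0.21 203.0.113.10 9004 websocket
2025-03-10T09:01:00Z 10.0.0.21 203.0.113.50 443 ssl
2025-03-10T09:02:00Z 10.0.0.33 198.51.100.7 9001 websocket
2025-03-10T09:02:30Z 10.0.0.33 198.51.100.7 443 ssl
2025-03-10T09:03:00Z 10.0.0.44 192.0.2.9 9002 websocket
2025-03-10T09:03:01Z 10.0.0.44 192.0.2.9 9030 websocket
2025-03-10T09:03:02Z 10.0.0.44 192.0.2.9 9001 websocket
2025-03-10T09:03:02Z 10.0.0.44 192.0.2.9 9004 websocket
"""


def parse_records(text):
    """Parse the assumed log format into (src, dst, port, service) tuples.

    Malformed lines (wrong field count, non-numeric port) are skipped
    rather than aborting the whole run.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, port, service = parts
        try:
            records.append((src, dst, int(port), service))
        except ValueError:
            continue
    return records


def find_multiport_ws(records, min_ports=2):
    """Return {(src, dst): sorted matched ports} for pairs that use at least
    min_ports of the TsarBot ports over WebSocket.

    One connection to 9001 alone is weak evidence (many benign services use
    it); the distinguishing trait is several of these channels to one server.
    """
    seen = defaultdict(set)
    for src, dst, port, service in records:
        if port in TSARBOT_PORTS and service == "websocket":
            seen[(src, dst)].add(port)
    return {pair: sorted(ports) for pair, ports in seen.items()
            if len(ports) >= min_ports}


def severity(ports):
    """Rough triage score: more distinct channels means higher confidence,
    with a bonus when the command port (9001) and the screen-stream port
    (9002) both appear, which matches an interactive remote session."""
    score = len(ports)
    if 9001 in ports and 9002 in ports:
        score += 1
    return score


if __name__ == "__main__":
    hits = find_multiport_ws(parse_records(SAMPLE_LOG))
    for (src, dst), ports in sorted(hits.items(), key=lambda kv: -severity(kv[1])):
        print(f"{src} -> {dst}: ports {ports} (score {severity(ports)})")
```

Tune `min_ports` to the environment: two ports catches the command-plus-screen-stream pairing, while requiring three trades recall for fewer false positives on hosts that legitimately use a single high port.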
### Accessibility Service Abuse
TsarBot depends on the Android accessibility service for most of its core functionality. Once the victim grants accessibility permissions, the malware can monitor foreground applications to trigger overlay injections, detect and interact with UI elements for automated fraud, capture keystrokes, determine device lock type, and intercept notifications containing authentication codes.
### Screen Capture
When the C2 sends the REQUEST_CAPTURE command, TsarBot prompts the victim to grant screen capture permissions. Once authorized, the malware initiates a screen capture service that continuously streams the device's display to the C2 server over port 9002. This gives the operator a live view of the device for monitoring victim activity and guiding on-device fraud sessions.
### Permissions
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Core dependency for overlay triggering, keylogging, screen capture, lock type detection, and remote device control |
| SYSTEM_ALERT_WINDOW | Display overlay injections and black screen during remote sessions |
| READ_SMS | Read incoming SMS for OTP interception |
| RECEIVE_SMS | Intercept SMS in real-time |
| READ_PHONE_STATE | Device fingerprinting |
| INTERNET | WebSocket C2 communication across four ports |
| RECEIVE_BOOT_COMPLETED | Persistence across reboots |
| REQUEST_INSTALL_PACKAGES | Dropper installs main payload |
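The value of this table for a triage analyst is the combination, not any one entry: a single app that hosts an accessibility service, draws overlays, reads SMS and installs packages is rare among legitimate software. The script below is an added example for this page, not Cyble's tooling or the malware's code. It assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool), and the sample manifest, its package name and its service name are all constructed placeholders. One detail it gets right that naive permission greps miss: BIND_ACCESSIBILITY_SERVICE is not a `<uses-permission>` entry but the `android:permission` guard on the `<service>` that implements the accessibility API.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission mix
associated with overlay-based banking trojans.

Added example for this page; not Cyble's tooling. Assumes a manifest already
decoded to plain XML. The sample below is constructed, with placeholder
package and class names.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"
LABEL_ATTR = f"{{{ANDROID_NS}}}label"

# Permissions from the table above, each tagged with the capability it enables.
PERMISSION_TAGS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.RECEIVE_BOOT_COMPLETED": "persistence",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
    "android.permission.READ_PHONE_STATE": "fingerprint",
}

# Constructed manifest resembling a dropper that labels itself as Google Play
# Services; package and service names are placeholders.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.updater">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Google Play Services">
        <service android:name=".PlaceholderA11yService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return (tags, label): the set of risky capability tags declared by the
    manifest and the application's display label.

    Accessibility is detected on the <service> element's android:permission
    attribute, because BIND_ACCESSIBILITY_SERVICE is a signature-level guard
    the system checks on the service, never a <uses-permission> entry.
    """
    root = ET.fromstring(xml_text)
    tags = set()
    for up in root.iter("uses-permission"):
        tag = PERMISSION_TAGS.get(up.get(NAME_ATTR, ""))
        if tag:
            tags.add(tag)
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            tags.add("accessibility")
    app = root.find("application")
    label = app.get(LABEL_ATTR, "") if app is not None else ""
    return tags, label


def risk_findings(tags, label):
    """Translate the tag set into findings. Each rule needs a combination;
    any single permission here is common in benign apps."""
    findings = []
    if {"accessibility", "overlay"} <= tags:
        findings.append("accessibility + overlay: overlay-injection banker pattern")
    if {"accessibility", "sms"} <= tags:
        findings.append("accessibility + SMS: OTP interception possible")
    if "dropper" in tags and "Google Play" in label:
        findings.append("requests package installs while labelled as Google Play Services")
    return findings


if __name__ == "__main__":
    tags, label = triage_manifest(SAMPLE_MANIFEST)
    print(f"label={label!r} tags={sorted(tags)}")
    for finding in risk_findings(tags, label):
        print("  -", finding)
```

The label check is deliberately narrow: a third-party app that calls itself "Google Play Services" and asks to install packages is the dropper behaviour described in the Distribution section, whereas the genuine package is a system component that never arrives as a sideloaded APK.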
### Target Regions
| Region | Targeted Sectors |
|---|---|
| Europe | Banking apps in France, Poland, United Kingdom |
| Asia-Pacific | Banking and finance apps in India, Australia |
| Middle East | Banking apps in the UAE |
| North America | Banking, finance, and crypto apps |
| Global | Cryptocurrency exchanges, e-commerce, social media platforms |
The breadth of TsarBot's target list, spanning six continents and multiple industry verticals from its first observed samples, suggests operators with established infrastructure and the intent to scale rapidly. The inclusion of social media and e-commerce alongside traditional banking targets expands the monetization surface beyond pure financial fraud.
## Notable Campaigns
March 2025: Cyble publishes the initial discovery of TsarBot. The analysis identifies over 750 targeted applications, documents the WebSocket-based C2 architecture across four ports, and details the overlay injection, lock grabbing, screen recording, and on-device fraud capabilities. Cyble highlights a phishing campaign impersonating the Photon Sol cryptocurrency trading platform as a distribution vector, with the dropper masquerading as Google Play Services.
## Related Families
TsarBot's overlay attack model follows the pattern established by Cerberus and continued through Ermac, Hook, and Godfather, all of which use fake login pages injected over targeted banking applications. However, TsarBot's WebSocket C2 design is a departure from the HTTP-based approaches used by most of these families.
The on-device fraud capability, where the malware executes transactions directly on the compromised device rather than replaying stolen credentials elsewhere, aligns TsarBot with families like Octo and Hook that also support real-time remote access and interactive device control. The black overlay screen used to conceal fraud sessions is a technique shared with Octo, Hook, and Crocodilus.
TsarBot's lock grabbing via fake lock screens is a technique also employed by TrickMo, which uses a similar HTML-based fake unlock screen to capture device PINs and patterns.