Malware Naming Conventions

There is no universal naming standard for Android malware. Different security vendors independently analyze and name the same malware family, resulting in multiple names for the same threat. This makes cross-referencing research across vendors one of the most tedious parts of mobile threat intelligence.

The Problem

When a new Android banking trojan appears, each vendor that analyzes it assigns their own name. The name usually sticks if the vendor publishes first, but not always. Some vendors never adopt the common name and use their own detection taxonomy indefinitely.

Naming Formats by Vendor Type

AV Engine Detection Names

Traditional antivirus engines use a structured format:

Platform:Type/Family.Variant
| Vendor | Format | Example (Cerberus) |
| --- | --- | --- |
| Bitdefender | Android.Trojan.Category.XX | Android.Trojan.Banker.VT |
| Dr.Web | Android.BankBot.NNNNN | Android.BankBot.842 |
| ESET | Android/Type.Family.XX | Android/Spy.Cerberus.A |
| Fortinet | Android/Family.A!tr | Android/Cerberus.A!tr |
| Kaspersky | HEUR:Trojan-Type.AndroidOS.Family.x | HEUR:Trojan-Banker.AndroidOS.Cebruser.a |
| McAfee | Android/Family.X | Android/Cerberus.A |
| Trend Micro | AndroidOS_Family.VARIANT | AndroidOS_Cerberus.HRX |
| Avast/AVG | Android:Family-X [Trj] | Android:Cerberus-A [Trj] |
| Symantec/Broadcom | Android.Trojan.Family | Trojan.Gen.MBT |
| Sophos | Andr/Family-X | Andr/Cerber-A |

These names are designed for automated detection, not human communication. They rarely match the research name used in reports. The variant suffix (.A, .B, etc.) increments per sample, not per malware version.

Complete VirusTotal Scanner List

When submitting an Android APK to VirusTotal, these are all the engines that may produce a detection name. They are organized by category to help interpret results.

Mobile-Specific Engines

| Engine | Android Detection Format | Notes |
| --- | --- | --- |
| AhnLab-V3 | Trojan/Android.Banker.NNNNNN | Korean AV, strong on Asian malware |
| Avast-Mobile | Android:Family-X [Trj] | Mobile-specific scanner, same family names as desktop Avast |
| BitDefenderFalx | Android.Trojan.Family.XX | Bitdefender's mobile engine |
| Symantec Mobile Insight | AppRisk:Generisk or family-specific | Broadcom's mobile engine, often generic |
| Trustlook | Android.PUA.Family | Mobile-focused, behavioral detection |

Major AV Engines

| Engine | Android Detection Format | Notes |
| --- | --- | --- |
| Avast | Android:Family-X [Trj] | Shares engine with AVG |
| AVG | Android:Family-X [Trj] | Same engine as Avast |
| Avira (no cloud) | ANDROID/Family.XXXXX.X | Static-only results on VT |
| BitDefender | Android.Trojan.Family.XX | Licensed by many other engines (eScan, GData, Emsisoft) |
| ClamAV | Andr.Trojan.Family-NNNNNNN-0 | Open source, often behind on mobile |
| DrWeb | Android.BankBot.NNNNN | Uses numeric IDs, hard to cross-reference |
| ESET-NOD32 | Android/Spy.Family.XX | Consistent naming, good mobile coverage |
| Fortinet | Android/Family.A!tr | Suffix indicates type (!tr = trojan, !spy = spyware) |
| GData | Android.Trojan.Family.XX | Uses Bitdefender engine |
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.Family.x | Prefix: HEUR (heuristic), UDS (cloud), PDM (behavioral) |
| Malwarebytes | Android/Trojan.Banker.Family | Good mobile coverage |
| McAfee Scanner | Artemis!HASH or Android/Family.X | "Artemis" = generic cloud detection |
| Microsoft | Trojan:AndroidOS/Family.A!MTB | !MTB = machine learning, !ml = cloud ML |
| Sophos | Andr/Family-X | Consistent prefix Andr/ |
| Symantec | Trojan.Gen.MBT or Android.Reputation.X | Often generic, poor family naming |
| Trellix ENS | Artemis!HASH | Formerly McAfee Enterprise |
| TrendMicro | AndroidOS_Family.VARIANT | Uppercase variant code |
| TrendMicro-HouseCall | AndroidOS_Family.VARIANT | Same as TrendMicro |
| WithSecure | Trojan:Android/Family.HASH | Formerly F-Secure |

EDR / Next-Gen

| Engine | Android Detection Format | Notes |
| --- | --- | --- |
| CrowdStrike Falcon | AndroidOS.Family.XX | Behavioral, often lacks family name |
| DeepInstinct | MALICIOUS | Binary verdict, no family name |
| Elastic | Android.Trojan.Family | Community rules |
| Palo Alto Networks | generic.ml | ML-based, usually no family name |
| SentinelOne (Static ML) | Static AI - Malicious APK | Binary verdict |
| Skyhigh (SWG) | BehavesLike.AndroidOS.Malware.xx | Behavioral prefix |
| TEHTRIS | Generic verdict | No family names |
| Trapmine | Generic verdict | No family names |

Regional Engines

| Engine | Region | Android Detection Format |
| --- | --- | --- |
| Alibaba | China | TrojanBanker:Android/Family.HASH |
| AliCloud | China | TrojanBanker:Android/Family |
| Antiy-AVL | China | Trojan/Android.Banker.family |
| Baidu | China | Android.Trojan.Bank.XX |
| Huorong | China | Android/Family.X |
| Jiangmin | China | TrojanBanker.AndroidOS.xx |
| Kingsoft | China | Android.Troj.Family.x |
| Rising | China | Trojan.Banker/Android!version |
| Tencent | China | A.privacy.family.x |
| AhnLab-V3 | Korea | Trojan/Android.Family.NNNNNN |
| ALYac | Korea | Trojan.Android.Family |
| ViRobot | Korea | Android.Family.X |
| TACHYON | Korea | Trojan-Android/Family |
| Bkav Pro | Vietnam | Android.Trojan.Family |
| K7AntiVirus | India | Trojan (XXXXXXXXXX) |
| K7GW | India | Trojan (XXXXXXXXXX) |
| QuickHeal | India | Android.Family.GEN |
| Ikarus | Austria | Trojan-Banker.AndroidOS.Family |
| Zillya | Ukraine | Trojan.Banker.Android.NNNNN |

Other Engines

| Engine | Notes |
| --- | --- |
| Acronis (Static ML) | ML-based, generic verdicts |
| Arcabit | Uses Bitdefender engine |
| CMC | Vietnam, limited mobile coverage |
| CTX | Generic detections |
| Cynet | Network-focused |
| eScan | Uses Bitdefender engine |
| Emsisoft | Uses Bitdefender engine |
| Google | Google Play Protect verdict |
| Gridinsoft (no cloud) | Limited mobile coverage |
| Lionic | Limited mobile coverage |
| MaxSecure | Limited mobile coverage |
| NANO-Antivirus | Russian, numeric detection names |
| Panda | Android/Family |
| Sangfor Engine Zero | Network security vendor |
| SecureAge | ML-based |
| SUPERAntiSpyware | Limited mobile coverage |
| Arctic Wolf | MDR vendor |
| Varist | AndroidOS/Family |
| VBA32 | Belarusian, limited mobile |
| VIPRE | Uses Bitdefender engine |
| VirIT | Italian, limited mobile |
| Webroot | Cloud-based, hash verdicts |
| Xcitium | Formerly Comodo |
| Yandex | Russian, Trojan.AndroidOS.Family |
| ZoneAlarm by Check Point | Uses Check Point engine |
| Zoner | Czech, limited mobile |

Interpreting VirusTotal Results for Android

When analyzing an APK on VirusTotal:

  • High detection count with varied family names: the engines disagree on the family. Check ThreatFabric, ESET, and Kaspersky names first as they have the best Android coverage.
  • "Artemis" or hash-based names: McAfee/Trellix detected it generically via cloud ML. No family attribution.
  • "Trojan.Gen.MBT" or "Android.Reputation": Symantec generic detection. No useful family info.
  • "Static AI" or "MALICIOUS": next-gen engines (SentinelOne, DeepInstinct) flagged it but provide no family name.
  • Chinese engine cluster agrees: Tencent, Alibaba, Baidu, Huorong tend to share signatures. If they all name a family, it's worth checking.
  • Only 2-3 engines detect it: either new/zero-day sample, or the sample is packed/obfuscated. Check the "Details" tab for packer detection.
  • Bitdefender family detected: eScan, GData, Emsisoft, VIPRE, Arcabit all license Bitdefender's engine, so they'll show the same or similar detection. Don't count them as independent confirmations.

Research/Threat Intel Names

Threat intelligence firms assign proper names used in reports and blog posts:

| Vendor | Naming Style | Examples |
| --- | --- | --- |
| ThreatFabric | Mythological, original | Cerberus, Hydra, Medusa, Anatsa, Hook, Vultur, Xenomorph, Octo |
| Cleafy | Uses ThreatFabric names or coins their own | Copybara, PixPirate, ToxicPanda, SharkBot, BRATA |
| Group-IB | Original names | Gustuff, GodFather, GoldDigger |
| Kaspersky | Descriptive or campaign-based | Roaming Mantis, Harly, SilentFade |
| ESET | Descriptive or abbreviated | FurBall, FinSpy (uses "FinSpy" not FinFisher) |
| McAfee | Descriptive, often uses common name | Uses widely-adopted names in blogs, detection names differ |
| Proofpoint | Sometimes coins alternatives | TangleBot (= Medusa) |
| Cyble | Uses common names, occasionally original | Generally adopts existing names from first publisher |
| Zimperium | Original names for their discoveries | GriftHorse, Dark Herring, RatMilad |
| Lookout | Original or common names | Pegasus (Chrysaor for Android), Hermit |
| Citizen Lab | Uses vendor names | Pegasus, Predator |

Google's Naming

Google uses its own taxonomy in Android security bulletins and Play Protect communications:

  • Internal tracking IDs not disclosed publicly
  • Blog posts use generic descriptions ("potentially harmful application" / PHA)
  • Google's Android Security team sometimes adopts research names in public talks
  • Android security bulletins reference CVEs, not malware family names
  • Google TAG (Threat Analysis Group) uses vendor names when discussing commercial spyware: Pegasus, Predator, Hermit

Cross-Vendor Name Mapping

The following table maps the most commonly used name to the names used by major AV vendors and research firms. This is the single most useful reference for cross-referencing threat reports.

Banking Trojans

| Common Name | McAfee | Kaspersky | ESET | Trend Micro | Bitdefender | Fortinet | Symantec |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Albiriox | - | Trojan-Banker.AndroidOS.Albiriox | - | - | Android.Trojan.Banker | - | - |
| Antidot | - | Trojan-Banker.AndroidOS.Antidot | - | - | Android.Trojan.Banker | - | - |
| Anubis | Android/Anubis | Trojan-Banker.AndroidOS.Anubis | Android/Spy.Banker.BSI | AndroidOS_Anubis | Android.Trojan.Banker | Android/Anubis | Trojan.Gen.MBT |
| Anatsa | Android/Anatsa | Trojan-Banker.AndroidOS.Anatsa | Android/Spy.Banker.BJK | AndroidOS_TeaBot | Android.Trojan.Banker | Android/Anatsa | Android.Reputation.1 |
| BankBot | Android/BankBot | Trojan-Banker.AndroidOS.Agent | Android/Spy.Banker | AndroidOS_BankBot | Android.Trojan.Banker | Android/Agent | Trojan.Gen |
| Cerberus | Android/Cerberus | Trojan-Banker.AndroidOS.Cebruser | Android/Spy.Cerberus | AndroidOS_Cerberus | Android.Trojan.Banker.VT | Android/Cerberus | Trojan.Gen.MBT |
| Ermac | Android/Ermac | Trojan-Banker.AndroidOS.Ermac | Android/Spy.Banker | AndroidOS_Ermac | Android.Trojan.Banker | Android/Ermac | Trojan.Gen.MBT |
| GodFather | Android/GodFather | Trojan-Banker.AndroidOS.Godfather | Android/Spy.Banker | AndroidOS_GodFather | Android.Trojan.Banker | Android/GodFather | Trojan.Gen |
| Hook | Android/Hook | Trojan-Banker.AndroidOS.Hook | Android/Spy.Hook | AndroidOS_Hook | Android.Trojan.Banker | Android/Hook | Trojan.Gen.MBT |
| Hydra | Android/Hydra | Trojan-Banker.AndroidOS.Piom | Android/Spy.Banker.BRR | AndroidOS_Hydra | Android.Trojan.Banker | Android/Hydra | Trojan.Gen.MBT |
| Medusa | Android/Medusa | Trojan-Banker.AndroidOS.Medusa | Android/Spy.Banker | AndroidOS_Medusa | Android.Trojan.Banker | Android/Medusa | Trojan.Gen |
| Octo | Android/Octo | Trojan-Banker.AndroidOS.Coper | Android/Spy.Agent.CLR | AndroidOS_Coper | Android.Trojan.Banker | Android/Coper | Trojan.Gen.MBT |
| SharkBot | Android/SharkBot | Trojan-Banker.AndroidOS.Sharkbot | Android/Spy.Banker | AndroidOS_SharkBot | Android.Trojan.Banker | Android/SharkBot | Trojan.Gen |
| Vultur | Android/Vultur | Trojan-Banker.AndroidOS.Vultur | Android/Spy.Banker | AndroidOS_Vultur | Android.Trojan.Banker | Android/Vultur | Trojan.Gen.MBT |
| BingoMod | - | Trojan-Banker.AndroidOS.BingoMod | - | - | Android.Trojan.Banker | - | - |
| BlankBot | - | Trojan-Banker.AndroidOS.BlankBot | - | - | Android.Trojan.Banker | - | - |
| Brokewell | - | Trojan-Banker.AndroidOS.Brokewell | - | - | Android.Trojan.Banker | - | - |
| Crocodilus | - | Trojan-Banker.AndroidOS.Crocodilus | - | - | Android.Trojan.Banker | - | - |
| GoldPickaxe | - | Trojan-Banker.AndroidOS.GoldPickaxe | Android/Spy.GoldPickaxe | - | Android.Trojan.Banker | - | - |
| Herodotus | - | Trojan-Banker.AndroidOS.Herodotus | - | - | Android.Trojan.Banker | - | - |
| Klopatra | - | Trojan-Banker.AndroidOS.Klopatra | - | - | Android.Trojan.Banker | - | - |
| NGate | - | - | Android/NGate | - | - | - | - |
| RatOn | - | Trojan-Banker.AndroidOS.RatOn | - | - | - | - | - |
| Sturnus | - | Trojan-Banker.AndroidOS.Sturnus | - | - | - | - | - |
| TrickMo | - | Trojan-Banker.AndroidOS.TrickMo | - | - | Android.Trojan.Banker | - | - |
| TsarBot | - | Trojan-Banker.AndroidOS.TsarBot | - | - | Android.Trojan.Banker | - | - |
| Xenomorph | Android/Xenomorph | Trojan-Banker.AndroidOS.Xenomorph | Android/Spy.Banker | AndroidOS_Xenomorph | Android.Trojan.Banker | Android/Xenomorph | Trojan.Gen |

Fraud and SMS

| Common Name | McAfee | Kaspersky | ESET | Trend Micro |
| --- | --- | --- | --- | --- |
| Joker | Android/Joker | Trojan.AndroidOS.Joker | Android/Joker | AndroidOS_Joker |
| FluBot | Android/FluBot | Trojan-Banker.AndroidOS.Cabassous | Android/TrojanDropper.Agent | AndroidOS_FluBot |
| Harly | Android/Harly | Trojan.AndroidOS.Harly | Android/Joker | AndroidOS_Harly |
| GriftHorse | Android/GriftHorse | Trojan.AndroidOS.GriftHorse | Android/Agent | AndroidOS_GriftHorse |

Regional Banking Trojans

| Common Name | McAfee | Kaspersky | ESET | Region |
| --- | --- | --- | --- | --- |
| Fakecalls | Android/Fakecalls | Trojan-Banker.AndroidOS.Fakecalls | Android/Spy.Banker.Fakecalls | South Korea |
| FluHorse | - | Trojan-Banker.AndroidOS.FluHorse | - | East Asia (Taiwan, Vietnam) |
| Gigabud | - | Trojan-Banker.AndroidOS.Gigabud | - | Southeast Asia |
| Frogblight | - | Trojan-Banker.AndroidOS.Frogblight | Android/Spy.Banker.Frogblight | Turkey |
| Mamont | - | Trojan-Banker.AndroidOS.Mamont | Android/Spy.Banker.Mamont | Russia |
| MoqHao | Android/MoqHao | Trojan-Banker.AndroidOS.Wroba | Android/TrojanDropper.Agent | East Asia |
| SoumniBot | Android/Banker.SoumniBot | Trojan-Banker.AndroidOS.SoumniBot | - | South Korea |
| DeVixor | - | Trojan-Banker.AndroidOS.DeVixor | - | Iran |
| Zanubis | Android/Zanubis | Trojan-Banker.AndroidOS.Zanubis | Android/Spy.Banker.Zanubis | Peru |

Crypto Stealers and SDK Malware

| Common Name | McAfee | Kaspersky | ESET | Type |
| --- | --- | --- | --- | --- |
| Goldoson | Android/Goldoson | AdWare.AndroidOS.Goldoson | - | Malicious SDK |
| Necro | Android/Necro | Trojan-Downloader.AndroidOS.Necro | Android/TrojanDownloader.Necro | Supply chain |
| SparkCat | Android/SparkCat | Trojan.AndroidOS.SparkCat | Android/Spy.SparkCat | OCR crypto stealer |
| SpyAgent | Android/SpyAgent | Trojan-Spy.AndroidOS.SpyAgent | - | OCR crypto stealer |
| SpyLoan | Android/SpyLoan | Trojan.AndroidOS.SpyLoan | Android/SpyLoan | Predatory lending |

Spyware

| Common Name | McAfee | Kaspersky | ESET | Also Known As |
| --- | --- | --- | --- | --- |
| Mandrake | Android/Mandrake | Trojan-Spy.AndroidOS.Mandrake | Android/Spy.Mandrake | - |
| Pegasus | Android/Pegasus | Trojan-Spy.AndroidOS.Pegasus | Android/Spy.Chrysaor | Chrysaor (Android variant) |
| Predator | Android/Predator | Trojan-Spy.AndroidOS.Predator | Android/Spy.Agent | Alien (loader component) |
| FinSpy | Android/FinSpy | Trojan-Spy.AndroidOS.FinSpy | Android/Spy.FinSpy | FinFisher, FinSpy Mobile |
| Hermit | Android/Hermit | Trojan-Spy.AndroidOS.Hermit | Android/Spy.Agent | RCS Android |
| SpyNote | Android/SpyNote | Trojan-Spy.AndroidOS.SpyNote | Android/Spy.SpyNote | SpyMax, CypherRat |
| KoSpy | - | Trojan-Spy.AndroidOS.KoSpy | - | APT37/ScarCruft spyware |
| AridSpy | - | Trojan-Spy.AndroidOS.AridSpy | Android/Spy.AridSpy | Arid Viper/APT-C-23 |
| GuardZoo | - | Trojan-Spy.AndroidOS.GuardZoo | - | Modified Dendroid RAT |
| LightSpy | - | Trojan-Spy.AndroidOS.LightSpy | Android/Spy.LightSpy | DragonEgg (Lookout), WyrmSpy (related) |
| EagleMsgSpy | - | - | - | Wuhan Chinasoft Token lawful intercept |
| BoneSpy | - | Trojan-Spy.AndroidOS.BoneSpy | - | DroidWatcher derivative, Sandcat |
| PlainGnome | - | Trojan-Spy.AndroidOS.PlainGnome | - | Sandcat, companion to BoneSpy |
| DCHSpy | - | Trojan-Spy.AndroidOS.DCHSpy | - | MuddyWater/MOIS surveillanceware |
| FireScam | - | Trojan-Spy.AndroidOS.FireScam | - | Fake RuStore/Telegram Premium |
| PJobRAT | - | Trojan-Spy.AndroidOS.PJobRAT | - | - |
| Rafel RAT | - | Trojan-Spy.AndroidOS.RafelRAT | - | Open-source RAT |
| BTMOB RAT | - | Trojan-Spy.AndroidOS.BTMob | - | CraxRAT/SpySolr lineage, MaaS RAT |

Common Confusion Cases

Families that are frequently confused due to overlapping names, shared code, or vendor disagreements:

| Usually Called | Also Known As | Actual Relationship |
| --- | --- | --- |
| Anatsa | TeaBot | Same family. ThreatFabric named it Anatsa, other researchers called it TeaBot. |
| Alien | Cerberus v2 | Distinct fork. Built on Cerberus code but with significant additions. Not merely a version update. |
| Ermac | Cerberus v3 | Distinct fork by DukeEugene. Shares Cerberus DNA but different operator and added features. |
| Hook | Ermac v3 | Evolution. DukeEugene marketed it as new, but ThreatFabric proved it contains all Ermac code plus new commands. |
| Octo | ExobotCompact, Coper | Same lineage. Exobot (2016) -> ExobotCompact (2021) -> Coper -> Octo (2022) -> Octo2 (2024). |
| Hydra | BianLian | Distinct families. Hydra was initially tracked alongside a dropper called BianLian (not the ransomware group). |
| Medusa | TangleBot | Same family. ThreatFabric named it Medusa, Proofpoint called it TangleBot. |
| BRATA | AmexTroll | Same lineage. BRATA rebranded/evolved, AmexTroll is a later variant. |
| Copybara | BRATA v3 | Related but distinct. Evolved from BRATA codebase, but Cleafy tracked it as separate. |
| Cabassous | FluBot | Same family. Kaspersky's detection name (Cabassous) vs common research name (FluBot). |
| Cebruser | Cerberus | Same family. Kaspersky detection name is "Cebruser" instead of "Cerberus". |
| Piom | Hydra | Same family. Kaspersky's detection name for Hydra samples. |
| Wroba | MoqHao | Same family. Kaspersky uses "Wroba," McAfee uses "MoqHao," campaign tracked as "Roaming Mantis." |
| XLoader | MoqHao | Same family. Some vendors use XLoader for MoqHao/Wroba variants. |
| Frogblight | Coper variant? | Possible relationship. Kaspersky notes possible connection to Coper/Octo lineage. |
| GoldPickaxe | GoldDigger | Related but distinct. GoldFactory group operates GoldDigger, GoldPickaxe (Android + iOS), and Gigabud. GoldPickaxe adds facial biometric theft. |
| Gigabud | GoldDigger, Gigaflower | Same GoldFactory group. Shares code (libstrategy.so) and Virbox packer with GoldDigger. Gigaflower is a pre-release successor. |
| LightSpy | DragonEgg, WyrmSpy | DragonEgg is Lookout's name for the Android variant. ThreatFabric linked it to LightSpy iOS. WyrmSpy may be a related successor. |
| BoneSpy | Gamaredon mobile | Initially attributed to Gamaredon (FSB), reattributed to Sandcat (Uzbekistan SSS). |
| BingoMod | BRATA variant? | Behavioral similarity (post-fraud device wipe) but independent codebase per Cleafy analysis. |
| NGate | NFCGate | NGate uses the NFCGate academic tool for NFC relay. NFCGate itself is a legitimate security research tool. |
| TrickMo | TrickBot mobile | Originally a companion to TrickBot desktop trojan. The 2024 resurgence operates independently with no TrickBot dependency. |
| Antidot | AppLite | AppLite is an Antidot variant (Zimperium naming) targeting corporate employees. Same family, different distribution strategy. |
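The VirusTotal interpretation rules above (discount generic verdicts, collapse Bitdefender licensees, normalize Kaspersky-style aliases such as Cebruser, Piom and Cabassous from the confusion table) can be mechanized. The following is an added example, not code from the original page or from any vendor; the vendor regexes are assumptions derived from the format strings in the tables above, and the result set is constructed, not real scan data.

```python
import re
from collections import Counter

# Engines that license Bitdefender's engine (per the tables above): counted once.
BITDEFENDER_LICENSEES = {"BitDefender", "BitDefenderFalx", "eScan", "GData", "Emsisoft", "VIPRE", "Arcabit"}
# Generic verdicts that carry no family information.
GENERIC = re.compile(r"^(Artemis!|Trojan\.Gen|Android\.Reputation|Static AI|MALICIOUS|generic\.ml|Trojan \()", re.I)
CATEGORY_TOKENS = {"banker", "agent", "spy", "bank", "generic", "malware"}  # type tokens, not families
# Vendor-specific aliases taken from the Common Confusion Cases table and the Cerberus example row.
ALIASES = {"cebruser": "cerberus", "cerber": "cerberus", "piom": "hydra", "cabassous": "flubot",
           "coper": "octo", "wroba": "moqhao", "teabot": "anatsa", "tanglebot": "medusa"}
# One assumed pattern per vendor format family; the named group captures the family token.
FORMATS = [re.compile(p, re.I) for p in (
    r"^(?:HEUR:|UDS:|PDM:)?Trojan(?:-\w+)?\.AndroidOS\.(?P<family>\w+)",        # Kaspersky
    r"^AndroidOS_(?P<family>\w+)",                                               # Trend Micro
    r"^Android:(?P<family>\w+)-",                                                # Avast/AVG
    r"^Andr/(?P<family>\w+)-",                                                   # Sophos
    r"^Android\.Trojan\.(?P<family>\w+)",                                        # Bitdefender
    r"^Android/(?:Spy\.|Trojan(?:Dropper|Downloader)\.)?(?P<family>[A-Za-z]+)",  # ESET/McAfee/Fortinet
)]

def family_from_detection(name):
    """Normalized family for one detection string; None if generic, category-only or unknown format."""
    if not name or GENERIC.match(name):
        return None
    for fmt in FORMATS:
        if (m := fmt.match(name)):
            fam = m.group("family").lower()
            return None if fam in CATEGORY_TOKENS else ALIASES.get(fam, fam)
    return None

def consensus(results):
    """Summarize {engine: detection_name}: winning family, votes, raw and independent detection counts."""
    votes, detections, independent, bd_counted = Counter(), 0, 0, False
    for engine, name in results.items():
        if not name:
            continue
        detections += 1
        if engine in BITDEFENDER_LICENSEES:
            if bd_counted:
                continue  # same engine under another label, not an independent confirmation
            bd_counted = True
        independent += 1
        fam = family_from_detection(name)
        if fam:
            votes[fam] += 1
    return {"family": votes.most_common(1)[0][0] if votes else None,
            "votes": dict(votes), "detections": detections, "independent": independent}

# Constructed VirusTotal-style result set for a hypothetical Cerberus sample (not real scan data).
SAMPLE_VT_RESULTS = {
    "Kaspersky": "HEUR:Trojan-Banker.AndroidOS.Cebruser.a", "ESET-NOD32": "Android/Spy.Cerberus.A",
    "McAfee": "Android/Cerberus.A", "Fortinet": "Android/Cerberus.A!tr",
    "TrendMicro": "AndroidOS_Cerberus.HRX", "Avast": "Android:Cerberus-A [Trj]",
    "Sophos": "Andr/Cerber-A", "BitDefender": "Android.Trojan.Banker.VT",
    "GData": "Android.Trojan.Banker.VT", "eScan": "Android.Trojan.Banker.VT",
    "Symantec": "Trojan.Gen.MBT", "SentinelOne (Static ML)": "Static AI - Malicious APK",
    "DeepInstinct": "MALICIOUS", "DrWeb": "Android.BankBot.842",
}
```

For the constructed set, `consensus(SAMPLE_VT_RESULTS)` reports 14 detections but only 12 independent engines and 7 family votes, all for Cerberus; the Bitdefender, Symantec and next-gen verdicts contribute no family, matching the interpretation rules above.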

How to Cross-Reference

Online Resources

  • Malpedia maintains a malware reference database with aliases across vendors
  • MISP Galaxy provides structured threat intelligence clusters with cross-vendor mapping
  • VirusTotal shows detection names from 60+ AV engines for any sample
  • MITRE ATT&CK Software lists known aliases for documented malware families
  • bazaar.abuse.ch malware sample database with multi-vendor tagging

By Indicator

When vendor names don't match, correlate by:

| Indicator | Method |
| --- | --- |
| C2 infrastructure | Same C2 domains/IPs across reports from different vendors |
| Code overlap | Shared class names, string constants, obfuscation patterns |
| Certificate | Same signing certificate across samples |
| Package name patterns | Similar package naming schemes (e.g., com.xyz.abc patterns) |
| Botnet panel | Same C2 panel framework (often leaked or reused) |
| String artifacts | Unique strings, error messages, or debug output |
| Network protocol | Identical C2 protocol structure, encryption methods, API endpoints |

Practical Workflow

When you encounter an unfamiliar name in a report:

  1. Search Malpedia for the name to find aliases
  2. Check the vendor's detection name format against the tables above
  3. Search VirusTotal for a known sample hash from the report, check other vendor names
  4. Look for C2 infrastructure overlap with known families
  5. Check this page's confusion cases table

Lineage and Code Reuse

Android malware families frequently share code. Understanding why helps predict capability overlap.

| Reason | Example |
| --- | --- |
| Source code leak | Cerberus leaked September 2020, spawned Alien, Ermac, Hook |
| Source code leak | Anubis leaked after developer arrest, code reused in GodFather |
| Source code leak | SpyNote v6.4 leaked, thousands of operators globally |
| MaaS rebranding | Same operator sells under new name: Ermac -> Hook (both DukeEugene) |
| Developer overlap | Same developers work on multiple projects across families |
| Direct evolution | Exobot -> ExobotCompact -> Coper -> Octo -> Octo2 |
| Regional adaptation | BRATA (Brazil) -> Copybara (Italy) |
| Feature fork | TgToxic (SE Asia) -> ToxicPanda (EU/LATAM) |

This means "family" boundaries are often blurry. Two samples with different names may share 80% of their code. The Families section documents these relationships for each family.