BankBot is back looking to steal your banking details

A major new mobile banking Trojan has been detected hiding in some Google Play apps, aiming to steal users’ banking details.

Security pros from Avast are saying they’ve found a new version of BankBot, a malicious mobile Trojan. The bot was hiding in ‘trustworthy flashlight apps’, tricking users into downloading them.

Besides flashlight apps, the Trojan was also spotted in solitaire games and a cleaner app. These apps have also been spreading other kinds of malware, including Mazar and Red Alert.

The goal of these Trojans was to ‘spy on users, collect their bank login details and steal their money’.

Even though Google swiftly removed older versions of apps that carried BankBot from the Play Store, Avast says ‘several versions’ remained active until November 17th.

‘This was long enough for the apps to infect thousands of users’, it claims.

The bot’s activities include installing a fake UI that’s laid over the clean banking app.

Nikolaos Chrysaidos, head of mobile threat intelligence & security at Avast, said the bot ‘slipped into Google Play’ in October and November.

“The cyber criminals have been targeting customers of big banks like Wells Fargo, Chase and about 160 other banking apps in the U.S., Latin America, Europe and the Asia Pacific region. Google is often fast at removing malicious programs from Google Play, however the problem is that the apps infected with the BankBot Trojan have been able to bypass Google’s security checks in the first place,” he said.

“It is essential that users install a security app on their phone to protect them from BankBot and other banking Trojans. They should also be vigilant when using their banking app and look for unfamiliar modifications to the app’s interface. Adding an extra layer of security with two-factor authentication at login is also advised, and users should only rely on trusted app stores when downloading apps. Even though the malware slipped into Google Play, its second component, the malware payload, was downloaded from an external source.”