Banking malware in android continues to grow. A look at the recent brazilian banking Trojan Basbanke/Coybot

Banking malware in android continues to grow. A look at the recent brazilian banking Trojan Basbanke/Coybot

Jorge Martínez Taboada

Digital Marketing Manager at buguroo

Views 859

Banking malware in android continues to grow. A look at the recent brazilian banking Trojan Basbanke/Coybot

06.01.2020 11:00 am

BasBanke, also known as Coybot, is a banking malware for Android designed to steal banking credentials from Brazilian entities. It started its malicious activity at the time of the Brazilian elections of October 2018 and has recently reappeared.

The Trojan has targeted Brazilian banking entities since its inception and its attacks have been very intermittent, with new samples appearing fairly infrequently.

After several months of silence, new samples of this Trojan appeared recently that follow the family’s classic behavior. They all have the same functioning, and it is mainly the name of the application and its package identifier that have changed:

Samples detected in recent days 


Although this Trojan’s infection vector has not been identified for sure, if we consider previous versions' infection vectors everything seems to indicate that it could have spread through messages from fake Facebook posts and fake WhatsApp messages.

Taking the names and logos that it uses as a reference, the fake Facebook and WhatsApp publications that may have been used to spread the malware would alert users of a fake update for Android and/or Google Play. In the following image we can see a false window shown by the malware in its first initialization after installation.

Image displayed by the app when launched after installation 


This banking malware follows the same operating scheme as the rest of the banking Trojans for Android, which we have already discussed in previous posts or reports. It asks the user to provide login permissions and runs a service in the background to receive notifications when the user performs any action on the graphical interface.

This way, the malware receives information about the user's activity and the applications in which this activity is taking place.

Code that checks the package identifier of the app open in the foreground

In the above image you can see how the Trojan checks the package identifiers of the application that is running in the foreground. These identifiers arrive thanks to the accessibility service that the malware runs in the background.

We can also observe that this malware tries to hide the strings of the affected entities by encrypting them in Base64 and decrypting them when necessary. This detail does not make analysis by an analyst too difficult, but it can be a problem in the case of automatic analysis systems, since the string is not in a clear text format in the code.

Fake activity is displayed right away when one of the affected apps is opened

Once an affected application is detected, the Trojan displays an Android activity with a login form very similar to the original, with the aim of getting the user to enter their credentials, which are then sent to the control server.

In addition to using Base64 encryption to hide text strings, this malware also includes strings encrypted with AES, which are decrypted at the launch of the application for later use.

Strings encrypted with AES that are decrypted at launch

String decrypting routine

Another interesting detail of this malware is the similarity in one of its HTTP requests with a malware for Windows known as 'Pazera'. One of these requests sends data on the infected device, and it is interesting that this request is made against a PHP script called 'ponto.php', which is the same script that most of the 'Pazera' Trojans connect to in order to send precisely the same information related to the versions of the operating system and the infected system.

Request to 'ponto.php' similar to that of the 'Pazera' Trojans for Windows

This singularity could mean that the authors who are behind this malware could also be the developers of 'Pazera', although the 'Pazera' Trojan for Windows focuses on Latin American entities and this banker for Android only affects Brazilian entities.


Malware for Android is on the rise and every day there are more families of banking Trojans that threaten the users of different banking entities around the world.

The vast majority of current bankers follows the same modus operandi and uses 'overlays' to display a fake window requesting user login credentials. This window is displayed as soon as the official application of the banking entity is launched, making the user think that it is the legitimate application that is requesting the data, which is then stolen.

Taking the popularity and increase of this type of malware for Android into account, we must be alert in order to protect the data and money of the banks' end customers. Moreover, we must bear in mind that malware for Android is able to intercept received text messages, so the second-factor authentication mechanisms based on single-use passwords sent by SMS may not be effective at all. The implementation of other systems such as Behavioral Biometrics that are able to detect whether a user has been impersonated or manipulated throughout the session are really useful to protect the user and their information.

Latest blogs

John Burgos Mindgate Solutions

Overcoming anxiety around mobile payments & digital payments - In the South Asia Pacific

Innovation and technology usually go hand in hand.  Therefore, for innovation to be fully realized, the technology that enables the innovation must be adopted as well.  During the last 5 years, we have had innovations from Google, Apple, Read more »

Stuart Robertson iDelta

Finance Sector PLCs Hold the Key to Economic Recovery

We have started to see the devastating impact the Coronavirus will have on our economy.  The travel, leisure and hospitality industry redundancies are rapidly mounting up with restaurant and bar owners facing no option but to shut up Read more »

Hirander Misra GMEX Group

Are UK Banks profiting from the current coronavirus crisis and failing SMEs?

A UK business could be eligible for a Coronavirus Business Interruption Loan Scheme (CBILS), as set out by the UK Government. However, it appears that despite the Government’s best intentions, this scheme is not working in practice and some urgent Read more »

Otabek Nuritdinov Safenetpay

A strong fintech needs more than just access to funding

  Investors, both private and institutional, are excited about investing in fintechs that are in the payments services business. What are the issues that really should matter to you, as a client? In 2019, institutional investors Read more »

Martijn Bos Holland FinTech

Get your head up in the clouds, it’s good for business

How Digital Transformation is reshaping competition in financial services The message is clear and it’s coming at us from all sides: digitalize now. No business unit seems to be immune to the onslaught of cloud-based, AI-driven, real-time, Read more »

Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel