Banking malware in android continues to grow. A look at the recent brazilian banking Trojan Basbanke/Coybot


Jorge Martínez Taboada

Digital Marketing Manager at buguroo



06.01.2020 11:00 am

BasBanke, also known as Coybot, is an Android banking Trojan designed to steal the banking credentials of customers of Brazilian financial entities. It began its malicious activity around the time of the Brazilian elections of October 2018 and has recently reappeared.

The Trojan has targeted Brazilian banking entities since its inception, and its campaigns have been very intermittent, with new samples appearing fairly infrequently.

After several months of silence, new samples of this Trojan have recently appeared that follow the family's classic behavior. They all work the same way; what mainly changes between them is the application name and its package identifier:

Samples detected in recent days 


Although this Trojan's infection vector has not been identified with certainty, the infection vectors of previous versions suggest that it spreads through fake Facebook posts and fake WhatsApp messages.

Taking the names and logos it uses as a reference, the fake Facebook and WhatsApp posts used to spread the malware would warn users of a non-existent update for Android and/or Google Play. The following image shows the fake window that the malware displays the first time it is launched after installation.

Image displayed by the app when launched after installation 


This banking malware follows the same operating scheme as the rest of the Android banking Trojans discussed in previous posts and reports. It asks the user to grant it the accessibility permission and runs an accessibility service in the background, which is notified whenever the user performs any action on the graphical interface.

In this way, the malware receives information about the user's activity and about the applications in which that activity is taking place.

Code that checks the package identifier of the app open in the foreground

The image above shows how the Trojan checks the package identifier of the application running in the foreground. These identifiers reach it through the accessibility service that the malware runs in the background.

We can also see that the malware tries to hide the names of the targeted entities by encoding them in Base64 and decoding them only when needed. Base64 is an encoding, not encryption, so this does not make manual analysis much harder, but it can be a problem for automated analysis systems, since the string is not present in clear text in the code.
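As an added illustration of the two points above (the foreground package check and the Base64-hidden target list), the following Python is analysis tooling written for this page; it is not code from the Trojan or from buguroo. It pulls Base64 literals out of a decompiled source fragment, keeps only those that decode to something shaped like an Android package identifier, and shows why a naive clear-text search for a bank's package name finds nothing. The decompiled fragment and the package names in it are constructed for the example and are not the family's real targets.

```python
import base64
import binascii
import re

# Constructed fragment in the style of decompiled Android banker code: the
# targeted package names are stored as Base64 literals and only decoded at
# the moment of comparison. Package names here are invented for the example.
SAMPLE_DECOMPILED = '''
public class Watcher extends AccessibilityService {
    static final String[] T = new String[] {
        "YnIuY29tLmV4YW1wbGViYW5rLmFwcA==",
        "Y29tLmV4YW1wbGUubW9iaWxlYmFua2luZw==",
        "AAECAwQFBgcICQoLDA0ODw=="
    };
    public void onAccessibilityEvent(AccessibilityEvent e) {
        String pkg = e.getPackageName().toString();
        for (String s : T) {
            if (pkg.equals(new String(Base64.decode(s, 0)))) { showFakeLogin(pkg); }
        }
    }
}
'''

# A quoted run of Base64 alphabet characters, long enough to be worth decoding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
# Shape of an Android package identifier: at least two dotted lowercase segments.
PACKAGE_NAME = re.compile(r'^[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)+$')


def decode_literal(literal):
    """Return the decoded bytes of a Base64 literal, or None if it is not valid Base64."""
    try:
        return base64.b64decode(literal, validate=True)
    except binascii.Error:
        return None


def recover_targets(source):
    """Map each Base64 literal in decompiled source to the package name it hides.

    Literals that do not decode to printable ASCII in package-name form are
    ignored, so binary blobs and keys do not produce false targets.
    """
    targets = {}
    for literal in B64_LITERAL.findall(source):
        raw = decode_literal(literal)
        if raw is None:
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable() and PACKAGE_NAME.match(text):
            targets[literal] = text
    return targets


def grep_hits(source, package_name):
    """Clear-text occurrences of a package name, as a naive string scanner would count them."""
    return source.count(package_name)


if __name__ == "__main__":
    found = recover_targets(SAMPLE_DECOMPILED)
    for literal, package in found.items():
        hits = grep_hits(SAMPLE_DECOMPILED, package)
        print(f"{literal} -> {package} (clear-text hits: {hits})")
```

The third literal in the sample decodes to raw bytes rather than a package name and is dropped by the filter; in real samples such literals are typically keys or configuration blobs and are worth a separate look. Running the same decode over every string literal in a decompiled APK is a quick way to recover a banker's target list before any dynamic analysis.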

Fake activity is displayed right away when one of the affected apps is opened

Once a targeted application is detected, the Trojan displays an Android activity with a login form very similar to the original, with the aim of getting the user to enter their credentials, which are then sent to the command-and-control server.

In addition to hiding text strings with Base64 encoding, this malware also includes strings encrypted with AES, which are decrypted when the application launches for later use.

Strings encrypted with AES that are decrypted at launch

String decrypting routine

Another interesting detail of this malware is the similarity of one of its HTTP requests to those of a Windows malware family known as 'Pazera'. One of these requests sends data about the infected device, and it is notable that it is made against a PHP script called 'ponto.php', the same script that most 'Pazera' Trojans connect to in order to send exactly the same information about the operating system version and the infected system.

Request to 'ponto.php' similar to that of the 'Pazera' Trojans for Windows

This singularity could mean that the authors behind this malware are also the developers of 'Pazera', although the 'Pazera' Trojan for Windows focuses on Latin American entities while this Android banker only affects Brazilian entities.


Malware for Android is on the rise, and every day there are more families of banking Trojans threatening the customers of banking entities around the world.

The vast majority of current bankers follow the same modus operandi and use 'overlays' to display a fake window requesting the user's login credentials. This window is displayed as soon as the bank's official application is launched, so the user believes that the legitimate application is requesting the data, which is then stolen.

Given the popularity and growth of this type of Android malware, we must remain alert in order to protect the data and money of banks' end customers. Moreover, we must bear in mind that Android malware is able to intercept received text messages, so second-factor authentication mechanisms based on one-time passwords sent by SMS may not be effective at all. Other systems, such as behavioral biometrics that can detect whether a user has been impersonated or manipulated during the session, are really useful for protecting users and their information.
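As an added, defensive counterpart to the conclusion above (written for this page; it is neither buguroo's product nor code from the malware), the following Python reads an AndroidManifest.xml and flags the capability combination that the overlay bankers described here rely on: an accessibility service to learn which app is in the foreground, the permission to draw over other apps, and SMS access to capture one-time passwords. Both manifests are constructed samples with invented package and component names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}

# Constructed manifest in the shape of a fake "Android update" banker; the
# package name, labels and component names are invented for this example.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <application android:label="Android Update">
        <activity android:name=".FakeLoginActivity"/>
        <service android:name=".WatchService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Weather">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def _name(element):
    return element.get(ANDROID_NS + "name", "")


def _actions(component):
    """All intent-filter action names declared under a component."""
    return {_name(action) for action in component.iter("action")}


def triage_manifest(manifest_xml):
    """Summarise the banker-relevant capabilities declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {_name(p) for p in root.iter("uses-permission")}

    # An accessibility service is identified either by the bind permission the
    # system requires on it or by the action its intent-filter must declare.
    accessibility = any(
        service.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY
        or ACCESSIBILITY_ACTION in _actions(service)
        for service in root.iter("service")
    )
    sms_receiver = any(SMS_RECEIVED_ACTION in _actions(r) for r in root.iter("receiver"))
    sms_access = sms_receiver or bool(permissions & SMS_PERMISSIONS)

    findings = []
    if accessibility:
        findings.append("accessibility service: can read the foreground package and UI events")
    if OVERLAY_PERMISSION in permissions:
        findings.append("SYSTEM_ALERT_WINDOW: can draw a fake login window over other apps")
    if sms_access:
        findings.append("SMS access: can intercept one-time passwords delivered by SMS")

    return {
        "package": root.get("package", ""),
        "findings": findings,
        # The overlay-banker pattern: accessibility plus at least one more capability.
        "banker_pattern": accessibility and len(findings) >= 2,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "banker pattern:", report["banker_pattern"])
        for finding in report["findings"]:
            print("  -", finding)
```

The Trojan in this post shows its fake form as an ordinary activity, so it does not need SYSTEM_ALERT_WINDOW at all; that is why an accessibility service on its own is recorded as a finding and the verdict only asks for one further capability alongside it. A declared receiver does not prove that the app reads SMS bodies, and legitimate accessibility tools will also trip the first check, so treat the output as triage that decides which samples deserve a closer look, not as a verdict.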
