Banking malware in Android continues to grow. A look at the recent Brazilian banking Trojan BasBanke/Coybot

Jorge Martínez Taboada

Digital Marketing Manager at buguroo

06.01.2020 11:00 am

BasBanke, also known as Coybot, is a banking malware for Android designed to steal banking credentials from Brazilian entities. It started its malicious activity at the time of the Brazilian elections of October 2018 and has recently reappeared.

The Trojan has targeted Brazilian banking entities since its inception and its attacks have been very intermittent, with new samples appearing fairly infrequently.

After several months of silence, new samples of this Trojan appeared recently that follow the family’s classic behavior. They all function in the same way; it is mainly the name of the application and its package identifier that have changed:

Samples detected in recent days 


Although this Trojan’s infection vector has not been identified with certainty, the infection vectors of previous versions suggest that it could have spread through fake Facebook posts and fake WhatsApp messages.

Taking the names and logos that it uses as a reference, the fake Facebook and WhatsApp publications that may have been used to spread the malware would alert users of a fake update for Android and/or Google Play. In the following image we can see a false window shown by the malware in its first initialization after installation.

Image displayed by the app when launched after installation 


This banking malware follows the same operating scheme as the rest of the banking Trojans for Android, which we have already discussed in previous posts or reports. It asks the user to grant accessibility permissions and runs a service in the background to receive notifications when the user performs any action on the graphical interface.

This way, the malware receives information about the user's activity and the applications in which this activity is taking place.

Code that checks the package identifier of the app open in the foreground

In the above image you can see how the Trojan checks the package identifiers of the application that is running in the foreground. These identifiers arrive thanks to the accessibility service that the malware runs in the background.

We can also observe that this malware tries to hide the strings of the affected entities by encoding them in Base64 and decoding them when necessary. This does not make manual analysis by an analyst much harder, but it can be a problem for automatic analysis systems, since the strings do not appear in clear text in the code.
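An analyst-side check for the Base64-hidden identifiers described above, as an added example that is not code from the original post or from the sample: it scans delimiter-separated strings extracted from a binary for Base64 runs that decode to Android package identifiers. The blob below and the package name `com.example.bank.app` are constructed placeholders, and the function names are hypothetical.

```python
import base64
import binascii
import re

# A run of Base64 alphabet characters long enough to hold a package name.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{12,}={0,2}")
# Java/Android package identifier: two or more dot-separated segments.
PKG_ID = re.compile(r"[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+")


def decode_candidate(run: bytes):
    """Return decoded text if `run` is strict Base64 of printable ASCII."""
    if len(run) % 4:  # padded Base64 is always a multiple of 4 characters
        return None
    try:
        raw = base64.b64decode(run, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def find_encoded_package_ids(blob: bytes):
    """List (encoded, decoded) pairs whose decoded form is a package id."""
    hits = []
    for match in B64_RUN.finditer(blob):
        text = decode_candidate(match.group())
        if text and PKG_ID.fullmatch(text):
            hits.append((match.group().decode("ascii"), text))
    return hits


# Constructed sample standing in for a string table dumped from a sample.
SAMPLE = b"\x00".join([
    b"onAccessibilityEvent",          # plain identifier, decodes to binary
    b"getApplicationContext",         # length is not a multiple of 4
    b"aGVsbG8gd29ybGQh",              # valid Base64, but not a package id
    b"Y29tLmV4YW1wbGUuYmFuay5hcHA=",  # hidden package id (placeholder)
])

if __name__ == "__main__":
    for encoded, decoded in find_encoded_package_ids(SAMPLE):
        print(f"{encoded} -> {decoded}")
```

Decoding before matching is what lets an automated pipeline compare the hidden identifiers against a list of protected banking apps, which a plain string search over the code would miss.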

Fake activity is displayed right away when one of the affected apps is opened

Once an affected application is detected, the Trojan displays an Android activity with a login form very similar to the original, with the aim of getting the user to enter their credentials, which are then sent to the control server.

In addition to using Base64 encoding to hide text strings, this malware also includes strings encrypted with AES, which are decrypted at the launch of the application for later use.

Strings encrypted with AES that are decrypted at launch

String decrypting routine

Another interesting detail of this malware is the similarity of one of its HTTP requests to those of a malware for Windows known as 'Pazera'. One of these requests sends data on the infected device, and it is made against a PHP script called 'ponto.php', the same script that most of the 'Pazera' Trojans connect to in order to send precisely the same information related to the versions of the operating system and the infected system.

Request to 'ponto.php' similar to that of the 'Pazera' Trojans for Windows

This singularity could mean that the authors behind this malware are also the developers of 'Pazera', although the 'Pazera' Trojan for Windows focuses on Latin American entities and this banker for Android only affects Brazilian entities.


Malware for Android is on the rise and every day there are more families of banking Trojans that threaten the users of different banking entities around the world.

The vast majority of current bankers follow the same modus operandi and use 'overlays' to display a fake window requesting user login credentials. This window is displayed as soon as the official application of the banking entity is launched, making the user think that it is the legitimate application that is requesting the data, which is then stolen.

Taking the popularity and increase of this type of malware for Android into account, we must be alert in order to protect the data and money of the banks' end customers. Moreover, we must bear in mind that malware for Android is able to intercept received text messages, so second-factor authentication mechanisms based on single-use passwords sent by SMS may not be effective at all. Other systems such as Behavioral Biometrics, which are able to detect whether a user has been impersonated or manipulated throughout the session, are really useful to protect the user and their information.
