Marcher Gets Close to Users by Targeting Mobile Banking, Android Apps, Social Media, and Email

Marcher targets focused on European, Australian, and Latin American banks, along with PayPal, eBay, Facebook, WhatsApp, Viber, Gmail, and Yahoo—all in the month of March.
April 07, 2017

Introduction

Marcher is an Android banking Trojan, first detected in 2013, that continually evolves to stay active. The longevity and evolution of this malware are not surprising, given that mobile banking malware is the quickest and easiest way to take money from victims. In fact, the mobile banking malware market is so hot that it grew 400% in 2016, with 81% of that malware targeting Android phones.1 That growth is somewhat expected since Android, with over 24,000 implementations, is the most popular smartphone operating system.2 That is a huge number of devices to test and secure, made more difficult by the fact that most Android phones are behind on critical patches and are therefore more vulnerable to attack.3 As with any malware campaign, attackers must continually evolve to keep their C&C servers from being detected and keep the cash flowing.

Marcher decides what to go after on each infected device using a dedicated, hard-coded configuration in each Android Package Kit (APK), Google’s file format for distributing and installing application software (such as mobile banking apps) on the Android OS. Because the configuration is baked into the package, each APK can target a different set of financial institutions in specific geographical locations.

F5 research conducted in March 2017 followed 153 Marcher configuration files to uncover target and activity trends in the worldwide attack campaigns. Among the 153 configuration files, 54 distinct command and control (C&C) servers were detected. Of the 54 distinct C&C servers, 12 were online and operational (until F5 had them shut down in March), 10 were sinkholed, and 32 were already offline. The remaining 99 configuration files were duplicates carried by different APKs. This is likely because the configuration is hardcoded within the APK and old spam campaigns keep infecting new users, so old configurations are still being detected in the wild.

Figure 1: Marcher configuration status (left) and status of distinct C&C servers (right) as of March 2017

Global View of March Targets

Analyzing the newest configuration files, Marcher’s March targets primarily focused on banks in Europe, followed by Australia, and then Latin America. Only 2% of targets were in North America. The targets within these regions were all banks, as well as their Android mobile banking apps available for download in the Google Play Store. Australia had one exception where an online classified ad site called Gumtree was targeted. The 7% “Global” are application and platform targets that are used worldwide such as the Android platform, social network companies like Facebook, email providers like Yahoo and Gmail, the WhatsApp and Viber messaging apps, PayPal, and eBay. (See target domain details driving these geographical breakdowns in the Marcher Targets section and Appendix A.)

Figure 2: Marcher targets by regions in March 2017

The following map shows the specific countries within the regions above that were targeted. The banks within those countries are detailed in Appendix A.

Figure 3: Marcher-targeted countries, March 2017

Campaigns and Targets

The common pattern across the latest configurations was a distinct, repeated subfolder in the C&C URL, such as 012, THREEHADFOUND, or jadafire. We classified the campaigns that were online by these subfolder identifiers as follows:

  • 012 campaigns span several geolocations in one campaign, targeting Germany, Poland, Austria, and Australia
  • jadafire campaigns target Austrian and German banks, as well as social network apps globally
  • MANUNIT campaigns target German banks specifically
  • balls51 campaigns target banks in Austria, Germany, Argentina, the UK, Colombia, Peru, and Mexico
  • THREEHADFOUND campaigns target German banks specifically
  • MUCHTHENWERESTO campaigns target German and Czech Republic banks
  • moon campaigns target Australian banks specifically
  • TRUELESSCARBLAC campaigns target German and Austrian banks
  • angelkelly campaigns target banks in the UK, Germany, and France
  • QUESTIONROADFAR campaigns target French banks as well as social network apps globally
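The reduction described in the Introduction (153 configuration files collapsing to 54 distinct C&C servers) and the grouping of C&C URLs into campaigns by their repeated path segment can both be done mechanically once the configuration records have been extracted from the APKs. The script below is an added example, not F5's tooling or part of the report: it takes a small set of constructed configuration records (placeholder hashes, hosts and target names; only the campaign identifiers and the defanged hxxp/hxxps URL shape follow the report), deduplicates the C&C servers, computes the status and HTTPS split, and groups servers and targets per campaign.

```python
"""Triage of Marcher-style configuration records (added example, not F5 code).

Each APK carries a hard-coded configuration naming its C&C server and the
targets it overlays, so a batch of extracted configs can be reduced to the
distinct C&C servers and grouped into campaigns by the repeated path segment
(012, jadafire, balls51, ...).
"""
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample records: (sample label, defanged C&C URL, status at check
# time, target list). Labels, hosts and targets are placeholders, not IoCs
# from the report.
SAMPLE_CONFIGS = [
    ("sample-01", "hxxp://cnc-a.example/012/", "sinkholed", ["bank-de.example", "bank-at.example"]),
    # same config carried by a second APK: counts as a duplicate, not a new server
    ("sample-02", "hxxp://cnc-a.example/012/", "sinkholed", ["bank-de.example", "bank-at.example"]),
    ("sample-03", "hxxps://cnc-b.example/balls51/", "online", ["bank-uk.example", "bank-mx.example"]),
    ("sample-04", "hxxps://cnc-c.example/balls51/", "offline", ["bank-uk.example"]),
    ("sample-05", "hxxps://cnc-d.example/jadafire/", "offline", ["social.example", "bank-at.example"]),
    ("sample-06", "hxxp://cnc-e.example/mail/", "offline", ["mail.example"]),
]


def defang_to_url(defanged):
    """Turn the report's hxxp/hxxps notation into a parseable URL (for analysis only)."""
    if defanged.startswith("hxxps://"):
        return "https://" + defanged[len("hxxps://"):]
    if defanged.startswith("hxxp://"):
        return "http://" + defanged[len("hxxp://"):]
    return defanged


def cnc_key(defanged):
    """Normalise a C&C URL so trivial variants (trailing slash, case) collapse."""
    u = urlparse(defang_to_url(defanged))
    return (u.scheme, u.netloc.lower(), u.path.rstrip("/").lower())


def campaign_of(defanged):
    """The campaign identifier is the first non-empty path segment of the C&C URL."""
    path = urlparse(defang_to_url(defanged)).path
    segments = [s for s in path.split("/") if s]
    return segments[0] if segments else "(none)"


def distinct_cnc(configs):
    """Map each distinct C&C server to the status first recorded for it."""
    seen = {}
    for _, url, status, _ in configs:
        seen.setdefault(cnc_key(url), status)
    return seen


def triage(configs):
    """Summarise a batch of configs: dedupe servers, split by status/scheme, group by campaign."""
    distinct = distinct_cnc(configs)
    status_counts = Counter(distinct.values())
    https_share = (sum(1 for k in distinct if k[0] == "https") / len(distinct)) if distinct else 0.0
    campaigns = defaultdict(lambda: {"servers": set(), "targets": set()})
    for _, url, _, targets in configs:
        entry = campaigns[campaign_of(url)]
        entry["servers"].add(cnc_key(url)[1])
        entry["targets"].update(targets)
    return {
        "configs": len(configs),
        "distinct_cnc": len(distinct),
        "duplicates": len(configs) - len(distinct),
        "status": dict(status_counts),
        "https_share": round(https_share, 2),
        "campaigns": {
            name: {"servers": sorted(v["servers"]), "targets": sorted(v["targets"])}
            for name, v in campaigns.items()
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_CONFIGS), indent=2))
```

The same pass yields the HTTPS share reported for Table 1 in the next section; on real data the status field would come from a connectivity check rather than being embedded in the record.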

C&C Servers Detected

In the following table, we’ve listed the 54 distinct C&C servers detected, 63% of which were using HTTPS. While monitoring Marcher activity in March, F5 researchers shut down 12 malicious C&C servers that were detected.

No. | C&C Server | Status
1 | hxxp://stionguz.com/012/ | Sinkholed
2 | hxxp://asdhjfd24.ru/mail/ | Offline
3 | hxxp://propsyours.com/012 | Sinkholed
4 | hxxp://ausrusot.net/012 | Sinkholed
5 | hxxp://albumwink.net/012/ | Sinkholed
6 | hxxp://toddypross.net/012 | Sinkholed
7 | hxxp://aflyatok.men/012 | Offline – shut down in March 2017 by F5 researchers
8 | hxxp://samiy.site/012/ | Offline – shut down in March 2017 by F5 researchers
9 | hxxp://chaldear.com/012/ | Sinkholed
10 | hxxp://glennuniat.com/012/ | Sinkholed
11 | hxxp://joguce.info/012/ | Offline – shut down in March 2017 by F5 researchers
12 | hxxp://ciorrigh.info/012/ | Offline – shut down in March 2017 by F5 researchers
13 | hxxp://policywings.bid/012/ | Offline – shut down in March 2017 by F5 researchers
14 | hxxp://wigthsingls.bid/012/ | Offline
15 | hxxp://limesysleys.bid/012/ | Offline – shut down in March 2017 by F5 researchers
16 | hxxp://namessheds.bid/012/ | Offline – shut down in March 2017 by F5 researchers
17 | hxxp://bastebirk.com/012/ | Sinkholed
18 | hxxp://shapewhisk.com/012/ | Sinkholed
19 | hxxp://ahongdeash.net/012/ | Sinkholed
20 | hxxp://nsdas213123aa.ru/at/ | Redirecting to RevDl.com
21 | hxxps://soldatenccarmytriptheleader.at/jadafire/ | Offline
22 | hxxps://fisttheexo.at/jadafire/ | Offline
23 | hxxps://soldatenccarmythegaynation.at/jadafire/ | Offline
24 | hxxps://soldatenccarmy.at/jadafire/ | Offline
25 | hxxps://exofisty.at/jadafire/ | Offline
26 | hxxps://soldatenccarmygoldenshower.at/jadafire/ | Offline
27 | hxxps://consulting-center-performace.com/MANYUNIT/ | Offline
28 | hxxps://grapfix-desgin-ltd24.at/MANYUNIT/ | Offline
29 | hxxps://service-consultiong-ltd-spain.net/MANYUNIT/ | Offline
30 | hxxps://soulreaver.at/balls51/ | Offline – shut down in March 2017 by F5 researchers
31 | hxxps://divingforpearls.at/balls51/ | Offline
32 | hxxps://olimpogods.at/balls51/ | Offline
33 | hxxps://176.119.28.74/balls51/ | Offline – shut down in March 2017 by F5 researchers
34 | hxxps://nvah2p123.org/THREEHADFOUND/ | Offline
35 | hxxps://nvoa324.net/THREEHADFOUND/ | Offline
36 | hxxps://brkleo34.org/THREEHADFOUND/ | Offline
37 | hxxps://app01.at/MUCHTHENWERESTO/ | Offline
38 | hxxps://app12.at/MUCHTHENWERESTO/ | Offline
39 | hxxps://ap11.at/MUCHTHENWERESTO/ | Offline
40 | hxxps://droidgrades.top/moon/ | Offline – 404
41 | hxxps://droidgrades.us/moon/ | Offline – 404
42 | hxxps://droidsg.pw/moon/ | Offline – 404
43 | hxxps://wasdashehe.net/TRUELESSCARBLAC/ | Offline – shut down in March 2017 by F5 researchers
44 | hxxps://wasdashehe.at/TRUELESSCARBLAC/ | Offline – shut down in March 2017 by F5 researchers
45 | hxxps://wasdashehe.com/TRUELESSCARBLAC/ | Offline – shut down in March 2017 by F5 researchers
46 | hxxp://45.32.240.33/1f/l/ | Offline
47 | hxxps://track-google.at/angelkelly/ | Offline – 404
48 | hxxps://trackgoogle.at/angelkelly/ | Offline – 404
49 | hxxps://secure-ingdirect.top/QUESTIONROADFAR/ | Offline
50 | hxxps://playsstore.net/QUESTIONROADFAR/ | Offline
51 | hxxps://playsstore.mobi/QUESTIONROADFAR/ | Offline
52 | hxxps://i-app4.online/MUCHTHENWERESTO/ | Offline
53 | hxxps://i-app5.online/MUCHTHENWERESTO/ | Offline
54 | hxxps://i-app1.online/MUCHTHENWERESTO/ | Offline
Table 1: C&C servers and their statuses, March 2017

The 12 C&C servers that F5 shut down in March were associated with three campaigns—012, balls51, and TRUELESSCARBLAC—that primarily targeted banks in Europe. 012 was the most active campaign, targeting German, Polish, Austrian, and Australian banks, followed by TRUELESSCARBLAC, which also targeted German and Polish banks. The balls51 campaign targeted Austrian, German, and UK banks, as well as Latin American banks in Mexico, Argentina, Colombia, and Peru.
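Table 1 is usable as-is for a retrospective hunt: a defender can check outbound web-proxy logs for connections to the listed hosts, and, more loosely, for the campaign path segments on hosts not yet listed. The script below is an added example and not part of the report or of F5's SOC tooling. It refangs a subset of Table 1 into host and campaign-path indicators and scans constructed Squid-style access log lines (client addresses and non-C&C URLs are made up for the example).

```python
"""Retrospective hunt for Marcher C&C traffic in proxy logs (added example, not F5 code)."""
import re
from urllib.parse import urlparse

# A subset of Table 1 exactly as the report lists it (defanged).
TABLE1_SUBSET = [
    "hxxp://stionguz.com/012/",
    "hxxps://soulreaver.at/balls51/",
    "hxxps://176.119.28.74/balls51/",
    "hxxps://wasdashehe.net/TRUELESSCARBLAC/",
    "hxxps://droidgrades.top/moon/",
]


def refang(url):
    """hxxp(s):// -> http(s):// so the standard URL parser can split host and path."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url)


def build_indicators(defanged_urls):
    """Return (known C&C hostnames, known campaign path segments), lower-cased."""
    hosts, campaigns = set(), set()
    for d in defanged_urls:
        u = urlparse(refang(d))
        hosts.add(u.hostname.lower())
        segments = [s for s in u.path.split("/") if s]
        if segments:
            campaigns.add(segments[0].lower())
    return hosts, campaigns


# Constructed access-log lines: timestamp client method url status
SAMPLE_LOG = """\
1490000001.101 10.0.0.5 GET http://stionguz.com/012/gate.php 200
1490000002.202 10.0.0.5 GET https://www.example-bank.test/login 200
1490000003.303 10.0.0.9 POST https://soulreaver.at/balls51/ 200
1490000004.404 10.0.0.9 GET https://cdn.example.test/img/logo.png 304
1490000005.505 10.0.0.7 POST https://unknown-host.test/TRUELESSCARBLAC/ 200
1490000006.606 10.0.0.7 GET https://176.119.28.74/balls51/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def scan_log(log_text, hosts, campaigns):
    """One finding per matching line; the reason records which indicator fired."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the hunt
        u = urlparse(m["url"])
        host = (u.hostname or "").lower()
        segments = [s for s in u.path.split("/") if s]
        first = segments[0].lower() if segments else ""
        if host in hosts:
            reason = f"known C&C host {host}"
        elif first in campaigns:
            # weaker signal: same campaign folder on a host not in the list yet
            reason = f"campaign path /{first}/ on unlisted host {host}"
        else:
            continue
        findings.append({"ts": m["ts"], "client": m["client"], "url": m["url"], "reason": reason})
    return findings


def clients_to_triage(findings):
    """Distinct client addresses with at least one hit, for follow-up on the device."""
    return sorted({f["client"] for f in findings})


if __name__ == "__main__":
    known_hosts, known_campaigns = build_indicators(TABLE1_SUBSET)
    for f in scan_log(SAMPLE_LOG, known_hosts, known_campaigns):
        print(f"{f['ts']} {f['client']} {f['url']}  <- {f['reason']}")
    print("clients to triage:", clients_to_triage(scan_log(SAMPLE_LOG, known_hosts, known_campaigns)))
```

The path-segment match is deliberately reported separately from the host match: a short folder name such as 012 will occur on legitimate sites, so those hits are leads for analyst review, not verdicts, whereas a hit on a listed host is a device that should be pulled for inspection.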

Figure 4: 12 Marcher campaigns running on 12 active C&C servers taken down in March 2017

Marcher Targets

We detected 172 targeted domains in March 2017. As expected, the majority (93%) were banks. A smaller but interesting portion of the targets were email providers like Yahoo and Gmail, social network and messaging apps like Facebook, Viber, and WhatsApp, and Gumtree, an Australian online classified ad app.

Figure 5: Marcher targets by industry

Most of Marcher’s domain targets are Google Play Store links where customers download the Android mobile app. In turn, most of the Google Play downloads are banking apps, but Marcher is also targeting Facebook, Viber, WhatsApp, Gmail, HTC, and Yahoo Android apps. (Yahoo, with 81 webinjects, is the biggest target outside of banks. See webinject target explanations below.) In most cases, Marcher targets a bank’s main site, mobile site, and Google Play Store Android app download collectively. (See details in Appendix A.)

Figure 6: Marcher domain targets by Google Play Store versus bank site directly

The top 5 countries whose banks were targeted were Germany, Australia, France, Turkey, and Austria. The “Global” category covers PayPal and eBay, as opposed to the majority of Marcher’s targets, which are specific banks in specific countries.

Figure 7: Targeted banks by country

Several banking groups were targeted across multiple countries, including the ING Group in Austria, Australia, France, and Germany; the Santander Group across Europe and Latin America; and the Sparkasse Group throughout Germany and Austria.

Target Domain | Domain Owner | Target Country
ingdirect.com.au | ING Direct | Australia
au.com.ingdirect.android | ING Direct (Android App via Google Play) | Australia
com.IngDirectAndroid | ING Direct France (Android App via Google Play) | France
banking.ing-diba.de | ING-DiBa | Germany
banking.ing-diba.at | ING-DiBa | Austria
com.ing.diba.mbbr2 | ING-DiBa (Android App via Google Play) | Germany
de.ing_diba.kontostand | ING-DiBa Kontostand (Android App via Google Play) | Germany
securebank.santander.de | Santander | Germany
mx.bancosantander.supermovil | Santander | Mexico
uk.co.santander.santanderUK | Santander | UK
mobile.santander.de | Santander (Android App via Google Play) | Germany
com.santander.app | Santander (Android App via Google Play) | Spain
cl.santander.smartphone | Santander Chile (Android App via Google Play) | Chile
ar.com.santander.rio.mbanking | Santander Rio | Argentina
netbanking.sparkasse.at | Sparkasse | Austria
m.netbanking.sparkasse.at | Sparkasse | Austria
com.starfinanz.smob.android.sbanking | Sparkasse (Android App via Google Play) | Germany
com.starfinanz.smob.android.sfinanzstatus | Sparkasse (Android App via Google Play) | Germany
banking.berliner-sparkasse.de | Sparkasse Berliner | Germany
bankingportal.sparkasse-bielefeld.de | Sparkasse Bielefeld | Germany
bankingportal.sparkasse-bochum.de | Sparkasse Bochum | Germany
bankingportal.sparkasse-dortmund.de | Sparkasse Dortmund | Germany
bankingportal.sparkasse-duisburg.de | Sparkasse Duisburg | Germany
bankingportal.frankfurter-sparkasse.de | Sparkasse Frankfurter | Germany
banking.sparkasse-hannover.de | Sparkasse Hannover | Germany
bankingportal.sparkasse-koelnbonn.de | Sparkasse Koelnbonn | Germany
banking.sparkasse-leipzig.de | Sparkasse Leipzig | Germany
banking.sparkasse-leipzig.de | Sparkasse Leipzig | Germany
banking.sparkasse-muensterland-ost.de | Sparkasse Muensterland | Germany
portal.sparkasse-nuernberg.de | Sparkasse Nuernberg | Germany

Table 2: Banking groups targeted across multiple countries

What’s also notable in terms of targets is how many webinjects the Marcher authors created for a particular banking institution; the count is a direct indicator of the priority the authors placed on certain banks. Table 3 lists the top 25 targeted URLs. These are all banks that were targeted directly (rather than through their respective Android banking apps available for download in the Google Play Store).

Target Domain | Domain Owner | Target Country | Target Industry | Webinjects Detected
finanzportal.fiducia.de | Fiducia & GAD IT | Germany | Banking | 553
bankwest.com.au | Bankwest | Australia | Banking | 348
stgeorge.com.au | St. George | Australia | Banking | 327
ibs.bankwest.com.au | Bank West | Australia | Banking | 316
isube.garanti.com.tr | Garanti Bank | Turkey | Banking | 316
sube.halkbank.com.tr | Halkbank | Turkey | Banking | 316
www.isbank.com.tr | Isbank | Turkey | Banking | 316
banksa.com.au | Bank of South Australia | Australia | Banking | 269
westpac.com.au | Westpac | Australia | Banking | 248
ibanking.stgeorge.com.au | St. George | Australia | Banking | 237
banking.westpac.com.au | Westpac | Australia | Banking | 237
bireysel.ziraatbank.com.tr | Ziraat Bank | Turkey | Banking | 237
commbank.com.au | Commonwealth Bank | Australia | Banking | 171
fr.banquepopulaire.cyberplus | Cyberplus | France | Banking | 165
ibanking.banksa.com.au | BankSA | Australia | Banking | 158
mobile.bankaustria.at | Bank Austria | Austria | Banking | 158
banking.raiffeisen.at | Raiffeisen ELBA | Austria | Banking | 158
netbanking.sparkasse.at | Sparkasse | Austria | Banking | 158
internetsubesi.akbank.com | Ak Bank | Turkey | Banking | 158
www.isbank.com.tr/TicariInternet | Isbank | Turkey | Banking | 158
subesizbankacilik.vakifbank.com.tr | Vakif Bank | Turkey | Banking | 158
yapikredi.com.tr | Yapi Kredi | Turkey | Banking | 158
kurumsal.ziraatbank.com.tr | Ziraat Bank | Turkey | Banking | 158
ostsaechsische-sparkasse-dresden.de | Ostsaechsische Sparkasse Group | Germany | Banking | 147
de.commerzbanking.mobil | Commerz Banking (Android App via Google Play) | Germany | Banking | 147

Table 3: Top targeted banks by webinject quantity

Conclusion

Attackers know that tricking (socially engineering) general Internet users into downloading a fake (malicious) app or giving up their credentials is much easier than attacking a bank’s network directly, so it’s no surprise that they set their sights directly on users through the services and apps those users rely on most, like email, social media, messaging services, eBay, and others. CISOs and users alike are advised to be aware of the serious threat posed by Android malware campaigns. These campaigns continue to evolve, getting better at tricking targeted users and evading detection. As the mobile app and device footprint grows worldwide, the threat grows with it, and financial institutions are left dealing with users who point their finger at the bank when they are defrauded.

In the U.S., there have been several such finger-pointing cases over who is responsible for fraud based on stolen credentials. Even though banks have come out ahead in liability legal battles (after all, the customer got hacked, not the bank), these cases have generated a raft of negative publicity for banks.4

The blamestorming got so bad in the U.S. that financial regulators stepped in and put stronger requirements on banks to combat stolen credentials.5 Now that we’re seeing a replay of these same attacks on mobile devices, the whole cycle of anger and blame could repeat itself if we’re not careful.

From a corporate point of view, mobile devices should be either managed or treated as untrusted. Banking attacks are easy money for cyber-criminals, but the ongoing evolution of the malware into additional applications demonstrates that nothing is safe. Because this is a challenging problem for most financial institutions, many are choosing to leverage security vendors that specialize in web and fraud protection for financial institutions, acting on their behalf to identify banking Trojans that target them and get them shut down.

About the F5 Security Operations Center

The F5 Security Operations Center (SOC) protects customers from malware, phishing, and web fraud with proactive, 24x7 real-time global threat monitoring. The efforts to identify and take down the 12 active Marcher C&C servers in March were completed by the F5 SOC.


Appendix A: Target Domain Details

No. | Target Domain | Domain Owner | Target Country | Target Industry | Webinjects Detected
1 | org.microemu.android.model.common.VTUserApplicationLINKMB | Banco Link Celular (Android App via Google Play) | Argentina | Banking | 17
2 | org.banelco | Banelco Mobile (Android App via Google Play) | Argentina | Banking | 17
3 | com.bbva.nxt_argentina | BBVA Francés | Argentina | Banking | 17
4 | com.mosync.app_Banco_Galicia | Galicia Bank (Android App via Google Play) | Argentina | Banking | 17
5 | ar.com.santander.rio.mbanking | Santander Rio | Argentina | Banking | 17
6 | anz.com | ANZ | Australia | Banking | 43
7 | com.anz.android | ANZ goMoney (Android App via Google Play) | Australia | Banking | 94
8 | banksa.com.au | Bank of South Australia | Australia | Banking | 269
9 | ibs.bankwest.com.au | Bank West | Australia | Banking | 316
10 | au.com.bankwest.mobile | Bank West (Android App via Google Play) | Australia | Banking | 140
11 | ibanking.banksa.com.au | BankSA | Australia | Banking | 158
12 | org.banksa.bank | BankSA | Australia | Banking | 144
13 | bbomobile.banksa.com.au | BankSA | Australia | Banking | 79
14 | bankwest.com.au | Bankwest | Australia | Banking | 348
15 | com.commbank.netbank | CommBank (Android App via Google Play) | Australia | Banking | 79
16 | commbank.com.au | Commonwealth Bank | Australia | Banking | 171
17 | com.commbank.netbank | Commonwealth Bank | Australia | Banking | 142
18 | com.ebay.gumtree.au | Gumtree (Android App via Google Play) | Australia | Online Classifieds | 36
19 | ingdirect.com.au | ING Direct | Australia | Banking | 90
20 | au.com.ingdirect.android | ING Direct (Android App via Google Play) | Australia | Banking | 98
21 | nab.com.au | NAB | Australia | Banking | 90
22 | ib.nab.com.au | NAB | Australia | Banking | 79
23 | au.com.nab.mobile | NAB (Android App via Google Play) | Australia | Banking | 98
24 | my.commbank.com.au | NetBank | Australia | Banking | 79
25 | stgeorge.com.au | St. George | Australia | Banking | 327
26 | ibanking.stgeorge.com.au | St. George | Australia | Banking | 237
27 | org.stgeorge.bank | St. George | Australia | Banking | 142
28 | bbomobile.stgeorge.com.au | St. George | Australia | Banking | 79
29 | westpac.com.au | Westpac | Australia | Banking | 248
30 | banking.westpac.com.au | Westpac | Australia | Banking | 237
31 | org.westpac.bank | Westpac | Australia | Banking | 142
32 | mobile.bankaustria.at | Bank Austria | Austria | Banking | 158
33 | online.bankaustria.at | Bank Austria | Austria | Banking | 79
34 | com.bankaustria.android.olb | Bank Austria (Android App via Google Play) | Austria | Banking | 133
35 | at.bawag.mbanking | BAWAG P.S.K. | Austria | Banking | 133
36 | ebanking.bawagpsk.com | BAWAG P.S.K. | Austria | Banking | 79
37 | ebanking.easybank.at | Easybank | Austria | Banking | 79
38 | at.easybank.mbanking | Easybank (Android App via Google Play) | Austria | Banking | 133
39 | at.spardat.netbanking | ErsteBank (Sparkasse) (Android App via Google Play) | Austria | Banking | 133
40 | banking.ing-diba.at | ING-DiBa | Austria | Banking | 79
41 | com.isis_papyrus.raiffeisen_pay_eyewdg | Raiffeisen | Austria | Banking | 103
42 | banking.raiffeisen.at | Raiffeisen ELBA | Austria | Banking | 158
43 | netbanking.sparkasse.at | Sparkasse | Austria | Banking | 158
44 | m.netbanking.sparkasse.at | Sparkasse | Austria | Banking | 79
45 | at.volksbank.volksbankmobile | Volksbank (Android App via Google Play) | Austria | Banking | 133
46 | br.com.bb.android | Banco do Brazil (Android App via Google Play) | Brazil | Banking | 17
47 | cl.santander.smartphone | Santander Chile (Android App via Google Play) | Chile | Banking | 17
48 | com.grupoavalav1.bancamovil | AV Villas (Android App via Google Play) | Colombia | Banking | 17
49 | com.bancodebogota.bancamovil | Banco de Bogota (Android App via Google Play) | Colombia | Banking | 17
50 | com.todo1.mobile | Bancolombia (Android App via Google Play) | Colombia | Banking | 17
51 | com.bancomer.mbanking | Bancomer (Android App via Google Play) | Colombia | Banking | 17
52 | se.accumulate.me.core.androidclient.csb | Bancoomeva (Android App via Google Play) | Colombia | Banking | 17
53 | co.com.bbva.mb | BBVA Colombia (Android App via Google Play) | Colombia | Banking | 17
54 | com.todo1.davivienda.mobileapp | Davivienda (Android App via Google Play) | Colombia | Banking | 17
55 | cz.csob.smartbanking | Smart Banking App by CSOB | Czech Republic | Banking | 2
56 | com.caisseepargne.android.mobilebanking | Banque (Android App via Google Play) | France | Banking | 128
57 | net.bnpparibas.mescomptes | BNP Paribas | France | Banking | 86
58 | com.boursorama.android.clients | Boursorama Bank (Android App via Google Play) | France | Banking | 83
59 | com.cacf.MonCACF | Centre France (Android App via APK Files.org) | France | Banking | 79
60 | com.cic_prod.bad | CIC (Android App via Google Play) | France | Banking | 86
61 | com.ocito.cdn.activity.creditdunord | Crédit du Nord (Android App via Google Play) | France | Banking | 83
62 | com.cm_prod.bad | Crédit Mutuel (Android App via Google Play) | France | Banking | 83
63 | com.arkea.android.application.cmso2 | Crédit Mutuel Arkéa (Android App via ApkMonk) | France | Banking | 79
64 | com.arkea.android.application.cmb | Crédit Mutuel de Bretagne (Android App via Google Play) | France | Banking | 79
65 | fr.banquepopulaire.cyberplus | Cyberplus | France | Banking | 165
66 | fr.banquepopulaire.cyberplus.pro | Cyberplus | France | Banking | 79
67 | fr.lemonway.groupama | Gbanque (Android App via ApkMonk) | France | Banking | 79
68 | com.groupama.toujoursla | Groupama toujours là (Android App via Google Play) | France | Banking | 83
69 | com.IngDirectAndroid | ING Direct France (Android App via Google Play) | France | Banking | 84
70 | com.fullsix.android.labanquepostale.accountaccess | La Banque Postale (Android App via Google Play) | France | Banking | 86
71 | mobi.societegenerale.mobile.lappli | L'Appli Société Générale (Android App via Google Play) | France | Banking | 86
72 | fr.creditagricole.androidapp | Ma Banque (Android App via Google Play) | France | Banking | 90
73 | com.macif.mobile.application.android | MACIF Assurance (Android App via Google Play) | France | Banking | 83
74 | com.lbp.peps | Mes Paiements (Android App via Google Play & ApkMonk) | France | Banking | 79
75 | fr.axa.monaxa | Mon AXA (Android App via Google Play) | France | Banking | 83
76 | fr.lcl.android.customerarea | Pro & Entreprises LCL (Android App via Google Play) | France | Banking | 86
77 | de.comdirect.android | Comdirect (Android App via Google Play) | Germany | Banking | 104
78 | de.commerzbanking.mobil | Commerz Banking (Android App via Google Play) | Germany | Banking | 147
79 | kunden.commerzbank.de | Commerzbank | Germany | Banking | 79
80 | de.consorsbank | Der Consorsbank | Germany | Banking | 146
81 | de.dkb.portalapp | DKB-Banking (Android App via Google Play) | Germany | Banking | 104
82 | com.starfinanz.mobile.android.dkbpushtan | DKB-TAN2go (Android App via Google Play) | Germany | Banking | 100
83 | finanzportal.fiducia.de | Fiducia & GAD IT | Germany | Banking | 553
84 | banking.ing-diba.de | ING-DiBa | Germany | Banking | 79
85 | com.ing.diba.mbbr2 | ING-DiBa (Android App via Google Play) | Germany | Banking | 105
86 | de.ing_diba.kontostand | ING-DiBa Kontostand (Android App via Google Play) | Germany | Banking | 101
87 | com.db.mm.deutschebank | Meine Bank (Android App via Google Play) | Germany | Banking | 146
88 | de.adesso.mobile.android.gad | Online-Filiale (Android App via Google Play) | Germany | Banking | 102
89 | ostsaechsische-sparkasse-dresden.de | Ostsaechsische Sparkasse Group | Germany | Banking | 147
90 | banking.postbank.de | Postbank | Germany | Banking | 79
91 | de.postbank.finanzassistent | Postbank Finanzassistent (Android App via Google Play) | Germany | Banking | 147
92 | securebank.santander.de | Santander | Germany | Banking | 79
93 | mobile.santander.de | Santander (Android App via Google Play) | Germany | Banking | 104
94 | com.starfinanz.smob.android.sbanking | Sparkasse (Android App via Google Play) | Germany | Banking | 147
95 | com.starfinanz.smob.android.sfinanzstatus | Sparkasse (Android App via Google Play) | Germany | Banking | 105
96 | banking.berliner-sparkasse.de | Sparkasse Berliner | Germany | Banking | 79
97 | bankingportal.sparkasse-bielefeld.de | Sparkasse Bielefeld | Germany | Banking | 79
98 | bankingportal.sparkasse-bochum.de | Sparkasse Bochum | Germany | Banking | 79
99 | bankingportal.sparkasse-dortmund.de | Sparkasse Dortmund | Germany | Banking | 79
100 | bankingportal.sparkasse-duisburg.de | Sparkasse Duisburg | Germany | Banking | 79
101 | bankingportal.frankfurter-sparkasse.de | Sparkasse Frankfurter | Germany | Banking | 79
102 | banking.sparkasse-hannover.de | Sparkasse Hannover | Germany | Banking | 79
103 | bankingportal.sparkasse-koelnbonn.de | Sparkasse Koelnbonn | Germany | Banking | 79
104 | banking.sparkasse-leipzig.de | Sparkasse Leipzig | Germany | Banking | 79
105 | banking.sparkasse-leipzig.de | Sparkasse Leipzig | Germany | Banking | 79
106 | banking.sparkasse-muensterland-ost.de | Sparkasse Muensterland | Germany | Banking | 79
107 | portal.sparkasse-nuernberg.de | Sparkasse Nuernberg | Germany | Banking | 79
108 | bankingportal.sparkasse-wuppertal.de | Stadtsparkasse Wuppertal | Germany | Banking | 79
109 | de.fiducia.smartphone.android.banking.vr | VR Banking (Android App via Google Play) | Germany | Banking | 147
110 | com.android.vending | Android Google Play Store processing | Global | Mobile Platform | 3
111 | m.ebay.com | eBay | Global | Online Auction | 43
112 | com.facebook.katana | Facebook (Android App via Google Play) | Global | Social / Messaging | 8
113 | com.google.android.email | Gmail (Android App via Google Play) | Global | eMail | 30
114 | com.google.android.gm | Google (Android Dev API) | Global | eMail | 81
115 | com.htc.android.mail | HTC (Android App via Google Play) | Global | eMail | 32
116 | com.android.email | Mail.com | Global | eMail | 95
117 | paypal.com | PayPal | Global | Payment Processor | 88
118 | com.paypal.android.p2pmobile | PayPal (Android App via Google Play) | Global | Payment Processor | 94
119 | com.viber.voip | Viber Messenger (Android App via Google Play) | Global | Social / Messaging | 3
120 | com.whatsapp | WhatsApp (Android App via Google Play) | Global | Social / Messaging | 3
121 | com.yahoo.mobile.client.android.mail | Yahoo (Android App via Google Play) | Global | eMail provider | 81
122 | com.bapro.movil | Banco Provincia (Android App via Google Play) | Mexico | Banking | 17
123 | com.citibanamex.banamexmobile | Citibanamex Móvil (Android App via Google Play) | Mexico | Banking | 17
124 | mx.bancosantander.supermovil | Santander | Mexico | Banking | 17
125 | com.bbva.nxt_peru | BBVA Continental - Banca Móvil (Android App via Google Play) | Peru | Banking | 17
126 | com.bcp.bank.bcp | BCP Bank | Peru | Banking | 17
127 | pe.com.interbank.mobilebanking | Interbank APP (Android App via Google Play) | Peru | Banking | 17
128 | wit.android.bcpBankingApp.millenniumPL | Bank Millennium (Android App via Google Play) | Poland | Banking | 47
129 | eu.eleader.mobilebanking.pekao | Bank Pekao (Android App via Google Play) | Poland | Banking | 147
130 | pl.eurobank | Euro Bank | Poland | Banking | 47
131 | com.getingroup.mobilebanking | Getin Noble Bank (Android App via ApkMonk) | Poland | Banking | 47
132 | pl.mbank | mBank | Poland | Banking | 52
133 | eu.eleader.mobilebanking.raiffeisen | Mobile Bank (Android App via Google Play) | Poland | Banking | 47
134 | com.santander.app | Santander (Android App via Google Play) | Spain | Banking | 17
135 | se.accumulate.me.core.androidclient.occidente | Banco de Occidente B.P (Android App via Google Play) | Sweden | Banking | 31
136 | internetsubesi.akbank.com | Ak Bank | Turkey | Banking | 158
137 | mobilsube.akbank.com.tr | Ak Bank Direkt | Turkey | Banking | 79
138 | com.akbank.android.apps.akbank_direkt | Ak Bank Direkt (Android App via Google Play) | Turkey | Banking | 126
139 | com.garanti.cepsubesi | Garanti (Android App via Google Play) | Turkey | Banking | 84
140 | isube.garanti.com.tr | Garanti Bank | Turkey | Banking | 316
141 | isube.garanti.com.tr | Garanti Bank | Turkey | Banking | 79
142 | com.tmobtech.halkbank | Halkbank (Android App via Google Play) | Turkey | Banking | 126
143 | sube.halkbank.com.tr | Halkbank Bank | Turkey | Banking | 316
144 | www.isbank.com.tr/TicariInternet | Isbank | Turkey | Banking | 158
145 | www.isbank.com.tr | Isbank Bank | Turkey | Banking | 316
146 | com.pozitron.iscep | İşCep (Android App via Google Play) | Turkey | Banking | 84
147 | internetsubesi.finansbank.com.tr | QNB Finansbank | Turkey | Banking | 79
148 | com.finansbank.mobile.cepsube | QNB Finansbank (Android App via Google Play) | Turkey | Banking | 126
149 | subesizbankacilik.vakifbank.com.tr | Vakif Bank | Turkey | Banking | 158
150 | com.vakifbank.mobile | Vakif Bank (Android App via Google Play) | Turkey | Banking | 126
151 | yapikredi.com.tr | Yapi Kredi | Turkey | Banking | 158
152 | com.ykb.android | Yapi Kredi (Android App via Google Play) | Turkey | Banking | 84
153 | bireysel.ziraatbank.com.tr | Ziraat Bank | Turkey | Banking | 237
154 | kurumsal.ziraatbank.com.tr | Ziraat Bank | Turkey | Banking | 158
155 | com.ziraat.ziraatmobil | Ziraat Mobil (Android App via Google Play) | Turkey | Banking | 84
156 | com.grppl.android.shell.BOS | Bank of Scotland (Android App via Google Play) | UK | Banking | 8
157 | com.barclays.android.barclaysmobilebanking | Barclays (Android App via Google Play) | UK | Banking | 6
158 | halifax-online.co.uk | Halifax UK | UK | Banking | 79
159 | com.grppl.android.shell.halifax | Halifax UK (Android App via Google Play) | UK | Banking | 89
160 | com.htsu.hsbcpersonalbanking | HSBC (Android App via Google Play) | UK | Banking | 8
161 | online.lloydsbank.co.uk | Lloyds Bank | UK | Banking | 79
162 | com.grppl.android.shell.CMBlloydsTSB73 | Lloyds Bank (Android App via Google Play) | UK | Banking | 89
163 | com.rbs.mobile.android.natwest | NatWest (Android App via Google Play) | UK | Banking | 6
164 | com.rbs.mobile.android.rbs | Royal Bank (Android App via Google Play) | UK | Banking | 6
165 | uk.co.santander.santanderUK | Santander | UK | Banking | 6
166 | online.tsb.co.uk | TSB | UK | Banking | 79
167 | uk.co.tsb.mobilebank | TSB (Android App via Google Play) | UK | Banking | 89
168 | com.rbs.mobile.android.ubr | Ulster Bank (Android App via Google Play) | UK | Banking | 6
169 | com.paybybank.westernunion | Paybybank | US | Banking | 30
170 | om.suntrust.mobilebanking | SunTrust | US | Banking | 32
171 | com.tdbank | TD Bank | US | Banking | 32
172 | com.unionbank.ecommerce.mobile.android | Union Bank | US | Banking | 32

Appendix B: Samples Tested

6e96b1d9628e7ee8378d15d507c64cfa7bbb85ad64793adaf610c8bc70808b0f

2327d19badd8632930079efb55f5603644f4b077b47439d2bdf11a233dadece2

4035c73e7315fb639423bc4fa85a7573156f1af46f91f64ed009c9fd2905707b

664b9c7ba34172320279bd9425ad3d8103a50dae8da3183995360ffc7fb4a0f4

069ad1b7b097f6337fc140100ef1a5d12ad45fb55daabe78104eef966ea835be

5bf7648743c0ff2207c5653b12f077f9d6a6a013cbcb3e2e2d5d94605b2ba08e

a5e0dd00bd5e505603a552ca16763a4e4472481f747ac61a559ef2b0c678d9a7

6bf17c764dcc0bcc72750483e8a26a00b563dd833b8ba1b16e1091f4e18f0753

fddce806c668fb39ca4c7f4576162bf715451ced81b0e2e961b2f0d33d1872bc

Authors & Contributors
Doron Voolf (Author)
Malware Analyst