person writing on white notebook
Cyber Security

Here Are the Top 10 Android Banking Trojans

Please start this article learning as always with me the basic terms to understand better what we must tell you about this topic.

What is a Trojan horse? 

It is a type of malware also known as a Trojan horse from the historical account. This story tells of the belly of a giant wooden horse that opened during the night, and it was too late. The Greeks had managed to capture the city of Troy after an extensive siege and, with it, put an end to the Trojan War. Thousands of years later, the myth of the Trojan horse lives on, albeit with a less flattering connotation. For what was once recognized as a brilliant trick and an amazing feat of engineering is now regarded as a malicious digital pest whose sole purpose is to wreak havoc on its victims’ computers without their knowledge.

What does a Trojan do to achieve this?

It does this by reading passwords, logging keystrokes, or opening gateways for the entry of more malware that could even take the computer hostage. These actions include:

  • Data deletion.
  • Locking data.
  • Data modification.
  • Data copying.
  • Disruption of computer or computer network performance.

Now, knowing and understanding the terms, I will tell you about the ten most prolific Android mobile banking trojans target 639 financial applications that collectively have over one billion downloads on the Google Play Store.

Usually, the mobile banking trojans hide behind benign apps like productivity tools or games and commonly sneak into the Google Play Store, as you know the Android’s official app store.

When your device is already infected, the step to follow they overlay login pages on top of legitimate banking and finance apps to steal account credentials, monitor notifications to snatch OTPs, and even carry out on-device financial fraud by abusing Accessibility services to perform actions as the user.

According to Zimperium (a mobile security platform) it offers a gives an overview of the Android ecosystem in the first quarter of 2021, and each of these Trojans has assumed a unique spot in the market by how many organizations they target as well as functionality that differentiate them from the rest.

This finding is very worrying! Because, according to 2021 surveys, three out of four respondents in the U.S. use banking apps to perform their daily banking activities, providing a massive pool of targets for these Trojans.

Which countries are the most targeted?

United States tops the list of the most targeted countries, having 121 targeted apps. The United Kingdom follows with 55 apps, Italy with 43, Turkey with 34, Australia counts 33, and France has 31.

The Trojan that targets the most applications is Teabot, covering 410 out of 639 of those tracked, while Exobot also targets a sizable pool of 324 applications. And the targeted application with the most downloads is PhonePe, which is extremely popular in India, having 100 million downloads from the Play Store.

Binance, the popular cryptocurrency exchange app, counts 50M downloads. Cash App, a US and UK-covering mobile payment service, also has 50 million installations via the Play Store. Both are also targeted by some banking Trojans, even if they do not offer conventional banking services.

The most widely targeted application is BBVA, a global online banking portal with tens of millions of downloads.

Most prolific Trojans

In the first quarter of this year, according to Zimperium, are the following.

  • BianLian: 

Targets Binance, BBVA, and a range of Turkish apps. An updated version of the trojan discovered in April 2022 features photoTAN bypassing, which is considered a strong authentication method in online banking. 

  • Cabassous:

Attacks Barclays, CommBank, Halifax, Lloys, and Santander. Uses domain generation algorithm (DGA) to evade detection and takedowns.

  • Coper:

Objective BBVA, Caixa Bank, CommBank, and Santander. It actively monitors device battery optimization “allowlist” and modifies it to exempt itself from restrictions.

  • EventBot:

Targets Barclays, Intensa, BancoPosta, and various other Italian apps. It hides as Microsoft Word or Adobe Flash, and can download new malware modules from remote sources.

  • Exobot:

Attacks PayPal, Binance, Cash App, Barclays, BBVA, and CaixaBank. It’s very small and light because it uses shared system libraries and fetches overlays from the C2 only when needed.

  • FluBot:

Objective BBVA, Caixa, Santander, and various other Spanish apps. The botnet trojan was notorious for its rapid distribution using SMS and contact lists of compromised devices.

  • Medusa:

Destination BBVA, CaixaBank, Ziraat, and a range of Turkish bank apps. It can perform on-device fraud by abusing the accessibility service to act as a normal user on the victim’s behalf.

  • Sharkbot:

Targets Binance, BBVA, and Coinbase. It features a rich set of detection evasion and anti-deletion capabilities, as well as strong C2 communication encryption.

  • Teabot:

Attacks PhonePe, Binance, Barclays,, Postepay, Bank of America, Capital One, Citi Mobile, and Coinbase. It features a special keylogger for each app, and loads it when the user launches it.

  •  Xenomorph:

Objective BBVA and various EU-based bank apps. It can also serve as a dropper to fetch additional malware on the compromised device.

Keep in mind to protect from all these threats, you should keep your device up to date, only install apps from the Google Play Store, check user reviews, visit the developer’s site, and keep the number of installed apps on your device at a minimum.