Key Takeaways

• A new Android Banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps.
• TsarBot spreads via phishing sites masquerading as legitimate financial platforms and is installed through a dropper disguised as Google Play Services.
• It uses overlay attacks to steal banking credentials, credit card details, and login credentials by displaying fake login pages over legitimate apps.
• TsarBot can record and remotely control the screen, executing fraud by simulating user actions such as swiping, tapping, and entering credentials while hiding malicious activities using a black overlay screen.
• It captures device lock credentials using a fake lock screen to gain full control.
• TsarBot communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and dynamically execute on-device fraud.

Overview

Cyble Research and Intelligence Labs (CRIL) discovered a new Android banking trojan that uses an overlay attack to target over 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications, across multiple regions.

While the malware mainly utilizes overlay attacks to steal credentials, it also carries out various other malicious actions. It is capable of recording and remotely controlling the screen, enabling attackers to monitor and manipulate the device. Additionally, it employs lock-grabbing techniques, keylogging, and intercepting SMS messages.

The analyzed samples indicate the presence of a newly discovered banking trojan, which we are internally tracking as “TsarBot,” a name chosen due to the threat actor’s suspected Russian origin. During our investigation, we identified multiple log entries in Russian within the malicious application, suggesting that a Russian-speaking threat actor likely developed the malware.

TsarBot has been observed spreading through a phishing site that impersonates the official Photon Sol website. The phishing site deceptively offers a download option for an application to start trading, whereas the legitimate website lacks such an option.

The following phishing sites impersonate legitimate entities and distribute dropper applications that, once installed on the targeted device, will deploy TsarBot.

• hxxps://solphoton[.]io
• hxxps://solphoton[.]app
• hxxps://cashraven[.]online

Technical Details

As previously mentioned, the phishing site delivers a dropper application that stores the TsarBot APK file, implant.apk, in the “res/raw” folder. The dropper utilizes a session-based package installer to deploy the TsarBot malware on the device.

TsarBot conceals itself as the Google Play Service app and does not display a launcher icon. Upon installation, it presents a fake Google Play Service update page, prompting the user to enable Accessibility services.

WebSocket Connection

After the victim enables the Accessibility service, the malware establishes a socket connection with the C&C server “hxxp://95.181[.]173.76” using four different ports listed below:

• 9001 – To receive commands
• 9002 – To send captured screen content
• 9004 – To receive different sets of commands
• 9030 – To send data to the server

TsarBot can receive various commands from the server, primarily focused on-screen control, enabling it to carry out on-device fraud.

Screen Recording

As outlined in the command table, when TsarBot receives the “REQUEST_CAPTURE” command, it prompts the user to enable screen capture permissions. Once granted, the malware initiates the screen capture service, transmitting the captured screen content to the C&C server via a WebSocket connection on port 9002.

By capturing screen content and executing server-issued screen control commands, TsarBot can carry out fraudulent transactions on the targeted device by concealing this fraud activity with a black overlay screen.

Lock Grabber

TsarBot incorporates the LockTypeDetector feature to determine the device’s lock type using the Accessibility service. It detects specific on-screen text or descriptions, such as “PIN area,” “Device password,” or a pattern, to identify the lock method. Once identified, it saves the lock type status for future use in lock-grabbing operations.

When TsarBot receives the “USER_PRESENT” action for the first time, it loads a fake lock screen based on the detected lock type from “hxxps://xdjhgfgjh[.]run/injects/htmlPIN/android.PinCode.html” and captures the user’s lock password, PIN, or pattern.

Overlay Attack

TsarBot connects to the URL “hxxps://xdjhgfgjh[.]run/injects/ServiceName.txt“ to retrieve a list of targeted application package names. Most of these belong to banking apps from various regions, including France, Poland, the UK, India, the UAE, and Australia. The remaining package names are associated with e-commerce, social media, messaging apps, cryptocurrency, and other categories.

TsarBot collects the installed applications on the infected device and compares them against the package names received from the server, maintaining a target list for overlay attacks.

When the victim interacts with an application, TsarBot checks its package name against the maintained target list. If the application is found in the targeted list, it then retrieves the corresponding injection page from “hxxps://xdjhgfgjh[.]run/injects/html/{packagename}.html“ and loads it into a WebView.

The injection page mimics a legitimate application, tricking users into entering sensitive information such as net banking credentials, log in details, and credit card information. The figure below shows the injection pages for one of the target applications.

The data entered into the injection phishing pages is sent to the C&C server over port 9030. After transmitting the stolen sensitive information, TsarBot removes the targeted application’s package name from the list to prevent the overlay from being triggered again for the same app.

The image below shows the injection pages used by TsarBot to trick the victims into submitting sensitive information while attempting to access genuine applications.

Conclusion

TsarBot is yet another addition to the growing list of Android banking trojans, relying on familiar yet effective tactics such as overlay attacks, screen recording, and lock grabbing. By abusing Accessibility services and WebSocket communication, it enables on-device fraud while maintaining a low profile. With its ability to target over 750 applications across multiple sectors, TsarBot underscores the persistent threat posed by banking malware. Users should exercise caution when installing apps, avoid untrusted sources, and remain vigilant against phishing sites distributing such threats.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

• Download and install software exclusively from official application stores, such as the Google Play Store or the iOS App Store. 
• Utilize a reputable antivirus and internet security software package on all connected devices, including personal computers, laptops, and mobile devices. 
• Implement strong passwords and enforce multi-factor authentication wherever feasible. 
• Activate biometric security features, such as fingerprint or facial recognition, for unlocking mobile devices when available. 
• Exercise caution while opening links that have been sent via SMS or emails on your mobile device. 
• Ensure that Google Play Protect is enabled on Android devices. 
• Be judicious when granting permissions to applications. 
• Maintain updated versions of your devices, operating systems, and applications. 

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.