TsarBot Trojan Hits 750+ Banking & Crypto Apps!

April 1, 2025, 5:28 p.m.

Description

A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Services. TsarBot employs overlay attacks to steal credentials, records and remotely controls screens, and uses a fake lock screen to capture device lock credentials. It communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and execute on-device fraud. The malware's capabilities include screen recording, keylogging, and SMS interception. Evidence suggests the threat actor behind TsarBot is likely of Russian origin.

External References

https://cyble.com/blog/tsarbot-using-overlay-attacks-targeting-bfsi-sector
https://otx.alienvault.com/pulse/67ebfca5b1693b0052687f72
Tags
phishing
android
credential theft
banking trojan
keylogging
sms interception
on-device fraud
2025-04-01
websocket
screen recording
tsarbot
overlay attack

Date

  • Created: April 1, 2025, 2:48 p.m.
  • Published: April 1, 2025, 2:48 p.m.
  • Modified: April 1, 2025, 5:28 p.m.

Attack Patterns

  • TsarBot

Additional Informations

  • Technology
  • Finance
  • British Indian Ocean Territory
  • India
  • Australia
  • United Arab Emirates
  • Poland
  • France
  • United Kingdom of Great Britain and Northern Ireland