Cyble researchers have identified TsarBot, a new Android banking trojan targeting over 750 applications in sectors including banking, finance, cryptocurrency, e-commerce, social media, and payment apps. TsarBot leverages overlay attacks, keylogging, screen recording, lock-grabbing, and SMS interception to steal credentials and perform fraudulent transactions. It abuses Accessibility services and WebSocket communication to evade detection.
TsarBot spreads through phishing sites impersonating the official Photon Sol token discovery and trading site and uses a dropper application to deploy the malware. After installation, it mimics Google Play Service to trick users into enabling Accessibility services, establishing a connection to its C&C server via ports 9001, 9002, 9004, and 9030.
The malware can receive 30 commands from the server, including the REQUEST_CAPTURE command, which enables screen capture and transmits the captured content to the C&C server for on-device fraud. A LockTypeDetector component identifies the device's lock type and captures passwords, PINs, or patterns. The malware also mimics legitimate apps through overlays to harvest credentials and removes a targeted app from its attack list once that app's information has been stolen.
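As an added defender-side illustration (not code from Cyble's report), the following script scans per-app connection records for two of the indicators described above: WebSocket traffic to the reported C&C ports 9001, 9002, 9004 and 9030, and an app whose label claims to be Google Play Services but whose package name is not Google's. The log format, package names and addresses are constructed for the example and are assumptions, not values from the report.

```python
import re

# Constructed sample records in a hypothetical "per-app connection" log format.
# Package names, labels and IPs are made up for this example.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z pkg=com.android.chrome label="Chrome" dst=198.51.100.10:443 proto=tls
2025-01-01T10:00:02Z pkg=com.example.photonupdate label="Google Play Service" dst=203.0.113.5:9001 proto=ws
2025-01-01T10:00:03Z pkg=com.google.android.gms label="Google Play services" dst=198.51.100.11:443 proto=tls
2025-01-01T10:00:04Z pkg=com.example.wallet label="Wallet" dst=203.0.113.5:9030 proto=ws
2025-01-01T10:00:05Z pkg=com.example.notes label="Notes" dst=198.51.100.12:9001 proto=tls
"""

# C&C ports reported for TsarBot's WebSocket channel (from the report).
TSARBOT_C2_PORTS = {9001, 9002, 9004, 9030}

LINE_RE = re.compile(
    r'(?P<ts>\S+) pkg=(?P<pkg>\S+) label="(?P<label>[^"]*)" '
    r'dst=(?P<host>[^:\s]+):(?P<port>\d+) proto=(?P<proto>\S+)'
)


def parse_line(line):
    """Parse one log record into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def suspicious_reasons(rec):
    """Return the list of indicator names that fire for one parsed record."""
    reasons = []
    # Indicator 1: WebSocket connection to one of the reported C&C ports.
    if rec["proto"] == "ws" and rec["port"] in TSARBOT_C2_PORTS:
        reasons.append(f"websocket to reported TsarBot C&C port {rec['port']}")
    # Indicator 2: label impersonates Google Play Services under a non-Google package.
    if "google play" in rec["label"].lower() and not rec["pkg"].startswith("com.google.android."):
        reasons.append("label impersonates Google Play Services under non-Google package")
    return reasons


def scan_log(text):
    """Return [(package, [reasons...])] for every record that triggers an indicator."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None and (reasons := suspicious_reasons(rec)):
            findings.append((rec["pkg"], reasons))
    return findings
```

The TLS record on port 9001 is deliberately not flagged: the port alone is not an indicator in this example, only the WebSocket-plus-port combination the report describes.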
Cyble emphasizes best practices for users, including downloading apps only from official stores, using strong passwords and multi-factor authentication, enabling Google Play Protect, and being cautious with links from SMS and emails.