Full Report
Cyble researchers have discovered a new Android banking trojan that uses overlay attacks and other techniques to target more than 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications. Dubbed “TsarBot” because of the threat actor’s suspected Russian origin, the malware uses overlay attacks to steal credentials and can also record and control the screen. Other attack techniques used by the malware include lock-grabbing, keylogging, and intercepting SMS messages. Abusing Accessibility services and WebSocket communications helps the malware maintain a low profile. TsarBot Spread Through Phishing Sites TsarBot was observed spreading through a phishing site that impersonates the official Photon Sol token discovery and trading site. “The phishing site deceptively offers a download option for an application to start trading, whereas the legitimate website lacks such an option,” Cyble noted in a blog post detailing the findings. Three phishing sites deploying TsarBot were identified by the researchers, including solphoton[.]io, solphoton[.]app, and cashraven[.]online. The phishing sites deliver a dropper application that stores the TsarBot APK file, implant.apk, in the “res/raw” folder, and uses a session-based package installer to deploy the TsarBot malware on the device. After deployment, TsarBot presents a fake Google Play Service update page that prompts the user to enable Accessibility services, which establishes a socket connection with the command and control (C&C) server using ports 9001, 9002, 9004 and 9030. “By abusing Accessibility services and WebSocket communication, it enables on-device fraud while maintaining a low profile,” the Cyble researchers wrote. TsarBot Actions Include Fraud, Password Theft Cyble identified about 30 commands that TsarBot can receive from the server, primarily focused on on-screen control to carry out on-device fraud. The “REQUEST_CAPTURE” command, for example, prompts the user to enable screen capture permissions. “Once granted, the malware initiates the screen capture service, transmitting the captured screen content to the C&C server via a WebSocket connection on port 9002,” the researchers wrote. “By capturing screen content and executing server-issued screen control commands, TsarBot can carry out fraudulent transactions on the targeted device by concealing this fraud activity with a black overlay screen.” TsarBot’s LockTypeDetector feature determines the device’s lock type using the Accessibility service. “Once identified, it saves the lock type status for future use in lock-grabbing operations,” Cyble said. When TsarBot receives the “USER_PRESENT” action for the first time, it loads a fake lock screen based on the lock type and captures the user’s lock password, PIN, or pattern. Mimicking Applications TsarBot retrieves a list of targeted application package names, most of which belong to regional banking apps from countries such as France, Poland, the UK, India, the UAE, and Australia. Other package names are associated with e-commerce, social media, messaging, cryptocurrency, and other apps. TsarBot collects the installed applications on the device and compares them against the package names, “maintaining a target list for overlay attacks,” Cyble said. “The injection page mimics a legitimate application, tricking users into entering sensitive information such as net banking credentials, log in details, and credit card information,” Cyble said. “After transmitting the stolen sensitive information, TsarBot removes the targeted application’s package name from the list to prevent the overlay from being triggered again for the same app.” Cyble said the malware drives home the importance of best practices such as only downloading software from official application stores, such as the Google Play Store or the iOS App Store; using strong passwords, multi-factor authentication and biometric security; enabling Google Play Protect; and exercising caution while opening links that have been sent via SMS or emails. The full Cyble blog includes additional details, such as indicators of compromise (IoC) and MITRE ATT&CK technoques.
Analysis Summary
# Tool/Technique: TsarBot
## Overview
TsarBot is an Android banking trojan primarily designed to steal sensitive financial information by tricking users into inputting credentials into fake overlays that mimic legitimate applications. It targets a broad range of financial, cryptocurrency, e-commerce, social media, and messaging applications.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android
- Capabilities: Overlay attacks, accessibility service abuse, lock screen credential theft, credential harvesting across multiple apps.
- First Seen: Information not explicitly provided in the context, but the data appears current as of March 31, 2025.
## MITRE ATT&CK Mapping
*Note: Specific T-IDs are not provided in the context, mappings are based on described functionality.*
- **TA0001 - Initial Access** (Potential, via installation)
- **T14B - Install Root Certificate** (Indirectly related to privilege escalation/persistence often seen with advanced malware)
- **TA0005 - Defense Evasion**
- **T1484 - Abuse Accessibility Features** (Implied by abusing the Accessibility service)
- **TA0008 - Collection**
- **T1114 - Input Capture** (Capturing PINs/patterns via fake lock screen)
- **TA0011 - Command and Control** (Implied by transmitting stolen information)
## Functionality
### Core Capabilities
- **Accessibility Service Abuse:** Exploits the Android Accessibility service to monitor device state changes and perform malicious actions.
- **Lock Screen Credential Grabbing:** Monitors for the `USER_PRESENT` action, loads a fake lock screen matching the device's style (PIN, pattern, password), and captures the user's lock credentials.
- **Overlay Attacks:** Maintains a target list of installed application package names (over 750, including banking, crypto, e-commerce, and social media apps). It injects an overlay mimicking a legitimate application to trick users into entering login details, net banking credentials, and credit card information.
### Advanced Features
- **Stealth Mechanism:** After successfully harvesting credentials via an overlay injection against a specific application, TsarBot removes that application's package name from its target list, ensuring the overlay attack is not triggered again for the same application.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not applicable for Android malware in this context]
- Network Indicators: [Implied transmission of stolen data, servers/domains not listed]
- Behavioral Indicators: Abuse of the Android Accessibility Service; presence of overlays mimicking financial applications, especially upon app launch; capturing of screen input/lock type status upon `USER_PRESENT` action.
## Associated Threat Actors
- Information not explicitly provided in the context. The analysis is attributed to Cyble.
## Detection Methods
- Signature-based detection: Unknown, but standard AV/EDR signatures for known variants would apply.
- Behavioral detection: Detection based on the malicious usage of Accessibility Services (especially screen overlay generation and credential capture).
- YARA rules: [Not provided]
## Mitigation Strategies
- Only download software from official application stores (Google Play Store or iOS App Store).
- Use strong passwords, multi-factor authentication (MFA), and biometric security features.
- Enable Google Play Protect.
- Exercise caution when opening links received via SMS or emails.
## Related Tools/Techniques
- General Android Banking Trojans utilizing overlay attacks.
- Malware leveraging the Android Accessibility Service for credential theft.