How SlemBunk works. Image Source: FireEye

SlemBunk is an Android mobile Trojan that was first identified by FireEye researchers in 2015. SlemBunk masquerades as 33 legitimate applications of financial management institutions in North America, Europe, and the Asia Pacific. SlemBunk traditionally looks like common, popular Android apps to attract victims, but it was recently discovered using drive-by downloads to distribute the malicious payload in order to reach more victims. This Trojan has the ability to phish for and harvest credentials when certain banking apps are launched. As of December 2015, SlemBunk will only infect users if it is sideloaded from an unofficial application source or downloaded from a malicious website, as opposed to being downloaded from the Google Play store. FireEye identified 170 samples of SlemBunk in the wild and detailed the characteristics and behaviors of the Trojan, including: highly customized login user interface, running in the background and monitoring active processes, detecting the launch of specific legitimate apps and, subsequently, displaying the correct fake login interfaces, harvesting and exfiltrating sensitive device information, receiving and executing remote commands through SMS text messages and network traffic, and persisting on the infected device through administrative privileges, remote C2 server change among samples, and using various methods of obfuscation to avoid detection.


  • January 2016: Slembunk has evolved to include a prolonged attack chain and a better organized campaign. (FireEye)

Technical Details

  • FireEye provides technical details on the SlemBunk Trojan, available here and here.