Android malware that can collect personal user data, display phishing messages to collect login credentials, and intercept SMS messages to bypass two-factor authentication or one-time codes used by banks.
A family of malicious ad fraud applications targeting Android devices. It tricks users into clicking ads by displaying deceptive graphics. It uses obfuscation and anti-analysis techniques to remain undetected.
Skinner is Android adware that was found on the Google Play Store by Check Point researchers in March 2017. It is the first Android malware variant capable of tailoring ads to its victims.
BankBot, as it is known by Dr. Web, and Spy Banker, as it is known by ESET, is an Android Trojan that malware authors developed after using the leaked source code of another unnamed Android banking Trojan in December 2016.
The Asacub Android banking Trojan was first identified by Kaspersky Lab in June 2015 and was prevalent in attacks against Android devices into 2016. When it was first discovered, it was a simple phishing program managed remotely from a command and control server.
Agent.Jl is an Android Trojan found in a malicious application imitating Adobe Flash Player. It tricks users into granting special permissions and then downloads and executes additional malware onto the victim device.
ViperRAT was first identified in July 2015 targeting the Android devices of over 100 Israeli servicemen from the Israeli Defense Force (IDF). ViperRAT allows the attacker to access general data about the device, SMS messages, WhatsApp database and encryption keys, browsing and search histories, documents and archives found in storage, and photos taken.
Dendroid is an Android remote access Trojan (RAT) discovered by researchers in 2014. It was available for rent at $300/month on the Dark Web forum, Darkode. This Trojan is capable of infecting Android devices and taking photos using the phone’s camera, recording audio and video, downloading existing photos, recording calls, and sending texts.
X-Agent, also referred to as “Sofacy,” is a remote access toolkit that works against the Android operating system and Apple’s iOS. This malware is known for its association with the state-sponsored hacker group “FANCY BEAR,” also known as “Sofacy” or “APT28,” a group tied to Russian Military Intelligence (GRU).
The Switcher Android banking Trojan, disclosed by Kaspersky Lab researchers in December 2016, targets Android devices in order to take over their local WiFi routers and intercept the web traffic passing through them.
Faketoken was first discovered in 2012 as Android spyware targeting mobile banking users by posing as a fake token generator. The Trojan would ask the victim for his or her password and generate a fake token while it executed malicious code in the background and sent the user’s information to a specified number and remote servers.
Exo/Exobot is a banking Trojan, discovered in December 2016, affecting Android versions 4, 5, and 6. As early as June 2016, Exobot was advertised and sold on hacking forums, Darknet marketplaces, and, later, a public internet website, and was advertised in Jabber/XMPP spam.
The Loki Android Trojan was first seen in February 2016 and was considered one of the first instances where malware could infect devices and settle inside the core Android operating system processes. Loki used this as an anti-detection technique to go undetected longer and carry out operations with root privileges.
Marcher Android banking malware was first discovered in 2013 targeting mostly Russian Google Play users to steal their credit card details by displaying a false payment information entry page. In 2014, it began targeting German bank users after adding banking credential theft to its capabilities. Marcher is spread through phishing campaigns, malicious links in SMS texts, and pornography sites.
PluginPhantom is an Android banking Trojan discovered by Palo Alto Networks in November 2016 and believed to be the successor to the Trojan “Android.Trojan.Ihide.” The Trojan utilizes the “DroidPlugin” framework to infect users’ devices and steal files, location data, contacts, and WiFi information. It can also log keystrokes, take pictures, capture screenshots, record audio, and intercept and send SMS messages.
FakeBank is an Android Trojan first discovered in 2013 that opens a backdoor and steals information from the compromised device. The Trojan loads onto the victim's device masquerading as a Google Play Store application and requests unnecessary permissions, including:
Gooligan is a family of Android malware first discovered in malicious applications in 2015. Once a device is infected by the malicious app, the malware attempts to contact its command and control (C2) servers to send user and device data.