SlemBunk is an Android mobile trojan that was first identified by FireEye researchers in 2015. SlemBunk masquerades as 33 legitimate applications of financial management institutions in North America, Europe, and the Asia Pacific. SlemBunk is designed to resemble common, popular Android apps in order to lure victims into infecting their devices, but it was recently observed using drive-by downloads to distribute the malicious payload as well. This trojan has the ability to phish for and harvest credentials when certain banking apps are launched. As of December 2015, SlemBunk will only infect users if an app containing its malicious code is sideloaded from an unofficial application source or downloaded from a malicious website, as opposed to being downloaded from the Google Play store. FireEye identified 170 samples of SlemBunk in the wild and detailed the characteristics and behaviors of the trojan, including: highly customized login user interface, running in the background and monitoring active processes, detecting the launch of specific legitimate apps and, subsequently, displaying the correct fake login interfaces, harvesting and exfiltrating sensitive device information, receiving and executing remote commands through SMS text messages and network traffic, persisting on the infected device through administrative privileges, remote C2 server change among samples, and using various methods of obfuscation to avoid detection. It is advised to refrain from installing apps outside the official app store, keep Android devices updated, and install mobile antivirus software on your device.


  • January 2016: SlemBunk trojan is targeting 33 mobile banking applications through 170 different SlemBunk variants. (Softpedia)

Technical Details

  • FireEye provides technical details on the SlemBunk trojan, available here and here.

Image Source: Softpedia