Trusted Design

Android Trojan Xbot Phishes Credit Cards and Bank Accounts

概要

Unit42 recently discovered 22 Android apps that belong to a new Trojan family we’re calling “Xbot”. This Trojan, which is still under development and regularly updated, is already capable of multiple malicious behaviors. It tries to steal victims’ banking credentials and credit card information via phishing pages crafted to mimic Google Play’s payment interface as well as the login pages of 7 different banks’ apps. It can also remotely lock infected Android devices, encrypt the user’s files in external storage (e.g., SD card), and then ask for a U.S. $100 PayPal cash card as ransom. In addition, Xbot will steal all SMS messages and contact information, intercept certain SMS messages, and parse SMS messages for mTANs (Mobile Transaction Authentication Number) from banks.

Created: 2026-02-23

Indicators

• URL - http://yetiathome15.ru/Install.apk -
• FileHash-SHA256 - f2cfbc2f836f3065d5706b9f49f55bbd9c1dae2073a606c8ee01e4bbd223f29f -
• FileHash-SHA256 - e905d9d4bc59104cfd3fc50c167e0d8b20e4bd40628ad01b701a515dd4311449 -
• URL - http://leeroywork3.co/install.apk -
• URL - http://morning3.ru/install.apk -
• FileHash-SHA256 - 2e2173420c0ec220b831f1c705173c193536277112a9716b6f1ead6f2cad3c9e -
• URL - http://192.227.137.154/request.php -
• FileHash-SHA256 - 4b5ef7c8150e764cc0782eab7ca7349c02c78fceb1036ce3064d35037913f5b6 -
• FileHash-SHA256 - c2354b1d1401e31607c770c6e5b4b26dd0374c19cc54fc5db071e5a5af624ecc -
• FileHash-SHA256 - 12f75b8f58e1a0d88a222f79b2ad3b7f04fd833acb096bb30f28294635b53637 -
• URL - http://23.227.163.110/locker.php -
• FileHash-SHA256 - dfda8e52df5ba1852d518220363f81a06f51910397627df6cdde98d15948de65 -
• URL - http://52.24.219.3/action.php -
• domain - melon25.ru -
• FileHash-SHA256 - 1264c25d67d41f52102573d3c528bcddda42129df5052881f7e98b4a90f61f23 -
• FileHash-SHA256 - 93172b122577979ca41c3be75786fdeefa4b80a6c3df7d821dfecefca1aa6b05 -
• FileHash-SHA256 - 58af00ef7a70d1e4da8e73edcb974f6ab90a62fbdc747f6ec4b021c03665366a -
• FileHash-SHA256 - 7e47aaa8a1dda7a413aa38a622ac7d70cc2add1137fdaa7ccbf0ae3d9b38b335 -
• URL - http://illuminatework.ru/Install.apk -
• FileHash-SHA256 - 33230c13dcc066e05daded0641f0af21d624119a5bb8c131ca6d2e21cd8edc1a -
• FileHash-SHA256 - d1e5b88d48ae5e6bf1a79dfefa32432b7f14342c2d78b3e5406b93ffef37da03 -
• FileHash-SHA256 - 1b84e7154efd88ece8d6d79afe5dd7f4cda737b07222405067295091e4693d1b -
• URL - http://market155.ru/Install.apk -
• FileHash-SHA256 - 029758783d2f9d8fd368392a6b7fdf5aa76931f85d6458125b6e8e1cadcdc9b4 -
• FileHash-SHA256 - a94cac6df6866df41abde7d4ecf155e684207eedafc06243a21a598a4b658729 -
• FileHash-SHA256 - 616b13d0a668fd904a60f7e6e18b19476614991c27ef5ed7b86066b28952befc -
• FileHash-SHA256 - d082ec8619e176467ce8b8a62c2d2866d611d426dd413634f6f5f5926c451850 -
• FileHash-SHA256 - a22b55aaf5d35e9bbc48914b92a76de1c707aaa2a5f93f50a2885b0ca4f15f01 -
• FileHash-SHA256 - 20bf4c9d0a84ac0f711ccf34110f526f2b216ae74c2a96de3d90e771e9de2ad4 -
• FileHash-SHA256 - 7e939552f5b97a1f58c2202e1ab368f355d35137057ae04e7639fc9c4771af7e -
• FileHash-SHA256 - 595fa0c6b7aa64c455682e2f19d174fe4e72899650e63ab75f63d04d1c538c00 -

類似Pulses

• Banking Trojan infected dozens of Android apps worldwide (score: 0.79)
• A Look Into The New Strain Of BankBot (score: 0.76)
• ZBot Malware (score: 0.76)
• BankBot Found on Google Play and Targets Ten New UAE Banking Apps (score: 0.76)
• Android Trojan GM Bot is evolving and targeting more than 50 banks worldwide (score: 0.75)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る