TsarBot Trojan Hits 750+ Banking & Crypto Apps!

· Published 01/04/2025 14:48 · Modified 01/04/2025 17:28

Essential information

Tags
2025-04-01 android banking trojan credential-theft keylogging on-device fraud overlay attack phishing screen recording sms interception tsarbot websocket
Related entities
1 malware, 9 others

Description

A newly discovered Android banking trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Services. TsarBot employs overlay attacks to steal credentials, records and remotely controls screens, and uses a fake lock screen to capture device lock credentials. It communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and execute . The malware's capabilities include , , and . Evidence suggests the threat actor behind TsarBot is likely of Russian origin.

External references