TsarBot Trojan Hits 750+ Banking & Crypto Apps!
Essential information
- Published
- 01/04/2025 14:48
- Modified
- 01/04/2025 17:28
- Tags
- 2025-04-01 android banking trojan credential-theft keylogging on-device fraud overlay attack phishing screen recording sms interception tsarbot websocket
- Related entities
- 1 malware, 9 others
Description
A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Services. TsarBot employs overlay attacks to steal credentials, records and remotely controls screens, and uses a fake lock screen to capture device lock credentials. It communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and execute on-device fraud. The malware's capabilities include screen recording, keylogging, and SMS interception. Evidence suggests the threat actor behind TsarBot is likely of Russian origin.