Android banker with hardcoded financial targets


SonicWall Threats Research Team received reports of an Android banker campaign that has a multitude of features and commands at its disposal. Samples we analyzed include hardcoded financial institutions whose presence is monitored and fake login pages are shown if these targeted apps are found running on the device.

Sample Details

  • MD5:  9d050ee9d306fa2228b3ddb1840bfb61
  • Application Name: OLX
  • Package Name: man.cube.ship

Infection Cycle

Among the permissions requested, the following are a few sensitive/dangerous ones:

  • android.permission.BIND_ACCESSIBILITY_SERVICE
  • android.permission.CALL_PHONE
  • android.permission.GET_TASKS
  • android.permission.READ_SMS
  • android.permission.REAL_GET_TASKS
  • android.permission.RECEIVE_BOOT_COMPLETED
  • android.permission.RECEIVE_SMS
  • android.permission.SEND_SMS
  • android.permission.SYSTEM_ALERT_WINDOW
  • android.permission.WRITE_SETTINGS


Upon installation and execution, the malware does not show any screens or interface o any kind but continues to perform malicious actions in the background:

The Manifest.xml file points to a Main Activity class that gets invoked when the application runs, but this class is not see in the code base once decompiled:

This indicates that there is a possibility that a dex file containing the actual deobfuscated code is dropped when the application executes. We observe a file getting dropped in the app_DynamicOptDex folder on the device where the app gets installed. The file ZTpqTR.json is actually a DEX file that contains legible malicious code

Observations from the code

Interesting elements are present in a class file which can be considered as the configuration file. as it contains a number of hardcoded elements:

Server that the malware communicates with:

  • http://ro-37[.]in/myaccount/login[.]php

A number of domains marked as Gates:

  • http://analkarnavalbubenec[.]pw/3lfk3jGj/
  • http://karambga3j[.]net/3lfk3jGj/
  • http://lkrishtian1[.]com/3lfk3jGj/
  • http://lkrishtifaa[.]com/3lfk3jGj/

A list of financial applications that the malware targets along with what looks like fake login pages uploaded on a domain (which has been taken down as of writing this blog), complete file can be viewed here


The malware has capabilities to accept the following commands and execute the corresponding functionalities:

  • registration
  • send_sms
  • sms_contact
  • sms_contacts
  • get_push
  • tracker
  • move_sms_client
  • mard_mode – spelling mistake for hard mode
  • call_number
  • startes_access


Network activity

The malware communicated with the following domains during our analysis:

  • ro-27[.]in
  • lkrishtifaa[.]com


The following VirusTotal graph can be seen for this apk:


Banker Targets

The malware targets a number of financial institutions, notable targets include:

  • AlfaBank – Commercial bank in Russia
  • OpenBank – An online bank, headquartered in Madrid
  • Tinkoff – Russian bank based in Moscow
  • VTB24 – Leading universal bank of Russia
  • Mbank – Banking group in Poland
  • HomeCredit – An international non-bank financial institution headquartered in Netherlands


SonicWall Capture Labs provides protection against this threat via the following signature:

  • AndroidOS.Banker.DR_1


Indicators of compromise (IOC):

  • 9d050ee9d306fa2228b3ddb1840bfb61
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.