banking trojan
-
Perseus Android banking malware enables device takeover and note theft
Perseus is a new Android banking trojan delivered through sideloaded IPTV apps that enables Accessibility based device takeover overlay attacks and extraction of notes and credentials, primarily targeting Turkey and Italy.
-
Massiv Android trojan hides in IPTV droppers to enable device takeover and banking fraud
Researchers published a technical analysis of Massiv, an Android trojan spread as IPTV droppers that enables remote device takeover, screen streaming and overlays to steal banking credentials. Initial campaigns targeted Portugal and Greece in early 2025.
-
Water Saci campaign in Brazil uses WhatsApp worm, HTA and Python to deliver banking trojan; RelayNFC Android malware also active
Researchers say the Water Saci group has adopted a layered HTA/PDF/WhatsApp Web worm and a Python-based propagation script to deliver an AutoIt-backed banking trojan in Brazil, while a separate RelayNFC Android threat targets contactless payments.
-
Researchers disclose Sturnus Android banking trojan that can capture messages and take over devices
Security researchers say a new Android banking trojan called Sturnus can capture decrypted messages from apps like WhatsApp, Telegram and Signal, present fake bank login screens, and allow remote control of infected devices; ThreatFabric reports the campaign so far is limited to Southern and Central Europe.
-
Researchers report WhatsApp-based worm distributing Delphi banking trojan in Brazil
Trustwave SpiderLabs reported a WhatsApp-propagated campaign in Brazil that uses a Python-based worm and an MSI installer to deploy the Delphi credential stealer Eternidade, which retrieves C2 addresses via IMAP and targets banking and crypto apps.
-
Researchers detail Android RAT ‘Fantasy Hub’ sold as Malware‑as‑a‑Service on Telegram
Security researchers and industry trackers say an Android remote access trojan named Fantasy Hub is being sold on Russian‑language Telegram channels as a Malware‑as‑a‑Service, offering device takeover, SMS interception, APK trojanising, and subscription pricing while mirroring features seen in other Android RATs and banking trojans.
-
Researchers link WhatsApp-propagated Maverick malware to Brazilian banking trojans
Researchers say Maverick, a WhatsApp-propagated malware, shares code and tactics with the Brazilian banking trojan Coyote and is being spread via automated WhatsApp Web sessions, with analysts noting ties to a group called Water Saci.
-
Researchers detail BankBot‑YNRK and DeliveryRAT Android trojans that steal credentials and payment data
Researchers say two Android trojans, BankBot‑YNRK and DeliveryRAT, have been observed harvesting credentials, payment and device data; reports from CYFIRMA and F6 detail targeted device checks, use of accessibility services, persistence mechanisms and distribution via fake apps and malware‑as‑a‑service.
-
Astaroth banking trojan leverages GitHub to restore command-and-control, McAfee says
McAfee Labs reported that the Astaroth banking trojan campaign uses GitHub-hosted images with steganography to update configurations and maintain access after C2 takedowns; the campaign targets Brazil and other Latin American countries and is delivered via DocuSign-themed phishing emails.
-
New Android banking trojan Klopatra has infected more than 3,000 devices, Cleafy says
Cleafy said a new Android banking trojan called Klopatra has infected over 3,000 devices, mainly in Spain and Italy, using VNC remote control, dynamic overlays and abuse of Android accessibility services to steal credentials and perform fraudulent transfers.
