Bankbot dropper hiding on Google Play

Wesley Gahr, Niels Croese, August 22nd, 2017

Abstract

Today our SfyLabs threat intel team found a suspicious-looking Bankbot APK. After further investigation it turned out to be present in the Google Play Store:

[Screenshots: Bankbot in Google Play]

As it turned out, there was also another APK from this developer. Apparently the guy is also an avid game developer. Initially it looked like a simple (and quite fun, according to Wesley) game, but after some deeper investigation we became suspicious...