The BankBot Android banking trojan is giving Google engineers headaches, as this particular piece of malware has a knack for avoiding Google's security scans and reaching the official Play Store on a regular basis.

The story of this banking trojan goes back to January 2017, when the source code of an unnamed Android banking trojan was leaked online on an underground hacking forum.

Shortly after, someone took this source code and created a new banking trojan known as BankBot, which by the end of the month, had already been used to target users of Russian banks.

By next month, February, BankBot's authors improved the malware's support with the ability to target the customers of banks in other countries, such as the UK, Austria, Germany, and Turkey.

BankBot has the ability to avoid Google's security scans

Despite basing BankBot on leaked source code, the malware's creators improved the codebase and added the ability to disguise the malware enough to trick the Google Bouncer security scanner.

In total, researchers initially detected three different BankBot campaigns that managed to upload Android apps on the official Google Play Store.

Google intervened in each and took down the apps, but it quickly became apparent to researchers that BankBot had Bouncer's number.

Two more campaigns detected last week

Come April, and these campaigns are still active. While BankBot was first discovered by Russian cyber-security firm Dr.Web, and subsequent campaigns were detected by ESET, Dutch firm Securify has also identified two new BankBot campaigns that have also managed to pass two apps by Bouncer and onto the Play Store.

The first of those apps was one named Funny Videos 2017, and was taken down last week, but not before reaching between 1,000 and 5,000 downloads.

The second app, HappyTimes Videos, was found over the Easter holiday and was just taken down before this article's publication.

BankBot has grown into a sophisticated threat

According to security experts, both apps were infected with a recent version of the BankBot trojan. As the name hints, BankBot is an Android banking trojan. Just like most Android banking trojans, BankBot works by showing a fake login window on top of the user's legitimate banking application.

Some of BankBot overlays [Source: Securify]

In reality, BankBot can steal login credentials for more than banking applications. Past versions were also able to steal login details for apps such as Facebook, Viber, Youtube, WhatsApp, Uber, Snapchat, WeChat, IMO, Instagram, Twitter, and the Google Play Store.

Further, BankBot could also lock the user's device in a ransomware-like behavior, and intercept SMS messages for the ability to bypass two-step verification operations.

Below is a list of 424 legitimate banking apps for which the BankBot versions spotted last week were configured to target.

The codes in this list are usually the codes at the end of the Google Play Store app page. You can access the Google Play Store page for your own mobile banking app, and check to see if that code appears in the list below.