Threat actors are exploiting the current situation to distribute malicious coronavirus-related apps, such as coronavirus trackers, symptom identification apps, maps, etc. In the current situation, people tend to be more susceptible to installing such apps. Because of that, I decided to gather the Android COVID-19-related malicious apps found by the infosec community.

If you find such an app or website, post a comment here or send me a message on Twitter. I will verify it and update the blog with your finding.

[updated 17.09.2020]

Cerberus banking Trojan

Added: 17.09.2020

Info: State Support for each family who download the application from the Ministry of Health and apply! 2000₺ State Support APPLICATION TO EVERY FAMILY

Distributed: https://basvuru.peandemikomerkez[.]site/Pandemi_destek.apk

Sample: https://www.virustotal.com/gui/file/c7072376aff17973b6cca7e2ea9b3c4421968818a364b2c320596c0a99cdcde8/detection

C&C: http://apcuratte[.]xyz

Source: https://twitter.com/malwrhunterteam/status/1306548439237488640





AhMyth Android Rat

Added: 16.09.2020

Info: Do you think you have been exposed to the Coronavirus COVID-19 and have symptoms? If so, start with the test from our app. The distribution website impersonates the legitimate website https://maladiecoronavirus.fr.

Distributed: http://www.maladiescoronavirus[.]com/covidtest.apk

Sample: https://www.virustotal.com/gui/file/dbefa8319629ff65662c5599033756dba3a1403176c2c1f27d806f03a0682055/detection

C&C: http://tweensangoma.servebbs[.]com:22222

Source: https://twitter.com/malwrhunterteam/status/1305940469927550977





Anubis banking Trojan

Added: 12.09.2020

Info: SUPPORT COVID19 PANDEM up to 3000 TL for each family!

Distributed: https://basvuru-yap-3000tl[.]com/pandemiDestek.apk

Sample: https://www.virustotal.com/gui/file/199e214d9400ab55d9219a56cfda2b9b7ade3ae19627267cfa55c2771a99fed5/detection

C&C: http://katemik[.]com

Source: https://twitter.com/malwrhunterteam/status/1304751989058830337

Anubis banking Trojan

Added: 09.09.2020

Info: Pandemic support for families 1,000TL spread via SMS

Distributed: https://anapage-yenigiriswebtr[.]com/pandemi_basvurusu.apk

Sample: https://www.virustotal.com/gui/file/82ca8c7aedb3552e5ce7448b8e39cc5f371518ed4befe11ef732d8cecd034921/detection

C&C: http://akerede[.]com

Source: https://twitter.com/mertcangokgoz/status/1303673163742670848





Anubis banking Trojan

Added: 07.09.2020

Info: Pandemic support for families 1,000TL

Distributed: https://on-linegirisplatformirtibattrweb[.]com/pandemi_basvuru.apk

Sample: https://www.virustotal.com/gui/file/d03460838fcdd37e285a8351406a82c8712438664dd3b53d89651736f2bdb42f/detection

C&C: http://akrde[.]com/

Source: https://twitter.com/malwrhunterteam/status/1302972454244102145





Cerberus banking Trojan

Added: 24.08.2020

Distributed: https://web-onlinetr-covid19tr[.]com

Sample: https://www.virustotal.com/gui/file/a64b618440cd86ed94ed3da8f70fc022643db8f49852738a08d2438a39b2a8fb/detection

C&C: http://asmiller2[.]com

Source: https://twitter.com/ReBensk/status/1297865674983968768

Cerberus banking Trojan

Added: 23.07.2020

Distributed: http://technohayats[.]xyz/files/CovidTracker.apk

Sample: https://www.virustotal.com/gui/file/a6897d486e13b353f3543eb665a09fd562ceb2ecf574e28bb5a0527d42d1b39c/detection

C&C: http://baykuratti[.]site

Source: https://twitter.com/malwrhunterteam/status/1286233574023335938

Anubis banking Trojan

Added: 29.06.2020

Info: Travel permit document that allows citizens to travel. Targets Turkey.

Distributed: https://hesislemleri[.]com/HES.apk

Sample: https://www.virustotal.com/gui/file/6c3db02a803784285fab9183347666c310fc3df2ceacbbdc627412886f0356e0/detection

C&C: http://51.116.191.213

Source: https://twitter.com/malwrhunterteam/status/1276189703591604225

Ransomware CryCryptor

Added: 24.06.2020

Info: Ransomware app distributed via fake website impersonating Canada Covid19 tracing app

Distributed: https://covid19tracer.ca; https://tracershield.ca

Sample: https://www.virustotal.com/gui/file/faa0efaad40e78bf27ca529171aaf0551db998a276d4ff501209d1f5ef830dfb/detection

Source: https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/

Cerberus banking Trojan

Added: 22.06.2020

Info: Pandemia support for families because of Covid-19. 1000TL (~130e) AID support.

Distributed: http://vatandasdestek-tr-giris[.]com

Sample: https://www.virustotal.com/gui/file/5f8806f11d9280e76761a5a7aa142cb6c591a7e66a18a47887fc0cad022948f1/detection

C&C: http://akyuziletisim[.]me

Source: https://twitter.com/yusaerguven/status/1274963697329491969





Fake COVID-19 Contact Tracing Apps

Added: 11.06.2020

Source: https://www.anomali.com/blog/anomali-threat-research-identifies-fake-covid-19-contact-tracing-apps-used-to-monitor-devices-steal-personal-data

Cerberus banking Trojan

Added: 09.06.2020

Distributed: http://pandemidestek-sosyalser[.]com/pandemi.apk

Sample: https://www.virustotal.com/gui/file/125fbe5a90be33d39a2221bc67a30a162d05c25bd8cec4c6d14ec71e87ece225/details

C&C: http://olaskas[.]com

Source: https://twitter.com/ReBensk/status/1270237582857773061

Cerberus banking Trojan

Added: 08.06.2020

Info: Fake website impersonates the Italian INPS, offering to compensate citizens' financial loss (€600), but first, users have to install the app

Distributed: http://comunicazioneinps[.]top/acrobatreader.apk

Sample: https://www.virustotal.com/gui/file/e3d5668f7c804a42fd9797467c8867ad207c7589f4bb29e8ab735ffc11f89b80/detection

Source: https://twitter.com/malwrhunterteam/status/1269926011933798401

Ginp banking Trojan

Added: 08.06.2020

Info: Fake website impersonates Government of Spain, Ministry of Health to distribute Android banking Trojan

Distributed: http://kunnaporatta[.]xyz, http://guterrokilatto[.]xyz/

Sample: A350EF2889A8A243106388802EBAA1653DFE4685

C&C: http://cerealawfulstreetwidth[.]top; http://declinebeauty[.]top; http://elitesurroundfish[.]top

Source: https://twitter.com/ESETresearch/status/1269945115738542080

Anubis banking Trojan

Added: 02.06.2020

Info: Fake website mimics Google Play’s legitimate COVID19 tracking app

Distributed: https://covid19-googleplaystore[.]com/hayat_eve_sigar.apk

Sample: https://www.virustotal.com/gui/file/2b58774a2727842498fd2e67b1738621b820e54b31c55c0408d29be790c05d9f/detection

Source: https://twitter.com/malwrhunterteam/status/1267772385941491712

Cerberus banking Trojan

Added: 01.06.2020

Distributed: http://inps-it[.]top/acrobatreader.apk

Sample: https://www.virustotal.com/gui/file/477dc4c9885122b781d068195b110f4b88c5727bf5f569c27a42dc8fc4dd4559/detection

C&C: http://greedyduck[.]top

Source: https://twitter.com/malwrhunterteam/status/1266433507955539968

Cerberus banking Trojan

Added: 01.06.2020

Distributed: https://vatandas-sosyaldestek-onlinebasvuru[.]com/pandemi.apk

Sample: https://www.virustotal.com/gui/file/d0dd6abef529601c6fbe04d7ed0de7c16d94e1ae8bd70e20ed88bdf16638751e/detection

C&C: http://stambuland2[.]site

Source: https://twitter.com/malwrhunterteam/status/1267381756640067585

Cerberus banking Trojan

Added: 27.05.2020

Distributed: https://cleanerforyou[.]pw/COVID19.apk

Sample: https://www.virustotal.com/gui/file/b8309cbbd739f0ae73ca7b1b6bd6e606e5799fa7f7cd16b70cc1aeb302b63dd2/detection

C&C: http://bestwine[.]xyz; http://elcamino[.]top

Source: https://twitter.com/ReBensk/status/1265496327078764550

Cerberus banking Trojan

Added: 24.05.2020

Distributed: http://covld19study[.]pw/covid19.apk

Sample: https://www.virustotal.com/gui/file/9fbb8057a5802aea4a09747b62f16a38527f1d937e1a69f1273c63847e8feb9b/detection

C&C: http://coolname[.]xyz/

Source: https://twitter.com/benkow_/status/1264309789590462467

Cerberus banking Trojan

Added: 23.05.2020

Info: แอปพลิเคชั่นใหม่ที่ช่วยให้คุณเข้าไปในร้านค้าได้อย่างปลอดภัยและอัพเดทคุณเกี่ยวกับสถานการณ์ covid-19. การแจ้งเตือนแบบเรียลไทม์เกี่ยวกับสถานการณ์ covid-19. (A new application that allows you to safely enter the store and update you about the covid-19 situation. Real-time notification about covid-19 situation)

Distributed: https://thai-chana[.]asia/Thaichana.apk

Sample: https://www.virustotal.com/gui/file/3e56fd55cef6b86c14b7d1a6aa316464f1e48dedf76913ad048061041b026f11/detection

C&C: http://alskdalksdlaksdjlaigpopoinojasg[.]info

Source: https://twitter.com/malwrhunterteam/status/1264219761505980417

https://twitter.com/ReBensk/status/1264218162289139715

Cerberus banking Trojan

Added: 22.05.2020

Info: “BDDK, tüm vatanşlara Kredi Kartı ve Hesab İşletim Ücretlerini İade Kararı Aldı.” (BDDK has decided to refund the Credit Card and Account Operating Fees to all citizens.)

Distributed: https://akbenimle[.]com/BDDK.apk

Sample: https://www.virustotal.com/gui/file/3e56fd55cef6b86c14b7d1a6aa316464f1e48dedf76913ad048061041b026f11/detection

C&C: http://papition[.]xyz

Source: https://twitter.com/malwrhunterteam/status/1263723942298046466

Anubis banking Trojan

Added: 19.05.2020

Info: 1498₺ (~200EUR) State Support for every family who download and apply in the application!

Distributed: https://1498tlsosyalyardimkampanyasi[.]com/PANDOMIDESTEK.apk

Sample: https://www.virustotal.com/gui/file/00d7ee8f902595f1e7174d257b57598c4e4cde57024c98089a0e3480e40161e7/detection

Source: https://twitter.com/yusaerguven/status/1262744738660102149

Cerberus banking Trojan

Added: 19.05.2020

Info: Pandemic Social Support Program. Please Install Our Application to Apply

Distributed: https://pandemisosyaldestek-onlinegov[.]com/pandemi.apk

Sample: https://www.virustotal.com/gui/file/5e756bdc988c41f19b77c2601bdd3b7fc6d8dd92975f92d4953ebea077075d77/detection

Source: https://twitter.com/ReBensk/status/1262715917630242816

Anubis banking Trojan

Added: 19.05.2020

Info: 1498₺ (~200EUR) State Support for every family who download and apply in the application!

Distributed: https://saglikgovtr-destek1498tl[.]com/devlet_destegi_basvuru.apk

Sample: https://www.virustotal.com/gui/file/a3bd3698dfbfa9877cce33ebb5230e5212e8da104d524c04e6d910027564cafe/detection

C&C: http://dedelik[.]com

Source: https://twitter.com/ESETresearch/status/1262710932217769984

Trojan Spy

Added: 18.05.2020

Info: The goal is to steal personal data, including SMS messages, call logs, contacts, and more

Sample: https://www.virustotal.com/gui/file/bb1b70b7f6d8fc18e5a5fd743242836475bc6ad978780adec18a8f92c7e9cf89/detection

https://www.virustotal.com/gui/file/14609dc616d6889dd02a29051261bc36cb97f6608e51564fdcef5075cf6750d5/detection

https://www.virustotal.com/gui/file/adf46dc686d35a659a3cff76648c9c036dfc95167b9f4dcb7409dc79d92eb510/detection

https://www.virustotal.com/gui/file/9fdc84a3a0d3bc8545a9dec8e8fd5e762cb7cb763af9661aa77f94a459da6396/detection

Source: https://labs.bitdefender.com/2020/05/android-malware-in-covid-19-clothes-steals-sms-and-contacts/

Cerberus banking Trojan

Added: 18.05.2020

Info: Pandemic Social Support Program. Please Install Our Application to Apply

Distributed: https://e-devlet-sosyaldestek-gov[.]com/pandemi.apk

Sample: https://www.virustotal.com/gui/file/bef4363e7caf7f4ef53230cdff89f2cef2220923eeffb665afd6273e2fe358ff/detection

C&C: http://odricatt[.]live

Source: https://twitter.com/malwrhunterteam/status/1262428000240402432

Cerberus banking Trojan

Added: 17.05.2020

Info: Pandemic Social Support Program. Please Install Our Application to Apply

Distributed: http://1000tlsosyaldestekodemesi[.]com/pandemi.apk

Sample: https://www.virustotal.com/gui/file/a503407261c3add1e8edd5d878cdc9d0fadc3e9ccbb3f98c944a7f7109850799/details

C&C: http://odricatt[.]live

Source: https://twitter.com/ReBensk/status/1261955366616588288

Cerberus banking Trojan

Added: 15.05.2020

Info: Pandemic Social Support Program. Please Install Our Application to Apply

Distributed: http://sosyaldestek-basvrurukanali-gov[.]com/pandemi.apk

Sample: https://www.virustotal.com/gui/file/0cf9aa1c20a073b79c867046748c77f08211bca86e9db523b6655e5e3b9a5acd/detection

C&C: http://odricatt[.]live

Source: https://twitter.com/ReBensk/status/1261150403879632896

Cerberus banking Trojan

Added: 14.05.2020

Info: Perform this self-assessment only if you think you have symptoms. Ministry of Health in Spain

Distributed: http://autoevaluacion[.]net/config.php

Sample: https://www.virustotal.com/gui/file/2fba972dc6737cc78e654ad87886108b466433b6955d05f6cd9514ec5e962afa/detection

Source: https://twitter.com/phishunt_io/status/1260908469881798657

Cerberus banking Trojan

Added: 14.05.2020

Info: Pandemic Social Support Program. Please Install Our Application to Apply

Distribution: https://basvurumerkezim[.]com/pandemi.apk

Sample: https://www.virustotal.com/gui/file/e8ddbb8bbdd835dad4387f105a20ce44eeb8a2af7533e6e95c685ff391d014b9/detection

C&C: http://odricatt[.]live

Source: https://twitter.com/ESETresearch/status/1260875210707947521

Cerberus banking Trojan

Added: 14.05.2020

Info: Pandemi Sosyal Destek Programı

Başvurmak İçin Lütfen Uygulamamızı Yükleyin (Pandemic Social Support Program. Please Install Our Application to Apply)

Distribution: https://basvurumerkezim[.]com/pandemi.apk

Sample: https://www.virustotal.com/gui/file/57056673df9342421000e5813e5294212a940dffb899e2ddadef518807ae9a7e/detection

C&C: http://lalese[.]tech

Anubis banking Trojan

Added: 14.05.2020

Sample: https://www.virustotal.com/gui/file/b8d245b62fdb7370aaef0133b62c25c3eb60d2d0f15d8170b2255c26d489a589/detection

C&C: http://yewax[.]net

Source: https://twitter.com/malwrhunterteam/status/1260817120687984640

Trojan Spy

Added: 13.05.2020

Info: Uzbekistan Trojan Spy

Sample: https://www.virustotal.com/gui/file/36b9037d612607be61c9b2fcea38c08b4da4ec505ebbcb21f005859ef5cba83d/detection

C&C: https://black-hole[.]xyz

Victims: ~92 devices

Source: https://twitter.com/ESETresearch/status/1260529906515161088

Cerberus banking Trojan

Added: 12.05.2020

Info: For each download of the app we donate €500.00 to the most needy.

Distribution: http://ministerodellavaro[.]net/pandemi.apk

Sample: https://www.virustotal.com/gui/file/9e3593ff09f5242e47b9bb5b78beedc9c5942d56e5a1c22ead5eaea149809af3/details

C&C: http://odricatt[.]live

Source: https://twitter.com/ReBensk/status/1260085218364452864

Cerberus banking Trojan

Added: 12.05.2020

Info: Pandemic Social Support Program. Please Install Our Application to Apply

Distribution: https://pandemibasvurumerkezi.com/pandemi.apk

Sample: https://www.virustotal.com/gui/file/b433cbc87d2203f691ad2476af641e0a46cfccf6e811faed3c29498223331dab/detection

C&C: http://odricatt[.]live

Source: https://twitter.com/malwrhunterteam/status/1260088792431591425

Cerberus banking Trojan

Added: 11.05.2020

Info: Pandemic Social Support Program. Please Install Our Application to Apply

Distribution: http://pandemidestek-gov[.]com

Sample: https://www.virustotal.com/gui/file/5efc3beb95aa24b575b8f57e1f09e47057b67e0635431785b6a7318fd2131433/detection

C&C: http://odricatt[.]live

Source: https://twitter.com/malwrhunterteam/status/1259772269850693632; https://twitter.com/ReBensk/status/1259771887598612487

Ginp banking Trojan

Added: 05.05.2020

Info: Watch video how to wear a mask but first download media player app.

Distribution: http://gigabetter[.]xyz/lander/land1/MediaPlayer.apk

Sample: https://www.virustotal.com/gui/file/26f6d6eecd66c45d4a0bce705d79dbd0e9edd87161b60422862e17254c12726f/detection

C&C: http://illegalvaguecomic[.]top

http://diarysuitepause[.]com

http://canvasfuture[.]top

Source: https://twitter.com/ReBensk/status/1257682578372300801

Nautilus-BOT v1.0 (Anubis banking Trojan)

Added: 05.05.2020

Info: Android bot – Nautilus-BOT v1.0 – based on Anubis 2.1 source code

Distribution: https://v-lert[.]com/apk/valert.apk (updated on May 01, 2020)

Sample: https://www.virustotal.com/gui/file/9c7b234d0d46169dcefb9f5b22c5df134b1a120b67666c071feaf97a6078d1a1/detection

C&C: http://old.mandamientos[.]ga

Source: https://twitter.com/LukasStefanko/status/1257693195556831232

Analysis: https://medium.com/@cryptax/reversing-v-alert-covid-19-android-bankbot-8809c7389f13

SLocker Trojan

Added: 05.05.2020

Info: “About Koronavirus” Android device locker

Sample: https://www.virustotal.com/gui/file/aaea4d646d4ee28ced9ca87e642b5e318597be7c8756ce9c14efdb9bcf1910a2/detection

Source: https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/

Cerberus banking Trojan

Added: 30.04.2020

Distribution: https://saglikgoalapp[.]site/files/covvidapp.apk

Sample: https://www.virustotal.com/gui/file/9ffda0c1e8e9e9c63c5219941f3f72f04ef8027b2ed8443498100df27e00b8b0/detection

C&C: http://teknoasaglik[.]online

Source: https://twitter.com/malwrhunterteam/status/1255561063464083466

Cerberus banking Trojan

Added: 23.04.2020

Distributed: http://saludetechno[.]de/files/Covid_Track.apk

Sample: https://www.virustotal.com/gui/file/bb1146c08e39e704dc50c81ba12169d0eede42c38fe9ea5eedae74952c75433a/detection

Source: https://twitter.com/ReBensk/status/1253277184325795840

XploitSPY spyware

Added: 21.04.2020

Info: Open-source spyware

Sample: https://www.virustotal.com/gui/file/2724049ed7dcd52722889d068898c8c6c2d7918f6073dd3b496483f7f2cf5c27/detection

C&C: http://covid-19zambia.herokuapp[.]com

Source: https://twitter.com/malwrhunterteam/status/1252515421972041728

Cerberus banking Trojan

Added: 21.04.2020

Info: Covin-19 != Covid-19 🙂

Distribution: https://technohealthco[.]com/Covin-19%20build_obf.apk

Sample: https://www.virustotal.com/gui/file/f7f4b6cef3bd087133cc5fe252708c308c3f0c45f6678902bf11239d291227a6/detection

C&C: http://indigojeans[.]top

Source: https://twitter.com/malwrhunterteam/status/1252502298091233280





Anubis banking Trojan

Added: 19.04.2020

Info: Active since 21.03.2020

Distribution: http://virus-covid[.]online/files/covidMappia_v1.0.3.apk

Sample: https://www.virustotal.com/gui/file/70439d393cca65ede64971d923ed61c0dd332dad5e2c31fdf8d225db1cf933e8/detection

C&C: https://files[.]ug

Victims: installed on 177 devices

Source: https://twitter.com/SmashTheKernel/status/1251893523902857216

Anubis banking Trojan

Added: 16.04.2020

Distributed: http://covid-saglikbakanligi[.]com/covid.apk

Sample: https://www.virustotal.com/gui/file/a10c79447dbd91c916528066c537c9f7a27ce0a0c663c2e67b44bd78083a961d/detection

C&C: http://192.243.102[.]56

Source: https://twitter.com/SmashTheKernel/status/1250777815416475653

AndoServer spyware

Added: 16.04.2020

Sample: https://www.virustotal.com/gui/file/c19cf001efb893cfb4f3aedb1c4c3771ce8419d3838e1bc399e88a12b583b28c/detection

Source: https://twitter.com/malwrhunterteam/status/1246413160086675456

Source: https://blog.lookout.com/nation-state-mobile-malware-targets-syrians-with-covid-19-lures

SpyMax spyware

Added: 15.04.2020

Info: Hosted on fake pharmacy web site

Distributed: https://pataraha[.]com/apps/downloads/covid_tz.apk

Sample: https://www.virustotal.com/gui/file/5f8ccc6d09ec22ea9430722d13dfcd4101a7e156b27fe0d517d30fd92b049032/detection

C&C: 40.114.11.110

Source: https://twitter.com/malwrhunterteam/status/1250412485808717826





Cerberus banking Trojan

Added: 15.04.2020

Info: Fake California Department of Public Health

Distributed: https://cdph-ca[.]us/download/COVID-19.apk

Sample: https://www.virustotal.com/gui/file/fccde7156aa9b25a14ed86985761f7015b813e5021e399750ac14bfcada83808/detection

C&C: http://horelkohiryfo[.]xyz

Source: https://twitter.com/ReBensk/status/1250369485468340225

Cerberus banking Trojan

Added: 15.04.2020

Distributed: http://coronaamap[.]com/EvdeKal.apk

Sample: https://www.virustotal.com/gui/file/2e2d6714cf98134ba3d0e983aa403b136c72e2b275ad9cbfb11de75cd2407542/detection

C&C: http://prospektus[.]best

Source: https://twitter.com/ReBensk/status/1248966957526851584

Project Spy Spyware

Added: 15.04.2020

Sample: https://www.virustotal.com/gui/file/29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d/detection

Source: https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/

Cerberus banking Trojan

Added: 14.04.2020

Distributed: https://evdekaltuekiyesaglik[.]com/benim_obf.apk

Info: #StayHome

Sample: https://www.virustotal.com/gui/file/48fc451066dfe21abe3d7a587c8bf04d5339ecf816323dbbc5df4e1430785a09/detection

C&C: http://subesizislemlercom[.]cf

Source: https://twitter.com/SmashTheKernel/status/1250095689545252866

Cerberus banking Trojan

Added: 14.04.2020

Distributed: https://coronaharitasicanli[.]com/files/covidMapv8.1.7.apk

Package name: com.ytnfrar.rtom

Sample: https://www.virustotal.com/gui/file/2b43af46398ece7b9e1e41bb7c2e2ff3ec227edb38283bea7622115bb76a7823/detection

C&C: http://lanadelrey[.]top

Source: https://twitter.com/malwrhunterteam/status/1249963221383098374

Cerberus banking Trojan

Added: 14.04.2020

Info: Fake website impersonates the Italian INPS, offering to compensate citizens' financial loss (€600), but first, users have to install the app

Distributed: https://inps-informa[.]website/download/INSPCovid.apk

Sample: https://www.virustotal.com/gui/file/a9eaea748420a5f832a208b35be7107b5fef389a844c0659688466d3a8fd3eb6/detection

Source: https://twitter.com/ReBensk/status/1249326283470909440

Anubis banking Trojan

Added: 13.04.2020

Distribution: https://bitbucket[.]org/covidsoft/download/downloads/Covid_19.apk

C&C: https://www.rapmusicstyle[.]xyz

Source: https://twitter.com/ReBensk/status/1249645490192281601

Cerberus banking Trojan

Added: 11.04.2020

Sample: https://www.virustotal.com/gui/file/c6fe75dc589e33c8a110d3c53ce40ba597ef5d611d3cd040cc0c52dde5afb5f2/detection

Package: wxoxsdskdtbypbsuosalbycawl.xeoljzmrwlgdcrgltaghwsoiqfc.rhrunsudjuaipzjkhcnxuap

C&C: hxxp://goelerunote[.]pw

Source: https://twitter.com/malwrhunterteam/status/1248917821771350018

SpyNote Spyware

Added: 10.04.2020

Info: Fake WHO. تطبيق الفحص الذاتي لفيروس كورونا المستجد (Corona virus self-examination application)

Distributed: https://www.anti-corona[.]app/COVID-19.apk

Sample: https://www.virustotal.com/gui/file/66b2afa384d97aee8256d1aee9f3c46bd6894d0f435aefb0755c82a67386f237/detection

Source: https://twitter.com/malwrhunterteam/status/1248661416791465984

Anubis banking Trojan

Added: 10.04.2020

Sample: https://www.virustotal.com/gui/file/7711f2515fa68fcb75459a90b9d0102569435cdfbaacb35b23828ab17d6a0987/detection

C&C: https://vor.ug/fullprivateanubis/login[.]php

Payload: E23D9F47130BE7C913EEC65DFFE494451A8435BE

Source: https://twitter.com/malwrhunterteam/status/1248521562191540225

Cerberus banking Trojan

Added: 09.04.2020

Info: #StayHome

Distributed: covid-19-saglikbakanligi.com; evdekalsagliktakal[.]com/Evdekal_obf.apk

Sample: https://www.virustotal.com/gui/file/068559092e689ea0d6000a76cb76d455f5405858517e55af9750ebbd7017ca4b/detection

Source: https://twitter.com/SmashTheKernel/status/1248230410015866881

Metasploit

Added: 09.04.2020

Info: Maliciously patched “CoronaVirus Map” app

Sample: https://www.virustotal.com/gui/file/bcbc7348f8750ec5628c22eb6bf3e003a1a0b5dda54488a87cfc71345d1be887/detection

Source: https://twitter.com/malwrhunterteam/status/1248159155875176448

Anubis banking Trojan

Added: 08.04.2020

Info: 20GB data free if you #StayHome

Distributed: http://evdekalhayatkurtar-tr[.]com/evdekal_20gb.apk

Sample: 36AAAE53E4252FCFAACB317F736C0D91668DF4C35F3887126067E8AC24F6BE2F

C&C: http://yildizmt2[.]com

Anubis and Cerberus banking Trojans

Added: 08.04.2020

Distributed: https://bitbucket[.]org/hazeljohnston58/new/downloads/Covid19MobileInstall_obf.apk

Sample: https://www.virustotal.com/gui/file/328a93f72ec14aa2a5852a862ea7cb2fb79c383ec2b08f328a8d864a687e11bc/detection

Sample: https://www.virustotal.com/gui/file/42c0c9207cdad76614cb795f22f20a80536c5c0f0bab5a3bcd8759db4609e179/detection

Sample: D1E8BC711CBF687C2F112FF54CFD1955FE805E44

C&C: http://194.58.92[.]30

Source: https://twitter.com/malwrhunterteam/status/1247827896808456193

Cerberus banking Trojan

Added: 06.04.2020

Info: Fake website impersonates the Italian INPS, offering to compensate citizens' financial loss (€600), but first, users have to install the app

Distributed: https://inps-informa.online/download/COVID-19.apk

Package name: fzrz.jinnbu.nufpnllenanqtcusfqathiujdj

Sample: https://www.virustotal.com/gui/file/59cb2987a1c909e5c57a02e3a271324a9ca972d4d1a6632060eb5b908e41f9e7/detection

C&C: http://connectadsense[.]monster

Source: https://twitter.com/malwrhunterteam/status/1247190817577619463

Anubis banking Trojan

Added: 04.04.2020

Sample: https://www.virustotal.com/gui/file/a3cb5561e999bb1e02e1d4c707d8866f256dbb6b071bdc01e2397d3dda821960/detection

Package: mnbeinmjosknzhpwwqob.qadohwfjfrqxdwpzlz.bbd

C&C: https://www.vestna1975[.]xyz

Source: https://twitter.com/malwrhunterteam/status/1246425217234350082

Cerberus banking Trojan

Added: 04.04.2020

Distribution: http://covid19-apps[.]com/instalarapp/V-Alert_obf.apk

Sample: https://www.virustotal.com/gui/file/fe2fe4d6b6a26e33859caf3ea8bd606677df8322c07f375c2b1d442946d5c4bf/detection

Payload: D5931D09803E56EBCACD20036CFE2E5C038C3E4E

C&C: http://priscilliahelper[.]site

Source: https://twitter.com/ReBensk/status/1246374379639803905

Ginp banking Trojan

Added: 03.04.2020

Info: Simple interface shows the number of people infected with the coronavirus near you and urges you to pay a small sum to see the location of those people.

Sample: https://www.virustotal.com/gui/file/cdae640237fa190c62f0b1d89e504dc0d728e771026b241b1a549f9c8b6d57c0/detection

C&C: http://www.jumpbasicgatebread[.]top

Source: https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/





Patched and malicious Zoom Android apps

Added: 01.04.2020

Info: The current situation is linked not only to COVID-19 threats in particular, but also to apps related to the changed situation of targeted employees working from home

Metasploit (patched Zoom Android app)

Package name: us.zoom.videomeetings

Sample: https://www.virustotal.com/gui/file/232ec4629458b1df0e3ef934365cd0cede498205409db31b4701223fa80c31bb/detection

Adware (patched Zoom Android app)

Package name: us.zoom.videomeetings

Sample: https://www.virustotal.com/gui/file/c0da7bc86f6b1be901ac0ebe893c13a31dc3fa7c3125b904e502ce2e48767d37/detection

HiddenAd

Package name: app.z1_android_421120320_app_original_file

Sample: https://www.virustotal.com/gui/file/ff8c2b4f6ced17cc21f9b9c2a2d3addd307fd0d46f67a3737be010e7712ce7ed/detection

Source: https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users/

Covid19 Tracker Apps

Added: 31.03.2020

Info: List of mobile apps created by government or police to track citizens.

Source: https://fs0c131y.com/covid19-tracker-apps/

Xerxes Bot

Added: 30.03.2020

Info: Remotely controlled banking Trojan with ransomware functionality

Sample: https://www.virustotal.com/gui/file/ad07d44d348185db08710d8cdef6b4cff3f52e5c8ce0646654cef441dea1e869/detection

Package name: cptbedyfutyryth.ggkimkmqmcoaaryu.qsygluabcdoutpomxgdfhtqamgf

C&C: http://newbot[.]ug

Payload: BBDD27E2EC52728930A920D8E926A8666DDC9F0D

Source: https://twitter.com/malwrhunterteam/status/1244549001879465985

AhMyth Spyware

Added: 30.03.2020

Info: Clean app that was available on Google Play has been patched with AhMyth spyware

Sample: https://www.virustotal.com/gui/file/cbbbd1a3eae287286ca6d28628d98c78c971964aa4a725c094a2f6ebf1061edc/detection

C&C: http://193.161.193[.]99:27229

Source: https://twitter.com/malwrhunterteam/status/1244575055595651073

Metasploit

Added: 30.03.2020

Info: Clean app that was available on Google Play has been patched with Metasploit downloader code

Sample: https://www.virustotal.com/gui/file/5fc70afc5eda6c0cbd33026c3b29a521708e18639fdb1ec4c1beec690f258210/detection

Package name: com.coronavirus.info

Source: https://twitter.com/malwrhunterteam/status/1244557909712928770

Joker

Added: 30.03.2020

Distribution (payload): http://coronavirus.oss-accelerate.aliyuncs[.]com/iFunGame

Distribution (payload): http://coronavirus.oss-accelerate.aliyuncs[.]com/YaraPhotoEditor

Sample: https://www.virustotal.com/gui/file/cd2c4489c03c303a14a448c3bedade4f188b754ef87baa22f25035e0a981b557/detection

Sample(dex): https://www.virustotal.com/gui/file/58b8c2256197c9786b0234a1e4f1e519beb319fb848769406112f2174194eb1e/detection

Package name: com.toolsforest.sdk_x4

C&C: http://3.123.204[.]12

Source: https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus/

HiddenAd

Added: 30.03.2020

Sample: https://www.virustotal.com/gui/file/449a67e03e05e2035b33fd253bee3f8bcf9c54c85e2bfde571e7e5d44ae485bb/detection

Package name: ir.corona.viruss

Source: https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus/

Adware

Added: 30.03.2020

Sample: https://www.virustotal.com/gui/file/379f7959d9edd1b04ad3e19dbc00e84fe7a4e8b7cfaf1558d421dce208f867ee/detection

Package name: com.rafaelastudio.diycutefiberglasssculpture

C&C: http://api.jetrohe[.]pw

Source: https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus/

Anubis banking Trojan

Added: 30.03.2020

Sample: https://www.virustotal.com/gui/file/dfb54d6c468271c73865d45e54b9dd942a18e716d608cf9233f1122cf79bab8c/details

Package name: com.turenak.ch

C&C: http://aymyapi[.]com

Source: https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus/

Anubis banking Trojan

Added: 29.03.2020

Distributed: https://v-lert[.]comgfhgf

Spread: twitter

Sample: https://www.virustotal.com/gui/file/6c90d561b580d6f1ae29998d4617567e7b45b91409322b687a65c98df6efacc2/detection

Source: https://twitter.com/m0br3v/status/1243822579196088320

C&C: http://aloproton[.]top

Payload: 6F426CE08FC8720A95F2A92B4C391A5E8A46D1A4

Cerberus banking Trojan

Added: 29.03.2020

Distributed: https://espana-mapa-virus[.]online/covid19_mapa_v1.0.3.apk

Sample: https://www.virustotal.com/gui/file/98338c83e7e89c0f913de151ffa6219504116561328a1bbede46f78d910137b4/detection

Source: https://twitter.com/malwrhunterteam/status/1243994899856470016

C&C: http://zeusland[.]uno

Payload: 118A9DF8B29452B2855EF7DED3E7814454E6C4AC

ProjectSpy Spyware

Added: 29.03.2020

Sample: https://www.virustotal.com/gui/file/29b0d86ae68d83f9578c3f36041df943195bc55a7f3f1d45a9c23f145d75af9d/detection

Source: https://twitter.com/malwrhunterteam/status/1243845995710099456

Analysis: https://twitter.com/virqdroid/status/1243858525744517120

Cerberus banking Trojan

Added: 27.03.2020

Distribution: https://halykhome[.]com/re/files/covidMappia_v1.0.3.apk

Sample: https://www.virustotal.com/gui/file/462e131e3b1b3e72f475374496bd6d0067fb271b78d25302f4798764e961e529/detection

C&C: http://mazar[.]tech/in

Source: https://twitter.com/c0d3inj3cT/status/1243264253265575936

Trojan downloader – Metasploit

Added: 27.03.2020

Sample: https://www.virustotal.com/gui/file/231ebeb3e4db4c98ae09c78676865df8e313214857d9019980c0fdacef5dbf4c/detection

Source: https://twitter.com/malwrhunterteam/status/1243277524345458699

AdoBot Spyware

Added: 26.03.2020

Distribution: https://morerishitravel.com/etc/Saudi-Health-Council/Coronavirus/saoudyhealth[.]apk; https://bit[.]ly/2H2WAsp; https://bit[.]ly/2tFiVcr

Sample: https://www.virustotal.com/gui/file/e2794482a495d01c1c9c244dc059f123d6d8cb3d024dfbb9864d7c80ab917da6/detection

C&C: https://appmessages.herokuapp[.]com

Source: https://twitter.com/malwrhunterteam/status/1243183224391708673

Analysis: https://twitter.com/LukasStefanko/status/1243198756981559296





Cerberus banking Trojan

Added: 26.03.2020

Distribution: http://c-ovid19[.]space/CovidTracker.apk

Sample: https://www.virustotal.com/gui/file/8e28ae16f571101f4029a04e3d10b759e32023dc8cee2076836051538dfef6a5/detection

C&C: http://situge[.]top

Source: https://twitter.com/ThreatFabric/status/1242815151532838912

Cerberus banking Trojan

Added: 26.03.2020

Distribution: https://covid19-güncelsalgınvakalar[.]com/files/covidMappia_v1.0.3.apk

Sample: https://www.virustotal.com/gui/file/1d3837e60b60bb3beca63ad04bd79d2fd91cc08d64b70f3063e6bd61873cde47/detection

C&C: http://ahf4ycvea439tt9rq[.]site

Source: https://twitter.com/malwrhunterteam/status/1243131750978592770

Anubis banking Trojan

Added: 25.03.2020

Info: 8GB gift to all who fights against COVID 19!

Distribution: https://www.betadanavantajlar[.]com/internet/

Sample: https://www.virustotal.com/gui/file/15b21f82ad091a4e6f8daff4a00851fdfb85c97457a2cb047beb466032f1f962/detection

C&C: http://kelimearaci[.]com

Trojan Downloader (Metasploit)

Added: 25.03.2020

Info: Coronavirus tracker app patched with malicious code

Sample: https://www.virustotal.com/gui/file/8da5aacc3ad93c1fc461acc3fc4d22f02596bdb7e3e6fbff8a6b8a447e3b6620/detection

Sample: https://www.virustotal.com/gui/file/75207868eeede268b57472560c75fcf5b249c17eae90587a3b730b148e1931e1/detection

Source: https://twitter.com/malwrhunterteam/status/1242436859973828608

Analysis: https://twitter.com/ESETresearch/status/1242834099267649536

Cerberus banking Trojan

Added: 25.03.2020

Distribution: https://covidapp-19[.]site/Covid-19tracker.apk

Sample: https://www.virustotal.com/gui/file/fe5c9cab4f91b621eac9cc9b95984bfc8263d4d8bf68120814777fd92b85188d/detection

C&C: http://bocend[.]top

Source: https://twitter.com/malwrhunterteam/status/1242768746734915584

Analysis: https://app.apkdetect.com/analyses/5e7b4441c7ef6b4c4f61beb0

Cerberus banking Trojan

Added: 25.03.2020

Distribution: https://canada-alert-covid19[.]com

Sample: https://www.virustotal.com/gui/file/604b3cd50ef3b0df46bcb07a1d2d0fad31f517f4ef541036d9f0161d3c69499b/detection

Payload: 5C4C7828EF69E217BFF85E1FD01DBD137FDDDD2F

C&C: http://ahf4ycvea439tt9rq[.]site

Source: https://twitter.com/1ZRR4H/status/1242593208879788033

HiddenAd

Distribution: www.shikapps[.]com/apps/corona.apk

Sample: https://www.virustotal.com/gui/file/7b2345371c31f0cc64c2d5373947c80cff4970144709e347ef5f367225df442e/detection

Anubis banking Trojan

Distribution: faceboook.beget[.]tech/data/CoronaTakip.apk

Sample: 20DCA983D70EAD10B8827649BF08F98899F470A4

C&C: http://185.180.198[.]209

Cerberus banking Trojan

Distribution: corona-apps[.]com/Corona-Apps.apk

Sample: https://www.virustotal.com/gui/file/93288d18a7b43661a17f96955abb281e61df450ba2e4c7840ce9fd0e17ab8f77/detection

Payload: 6A22EEA26C63F98763AA965D1E4C55A70D5ADF0E29678511CF303CB612395DF0

C&C: botduke1[.]ug

TG: t[.]me/botduke1

Source: https://blog.avira.com/cerberus-flies-under-covid-19-flag/

Anubis banking Trojan

Sample: https://www.virustotal.com/gui/file/4122370cfa03b49526f1b16950d62b2169fb9a211c87613953f5cbfd158f860f/detection

C&C: https://www.vor[.]ug

Analysis: https://app.apkdetect.com/analyses/5e791e94c7ef6b4c4f61be56

Cerberus banking Trojan

Distribution: http://bankia-sourced[.]com/corona/CORONA/

Sample: https://www.virustotal.com/gui/file/a2ed577839a8d5f6e5bf23b6e90d19af87a779cb4231a4a3afa84bb1481ba496/detection

C&C: http://marktwo[.]top

Analysis: https://app.apkdetect.com/analyses/5e791da2c7ef6b4c4f61be52

Source: https://twitter.com/malwrhunterteam/status/1242162180428095488

Cerberus banking Trojan

Distribution: https://covidapp-19[.]space/covid-19-tracker.apk

Sample: https://www.virustotal.com/gui/file/19b331b79cdd95a13b68ab5e8b4eb69102878fce1c81071cb7c17cbc24900c15/detection

Payload: 4E2DA0B5FC0DCB766BCC4D7031CE228F1828241E

C&C: http://bocend[.]top

Source: https://twitter.com/malwrhunterteam/status/1242108320179159042

SMS Worm

Distributed: http://codebeta[.]in

Sample: https://www.virustotal.com/gui/file/8a87cfe676d177061c0b3cbb9bdde4cabee0f1af369bbf8e2d9088294ba9d3b1/detection

Source: https://twitter.com/LukasStefanko/status/1241652041027588097

HiddenAd

Sample: https://www.virustotal.com/gui/file/4aa5ed58b4d7c5f6732a2edc97bff762c290ed7ccfc05f1f519e00e5922366fe/detection

Source: https://twitter.com/virqdroid/status/1241359337198583809

Analysis: https://www.apklab.io/apk.html?hash=4aa5ed58b4d7c5f6732a2edc97bff762c290ed7ccfc05f1f519e00e5922366fe

Cerberus banking Trojan

Distribution: https://corona-virusapps[.]com/

Sample1: https://www.virustotal.com/gui/file/a754c35dd09677b0b96d8a0dad5c9c5fdd28abd8cf2d8d38a9bd945ca8362e02/detection

Sample2: https://www.virustotal.com/gui/file/c3096b341d6807a5a7d353f97554017a6242349b081837de60908081bcada1d0/detection

Sample3: https://www.virustotal.com/gui/file/bca52647ce9f4900b754fcc0d8ef6329fb0229401e833534905969d10a82d839/detection

Payload: E83AF4BB3994DB7F07B04F3425CFC65EBB39883A

Payload2: B48D93A8FC0D4A1F92384183E98918FD0A80B271

Payload3: 7734A62EA735956ADEBDABEE98B63BE521CAB655

C&C: http://botduke1. ug

TG: https://t. me/botduke1

Source1: https://twitter.com/ReBensk/status/1241261949452615681

Source2: https://twitter.com/malwrhunterteam/status/1241301771600965632

Domain hosts three Cerberus variants

Cerberus banking Trojan

Distributed: https://coronavirus-informations .online

Sample: https://www.virustotal.com/gui/file/6bf7618c4dde7ed89245d1b352bf0301ed897612252038c44b9d03e8b49cbe61/detection

Payload: 47A3556B13587D8A0EE4A640EE9C1C6C

C&C: http://skakkiopiskattkio .info

TG: https://t. me/Kfoaksaof10293sbba

Source: https://twitter.com/malwrhunterteam/status/1240897160234831873

SMS Worm

Distributed: http://coronasafetymask. tk

Functionality: Spreads itself via SMS to all your contacts with a link to download this same app

SMS: “Get safety from corona virus by using Face mask, click on this link download the app and order your own face mask – hxxp://coronasafetymask.tk”

Sample: https://www.virustotal.com/gui/file/8a87cfe676d177061c0b3cbb9bdde4cabee0f1af369bbf8e2d9088294ba9d3b1/detection

Source: https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan

Metasploit

Sample: https://www.virustotal.com/gui/file/fec01862f14eaf236e9b685e4b79881c1f526808f5359124ef0459d55f15dbf8/detection

Source: https://twitter.com/malwrhunterteam/status/1240539304864231427

Commercial surveillance tools (MobiHok, SpyNote, SpyMax)

Source: https://blog.lookout.com/commercial-surveillanceware-operators-latest-to-take-advantage-of-covid-19

Samples: 30 hashes listed in source research

Cerberus banking Trojan

Distributed: http://covid19-guidelines .online

Sample: https://www.virustotal.com/gui/file/2a469268fb18f0b009dc5b2bdd47f9ed61f0a3a2de04ba39daccd08a13fb19b2/detection

Payload: FDB2F4EFA95DD8B5EAD7527C92F24542

C&C: http://skakkiopiskattkio .info

TG: https://t. me/Kfoaksaof10293sbba

Source: https://twitter.com/malwrhunterteam/status/1240233889832017921

APKLab.io filters COVID-19 malware (samples, hostnames)

Search COVID-19 apps: https://www.apklab.io/covid19

Source: https://twitter.com/apklabio/status/1239922724031680513

CovidLock Ransomware

Distribution: coronavirusapp. site; bitly. com/3aGBBbx

Sample: https://www.virustotal.com/gui/file/6b74febe8a8cc8f4189eccc891bdfccebbc57580675af67b1b6f268f52adad9f/detection

Decryption key: 4865083501

Ransom note: https://pastebin.com/GK8qrfaC

Source: https://www.domaintools.com/resources/blog/covidlock-mobile-coronavirus-tracking-app-coughs-up-ransomware

Figure 1. CovidLocker

Cerberus banking Trojan

Distribution: coronaviruscovid19-information .com

Sample: https://www.virustotal.com/gui/file/1de6e6c140ff1b301b7df12d4b6388a21a6fbf0f141347dd2f9289740438a6d8/detection

C&C: botprivate .ug

TG channel: t .me/JmdG5Mjagtpw587dJpT6tDbieSinwcno

Payload: 136A6A2CEA75FA627D14C93353613769B2EEEEEA

Source: https://twitter.com/skeptre_void/status/1239543414581936130

Figure 2. Cerberus Banking Trojan

Android RAT (Remote Administration Tool)

Sample: https://www.virustotal.com/gui/file/107169ae6951a5cba57d2a0cd274e28fadf5c73d73e91a386f15cf4dc35edd38/detection

C&C: assdsiwi.ddns .net

Payload: https://www.virustotal.com/gui/file/bcab89c43b0252d44a028c4fa46702c401663d70cf445d0b46c5e68ae3980b27/detection

Source: https://twitter.com/LukasStefanko/status/1239494265618694147

Figure 3. Android RAT

Metasploit

Samples: https://www.virustotal.com/gui/file/da8a58070bcad4977bddde113394d67c12fe551ec1395e040b0a8220265b036c/detection

https://www.virustotal.com/gui/file/c4500fd797bb6c5131bc89bb5bf24d06333df79581f2b8358103cad4c08e89d5/detection

Source: https://twitter.com/virqdroid/status/1238974151492349955

HiddenAd

Sample: https://www.virustotal.com/gui/file/fda00f16443a931f476c724d8b2cfb7311833bf5380038f221c5cf875dd20c4f/detection

Source: https://twitter.com/malwrhunterteam/status/1238733785744773121

Cerberus banking Trojan

Distribution: coronavirus-apps[.]com

Sample: https://www.virustotal.com/gui/file/9832b1ade1907849fd7091e85f2c24bd8a4488ecd96f0638fc979d8858b25196/detection

C&C: http://botduke1 .ug

TG: https://t .me/botduke1

Payload: 25B3D36D28C2F4FEF6C77DB8BDFE8E9B1B970657

Source: https://twitter.com/1ZRR4H/status/1239751485312970753

Figure 4. Cerberus Banking Trojan (source: Germán Fernández)

Cerberus banking Trojan

Distribution: https://covid19-info[.]online

Sample: https://www.virustotal.com/gui/file/f57a44bec2f7af2da443f068edb0a743f9625ac3a9d686393bacb8e72274b5de/detection

C&C: scargkanesiki. info

TG: https://t. me/agkakkkksdkaksd

Payload: https://www.virustotal.com/gui/file/ebcdce55f409e5c4ed10144749f5b82bf0d94e4ee715595aa4a267f05b05c301/detection

Source: https://twitter.com/malwrhunterteam/status/1239484525199179777

Anubis

Sample: https://www.virustotal.com/gui/file/889392ed44a613bb3618f6b9a05a663f801c9cd7086ff8d3d7531c3bc57d97be/details

C&C: http://update-apk .net

Targets around 210 banking apps

Source: https://twitter.com/malwrhunterteam/status/1239887832073875456

RAT (SpyNote)

Sample: https://www.virustotal.com/gui/file/ff08495132d83216fc29a4712d4757a17cd4416a6b7e85520cfb1e9ac11b374c/detection

Source: https://twitter.com/malwrhunterteam/status/1230091623901650945