Malware descriptions

Fake WeChat – New Trojan-Banker

Nowadays, Internet financial services are growing rapidly. More and more online financial services are accessible from mobile devices. This helps customers and boosts economic development. Mobile apps are exploring this new frontier, including password-protected payment services among other popular features such as messaging. For criminals, this offers a new opportunity to steal sensitive information and get hold of other people’s cash.

WeChat is a famous mobile instant messenger in China. It’s most often used by people chatting with their friends and colleagues, and it also allows users to make payments. It’s very easy to use, but it means you have to tie your bank details to your messenger account. WeChat’s huge market share also makes it a tempting target for criminals, who are developing Trojan-bankers to mimic it.

Recently Kaspersky Lab intercepted a new Trojan-Banker like this. It was detected as Trojan-Banker.AndroidOS.Basti.a. This android app is disguised as a normal WeChat app on the phone.


It requests some sensitive privileges, such as android.permission.RECEIVE_SMS.


The author of the Trojan wanted to prevent analysts from reverse engineering the code, so it is encrypted with ‘bangcle secapk’. We couldn’t get any useful information out of this encrypted sample.


After decoding the sample, we saw its true colors. It is capable of many types of malicious behavior. There are also some packages to make its GUI look more professional, which in turn makes it a more potent phishing tool.


When executed it opens a special GUI to let users input their bank related information, including bank card number, PIN code and mobile phone number.



After gathering all this information, it sends them to the Trojan author’s email.


This Trojan-Banker also registered a BootReceiver. It will monitor newly received text messages and uninstall broadcasts from the infected mobile. These are also sent to the Trojan author’s email.



The author’s email address is plaintext in the code. So we can go further.


When we saw the mailbox, we found lots of victims.


Although it is blocked by 126 email servers, information belonging to many victims has already been stolen and stored in the archive.


As online financial services get more and more popular we need to take even more care of our privacy. Mobile users are already under threat, and we have to take steps to protect ourselves. We advise you to:

  • Install mobile security software.
  • Be sure to update the software’s databases to the latest version.
  • DO NOT visit any suspicious websites or download unfamiliar apps.
  • Before you enter any sensitive information, make sure you know who is asking for it, and why.


Fake WeChat – New Trojan-Banker

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox