Banking malware on Google Play targets Polish banks

Another set of banking Trojans has found its way past Google Play’s security mechanisms, this time targeting a number of Polish banks. The malware managed to sneak into Google Play disguised as seemingly legitimate apps “Crypto Monitor”, a cryptocurrency price tracking app, and “StorySaver”, a third-party tool for downloading stories from Instagram.

Besides delivering the promised functionalities, the malicious apps can display fake notifications and login forms seemingly coming from legitimate banking applications, harvest credentials entered into the fake forms, as well as intercept text messages to bypass SMS-based 2-factor authentication.

The same trojan, only under a different disguise, was recently spotted on Google Play by researchers at RiskIQ, who published their analysis of the threat in a November 9 report.

The malicious apps

The first of the malicious apps we came across, “Crypto Monitor”, was uploaded to the store on November 25, 2017 under the developer name walltestudio. The other app, “StorySaver” with the developer name kirillsamsonov45, appeared on Google Play on November 29.

Together, the apps had reached between 1000 and 5000 downloads at the time we reported them to Google on December 4. Both apps have since been removed from the store.

Polish banks

Figure 1 – The malicious apps discovered on Google Play

After the malicious apps are launched, they compare the apps installed on the compromised device against a list of targeted banking apps – in this case, the official apps of fourteen Polish banks (the list of specific banking apps can be found at the end).

If any of the fourteen apps are found on the device, the malware can display fake login forms imitating those of the targeted legitimate apps. This may happen without any action on the user’s side, or after the user clicks on a fake notification displayed by the malware, seemingly on behalf of the bank.

Polish banks

Figure 2 – Fake notification displayed by the malicious “StorySaver” app


Polish banks

Figure 3 – Left: Fake login form; Right: legitimate login form

ESET’s security systems detect the threat as Android/Spy.Banker.QL and prevent it from getting installed.

ESET telemetry shows that 96% of the detections come from Poland (the remaining 4% from Austria), apparently due to local social engineering campaigns propagating the malicious apps.

How to stay safe

The good news is that this particular banking malware doesn’t use any advanced tricks to ensure its persistence on affected devices. Therefore, if you’ve installed any of the above described malicious apps, you can remove them by going to Settings > (General) > Application manager/Apps, searching for either “StorySaver” or “Crypto Monitor” and uninstalling them.

The bad news, however, is that if you have installed one of the apps on a device on which you use any of the fourteen targeted banking apps listed below, the crooks might already have access to your bank account. We advise you to check your bank account for suspicious transactions and seriously consider changing pin codes.

To avoid falling prey to mobile malware in the future, make sure to always check app ratings and reviews, pay attention to what permissions you grant to apps, and use a reputable mobile security solution to detect and block latest threats.

Targeted banking apps

App name Package name
Alior Mobile
BZWBK24 mobile pl.bzwbk.bzwbk24
Getin Mobile com.getingroup.mobilebanking
IKO pl.pkobp.iko
Moje ING mobile
Bank Millennium
mBank PL pl.mbank
BusinessPro pl.bph
Nest Bank
Bank Pekao eu.eleader.mobilebanking.pekao
PekaoBiznes24 eu.eleader.mobilebanking.pekao.firm
plusbank24 eu.eleader.mobilebanking.invest
Mobile Bank eu.eleader.mobilebanking.raiffeisen
Citi Handlowy com.konylabs.cbplpat


Polish banks

Figure 4 – Icons of the targeted banking apps


Package NameHashPhishing server

Special thanks to Witold Precikowski for bringing one of the malicious apps to our attention.

Author Lukas Stefanko, ESET

Follow us

Copyright © 2018 ESET, All Rights Reserved.