In July 2023 [1] [2] [3] [4], a campaign targeting major Iranian banks was discovered by security researchers. This campaign involved an Android mobile banking Trojan that has evolved with enhanced features and capabilities.
The Trojan is capable of stealing banking login credentials and credit card information [1] [2] [3], and of intercepting SMS messages to capture one-time password (OTP) codes [1] [2] [3]. It can also hide its app icon. Researchers have identified 245 new app variants attributed to the same threat actors [1] [2] [3], 28 of which remain undetected by industry-standard scanning tools [1] [2] [3]. Additionally, the malware has shown an interest in collecting information about cryptocurrency wallet applications [1] [2] [3]. The second iteration of the malware introduced new capabilities [1] [2] [3], including overlay attacks and auto-granting of SMS permissions [1] [2] [3]. It is crucial to prioritize runtime visibility and protection for mobile applications. Evidence has also been found linking the threat actor to phishing attacks targeting the same banks [4].
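The capability set described above (SMS interception for OTP theft, overlays, and auto-granting of permissions) leaves traces in an app's manifest that an analyst can triage before deeper analysis. The following is an added example, not code from the cited reports; the manifest it parses is constructed, and the mapping of "auto-granting permissions" to an accessibility service declaration is a defender's assumption, not something the reporting states.

```python
# Added example: manifest-level triage for the capability combination attributed
# to the Trojan above. Flags only; a hit means "review", not "malicious".
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> uses-permission markers (assumed mapping, see lead-in).
MARKERS = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
# Accessibility services are declared on <service>, not as uses-permission;
# they are the usual route for an app to click through permission prompts.
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifest (package name is a placeholder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability flags found in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    flags = {cap: sorted(perms & names)
             for cap, names in MARKERS.items() if perms & names}
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY:
            flags.setdefault("accessibility_service", []).append(
                svc.get(ANDROID_NS + "name"))
    # Two or more of these capabilities in one package merits analyst review;
    # the threshold is a starting point, not a verdict.
    return {"flags": flags, "suspicious": len(flags) >= 2}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```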
The discovery of this Trojan campaign highlights the need for stronger security measures in the banking sector. It is essential to implement robust protections to prevent the theft of sensitive information, and to detect and mitigate threats as they emerge. The evolving capabilities of this malware are a reminder that vigilance and adaptation must be constant in the face of cyber threats.