New Android Malware “TsarBot” Targets 750+ Financial and Crypto Apps

By Sophia Taylor

TsarBot, a newly documented Android banking trojan, targets more than 750 apps worldwide.

Its target list covers mobile banking apps, cryptocurrency wallets, e-commerce platforms, social media, and payment services. Cyble, the research team that documented the malware, describes it as a significant step up in mobile banking threats.

How TsarBot Infects Devices

TsarBot is distributed through phishing websites that imitate real financial and crypto platforms. In one example, attackers cloned the Photon Sol trading site and added an app download button; the real site offers no app.

The downloaded APK is a dropper posing as a Google Play Services update. Once run, it installs the actual TsarBot payload. A genuine Google Play Services update is never delivered as an APK from a website, so that disguise alone is a warning sign.

Fig 1. An example of a phishing site that downloads TsarBot. Source: Cyble

After installation, the app asks the user to enable an Android Accessibility service for it. This is the critical step: an accessibility service can read what is on screen, see which app is in the foreground, and perform taps and text input on the user's behalf, which is what gives the malware the ability to monitor and control the device.

TsarBot then opens a persistent connection to the attackers' command-and-control (C&C) server, over which it receives commands and sends back stolen data in real time while showing nothing to the user.

What TsarBot Can Do

Once installed, TsarBot carries out a wide range of malicious activities. Its primary technique is the overlay attack. When a targeted app, such as a banking or crypto app, is opened, TsarBot draws a lookalike login screen on top of it.

Unsuspecting users type their credentials into the overlay rather than the real app, and the malware forwards them to the C&C server.

Fig 2. One of the fake bank login pages. Source: Cyble

The malware can also record the screen, intercept SMS messages (including one-time passcodes), log keystrokes, and enumerate the apps installed on the device. For each installed app that matches its target list, it fetches the corresponding fake login page from the C&C server and displays it the next time that app is opened.

After successfully stealing credentials for an app, it removes that app from its active list so the overlay is not shown again, which would risk raising the victim's suspicion.

TsarBot can also determine which type of screen lock is in use (PIN, password, or pattern) and present a fake lock screen to capture that credential too. With the unlock secret in hand, the operators can unlock the device remotely and drive it through the accessibility service, for example to submit fraudulent transactions, while a black overlay covers the screen so the victim does not see what is happening.
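The capabilities described above (an accessibility service the user was talked into enabling, overlay and SMS permissions, and a dropper posing as Google Play Services) are exactly what an incident responder looks for when triaging a suspect Android device. The following Python script is an added example, not code from the article or from Cyble's report. It parses the text output of three standard adb commands (`adb shell pm list packages -3 -i`, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`) and scores third-party packages on those traits. The adb output embedded in it is constructed, the package name `com.google.android.gms.update` is an invented lookalike and not TsarBot's real package name, and the scoring weights and threshold are the example's own assumptions.

```python
"""Triage sideloaded Android apps for banking-trojan traits.

Added example. Consumes the text output of three adb commands:
  adb shell pm list packages -3 -i
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys package <pkg>
The sample output at the bottom is constructed, not captured from a real infection.
"""
import re
from dataclasses import dataclass

PLAY_STORE = "com.android.vending"

# Permissions that, on a sideloaded app with an accessibility service enabled,
# match the overlay / SMS-theft / dropper behaviour described in the article.
RISKY_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake login screens)",
    "android.permission.RECEIVE_SMS": "SMS interception (OTP theft)",
    "android.permission.READ_SMS": "SMS interception (OTP theft)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper)",
}
REPORT_THRESHOLD = 3  # assumed cut-off; tune for your own fleet


def parse_package_list(text: str) -> dict[str, str]:
    """`pm list packages -3 -i` -> {package: installer}; 'null' means unknown/sideloaded."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def parse_accessibility_services(text: str) -> set[str]:
    """`settings get secure enabled_accessibility_services` -> packages with an enabled service.

    The setting is a colon-separated list of <package>/<service class>, or 'null' when empty.
    """
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def parse_granted_permissions(dumpsys_text: str) -> set[str]:
    """`dumpsys package <pkg>` -> permissions listed with granted=true."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_text))


@dataclass
class Finding:
    package: str
    score: int
    reasons: list[str]


def triage(packages: dict[str, str], accessibility_pkgs: set[str],
           dumpsys_by_pkg: dict[str, str]) -> list[Finding]:
    findings = []
    for pkg, installer in packages.items():
        score, reasons = 0, []
        if installer != PLAY_STORE:
            score += 1
            reasons.append(f"sideloaded (installer={installer})")
        if pkg in accessibility_pkgs:
            score += 2
            reasons.append("accessibility service enabled")
        granted = parse_granted_permissions(dumpsys_by_pkg.get(pkg, ""))
        for perm in sorted(granted & set(RISKY_PERMS)):
            score += 1
            reasons.append(f"{perm.rsplit('.', 1)[1]}: {RISKY_PERMS[perm]}")
        # A third-party app using a Google package prefix that Play did not install
        # is the "Google Play Services update" disguise pattern (heuristic, assumed).
        if pkg.startswith("com.google.") and installer != PLAY_STORE:
            score += 2
            reasons.append("Google-style package name not installed by Play")
        if score >= REPORT_THRESHOLD:
            findings.append(Finding(pkg, score, reasons))
    return sorted(findings, key=lambda f: -f.score)


# ---- constructed sample adb output (NOT from a real device or from TsarBot) ----
SAMPLE_PACKAGE_LIST = """\
package:com.google.android.gms.update  installer=null
package:com.example.bank  installer=com.android.vending
package:org.mozilla.firefox  installer=com.android.vending
"""
SAMPLE_ACCESSIBILITY = "com.google.android.gms.update/com.google.android.gms.update.AccService"
SAMPLE_DUMPSYS = {
    "com.google.android.gms.update": """\
    install permissions:
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.INTERNET: granted=true
""",
    "com.example.bank": """\
    install permissions:
      android.permission.INTERNET: granted=true
""",
}


def run_triage() -> list[Finding]:
    """Run the triage over the constructed sample; on a live device, feed it real adb output."""
    return triage(parse_package_list(SAMPLE_PACKAGE_LIST),
                  parse_accessibility_services(SAMPLE_ACCESSIBILITY),
                  SAMPLE_DUMPSYS)


if __name__ == "__main__":
    for f in run_triage():
        print(f"{f.package} score={f.score}")
        for r in f.reasons:
            print(f"  - {r}")
```

On the constructed sample only the lookalike package is reported: it is sideloaded, has an accessibility service enabled, holds overlay and SMS permissions, and carries a Google-style name that Play never installed. The legitimate banking app, installed from Play with no accessibility service, scores zero. On a real device, pipe the three adb commands into the parsers instead of the sample strings; the parsers only rely on the line formats those commands emit.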

How to Stay Protected

To protect against threats like TsarBot, users should not install apps from links on websites or in messages, and should install only from trusted sources such as the Google Play Store. No legitimate trading or banking site delivers its app as a direct APK download.

It is also important to keep Google Play Protect enabled, to treat any request from an unfamiliar app to enable an Accessibility service as a red flag, and to periodically review which apps have accessibility access and revoke any that are not recognised. Strong, unique passwords, two-factor authentication, and caution with links in emails and SMS messages reduce the damage if credentials are captured, and regular updates to the operating system and apps close known vulnerabilities.

TsarBot's combination of overlay attacks, lock-screen credential theft, and remote screen control makes it a particularly dangerous threat, and underscores the need for constant vigilance against mobile phishing and malware campaigns.