Unmasking Tsarbot: A New Android Trojan Targeting Banking & Financial Apps Worldwide


TsarBot is an Android banking trojan discovered by Cyble in March 2025. It targets over 750 apps across the banking, finance, crypto, e-commerce, and social media sectors. The malware combines overlay attacks, remote screen control, and lock-grabbing to steal credentials and execute fraudulent actions on infected devices.

Severity Level: High

THREAT DETAILS

  1. TsarBot spreads via phishing sites disguised as legitimate platforms offering financial services. These sites prompt victims to download a dropper that installs the malware.
  2. Overlay Attacks: TsarBot injects fake login pages over legitimate banking and financial apps. It prompts users to enter their credentials, which are then stolen by the malware.
  3. Remote Control: The malware can take control of the victim’s device remotely, simulating actions like tapping, swiping, and typing while hiding the fraudulent activities behind a black overlay screen.
  4. Keylogging: TsarBot records the victim’s keystrokes, capturing sensitive data such as usernames, passwords, and credit card details.
  5. Lock-Grabbing: The malware displays a fake lock screen to capture the PIN, password, or pattern the victim enters, giving the operator the credential needed to unlock the device.
  6. SMS Interception: TsarBot intercepts SMS messages to potentially capture two-factor authentication (2FA) codes and other sensitive information.
  7. Command and Control (C2): TsarBot establishes a WebSocket connection to its C2 server at IP 95.181[.]173.76. It uses separate ports (9001, 9002, 9004, and 9030) for different tasks: receiving commands, sending captured data, and controlling the device remotely.
  8. Exfiltration: Stolen data (e.g., credentials, credit card details) is sent to the C2 server over port 9030.
  9. Persistence and Evasion: TsarBot hides its launcher icon and masquerades as Google Play Services so that the victim is unlikely to notice or uninstall it.
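Threat details 2 through 5 above (overlays, remote control, keylogging, lock-grabbing) are all driven by the Accessibility service permission that TsarBot requests (see recommendation 4 below). The following script is an added example for this advisory, not Cyble's code or the malware's: it reads the Android setting that lists enabled accessibility services (the output of `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/class` component names) and reports every service that is not on an allowlist. The allowlist and the sample output are hypothetical, constructed for the example; the sample package name is not a TsarBot indicator.

```python
"""Review enabled Android accessibility services against an allowlist.

Added example for the TsarBot advisory (not Cyble's or the malware's code).
Input is the value of the secure setting `enabled_accessibility_services`:
a colon-separated list of ComponentName strings "package/class", where the
class may be abbreviated as ".Class" relative to the package. "null" means
no service is enabled.
"""
import subprocess

# Hypothetical allowlist: replace with the accessibility apps vetted for your fleet.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}

# TsarBot masquerades as Google Play Services (advisory item 9). Play Services itself
# registers no accessibility service, so an unlisted service with a Google/Play-style
# name deserves a harder look. This is a naming heuristic, not a signature.
LOOKALIKE_TOKENS = ("gms", "google", "play", "services")


def parse_components(raw):
    """'pkg/cls:pkg2/.Cls' -> [('pkg', 'cls'), ('pkg2', 'pkg2.Cls')]."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    components = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue  # malformed entry; skip rather than crash
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand abbreviated class name, as ComponentName does
        components.append((pkg, cls))
    return components


def review(raw, allowed=ALLOWED_PACKAGES):
    """Return (package, class, reason) for every enabled service not on the allowlist."""
    findings = []
    for pkg, cls in parse_components(raw):
        if pkg in allowed:
            continue
        if any(token in pkg.lower() for token in LOOKALIKE_TOKENS):
            findings.append((pkg, cls, "unlisted service with Google/Play-style name"))
        else:
            findings.append((pkg, cls, "unlisted accessibility service"))
    return findings


def review_device(serial=None):
    """Pull the setting from a connected device over adb and review it."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services",
    ]
    raw = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return review(raw)


# Constructed sample output: TalkBack (allowed) plus a fake "gms" service. Not a TsarBot IoC.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.gms.play.update/.AccService"
)

if __name__ == "__main__":
    for pkg, cls, reason in review(SAMPLE_OUTPUT):
        print(f"{pkg} ({cls}): {reason}")
```

On a managed fleet the same check runs through the MDM's device inventory instead of adb; the point is that any accessibility service outside the vetted set is a finding, and one that borrows Google's naming is a priority one.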

Recommendations:

  1. Ensure that Google Play Protect is enabled on Android devices.
  2. Install apps only from the official app store (Google Play on Android).
  3. Avoid downloading apps from third-party or untrusted sources; TsarBot is distributed through phishing websites masquerading as legitimate financial platforms.
  4. Carefully review app permissions, especially requests for Accessibility services. TsarBot abuses this permission to read the screen, overlay fake login pages, and control the device, so grant it only to trusted apps (e.g., screen readers) and audit which services are enabled.
  5. Use secure lock screen methods such as PINs, passwords, or biometric authentication to prevent unauthorized access to devices.
  6. TsarBot uses WebSocket connections to communicate with its C2 server. Monitor network traffic for unusual WebSocket activity, especially on ports 9001, 9002, 9004, and 9030. A port match alone is a weak signal; treat a connection to the C2 IP above on any port as a confirmed indicator and a port-only match as a triage lead.
  7. Deploy a reputable mobile antivirus or endpoint security solution that can detect and block known banking trojans, including TsarBot, and provide real-time protection against phishing attempts.
  8. Conduct regular scans on mobile devices for malicious apps or unusual behavior, such as unexpected background activities or network connections.
  9. Conduct training to raise awareness about phishing sites and social engineering tactics used to distribute TsarBot. Ensure users understand how to identify suspicious links, especially in unsolicited emails or SMS messages.
  10. Promote the use of multi-factor authentication (MFA) for all financial applications and sensitive accounts to mitigate credential theft.
  11. For enterprise environments, deploy an MDM solution to control and manage app installations, app permissions, and access to corporate resources.
  12. Ensure that all devices, applications, and operating systems are up to date. Apply security patches promptly to reduce the risk of exploitation.
  13. Block the IOCs (the C2 IP above and the indicators in the VirusTotal collection linked below) at the relevant controls: firewall, web proxy, DNS, EDR, and MDM.
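Threat details 7 and 8 and recommendation 6 above give the network indicators: the C2 IP 95.181[.]173.76 and the task ports 9001, 9002, 9004, and 9030. The script below is an added example for this advisory, not Cyble's code, showing how to sweep connection logs for those indicators with the severity split the recommendation calls for: any connection to the C2 IP is a hit (critical on a listed port, high otherwise), while a listed port to some other host is only a low-confidence lead. The log format is a constructed, simplified Zeek conn.log-style TSV (ts, orig_h, orig_p, resp_h, resp_p, proto); adapt `parse_line()` to your own schema. The sample log lines are constructed for the example.

```python
"""Sweep connection logs for the TsarBot C2 indicators from the advisory.

Added example (not Cyble's code). Input: constructed TSV records of the form
ts<TAB>orig_h<TAB>orig_p<TAB>resp_h<TAB>resp_p<TAB>proto, comments start with '#'.
"""
import ipaddress
from dataclasses import dataclass

C2_IP = ipaddress.ip_address("95.181.173.76")   # advisory C2 (defanged there as 95.181[.]173.76)
C2_PORTS = {9001, 9002, 9004, 9030}             # task ports listed in the advisory
EXFIL_PORT = 9030                               # exfiltration port (threat detail 8)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    dport: int
    reason: str
    severity: str


def parse_line(line):
    """Parse one TSV record; return None for comment, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split("\t")
    if len(parts) < 6:
        return None
    ts, src, sport, dst, dport, proto = parts[:6]
    try:
        return (ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto.lower())
    except ValueError:
        return None


def classify(rec):
    """Map one parsed record to a Hit (or None), with the IP match outranking the port match."""
    ts, src, _sport, dst, dport, proto = rec
    if dst == C2_IP:
        if dport == EXFIL_PORT:
            return Hit(ts, str(src), str(dst), dport, "known C2 IP, exfiltration port", "critical")
        if dport in C2_PORTS:
            return Hit(ts, str(src), str(dst), dport, "known C2 IP, command/control port", "critical")
        return Hit(ts, str(src), str(dst), dport, "known C2 IP, other port", "high")
    if proto == "tcp" and dport in C2_PORTS:
        # Port-only match: common ports on the wider internet, so triage rather than alert.
        return Hit(ts, str(src), str(dst), dport, "TsarBot task port to unlisted host", "low")
    return None


def sweep(lines):
    """Run classify() over an iterable of log lines and return the hits in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit is not None:
            hits.append(hit)
    return hits


def hosts_to_isolate(hits):
    """Internal hosts that talked to the C2 IP at all (critical or high), for containment."""
    return {h.src for h in hits if h.severity in ("critical", "high")}


# Constructed sample log: one benign HTTPS flow, two C2 flows, one port-only match,
# one C2 flow on an unlisted port. Documentation-range IPs except the advisory's C2.
SAMPLE_LOG = """\
#fields ts orig_h orig_p resp_h resp_p proto
1711100001.1\t10.20.0.15\t51234\t198.51.100.7\t443\ttcp
1711100002.2\t10.20.0.15\t51240\t95.181.173.76\t9001\ttcp
1711100003.3\t10.20.0.15\t51241\t95.181.173.76\t9030\ttcp
1711100004.4\t10.20.0.22\t43000\t203.0.113.9\t9002\ttcp
1711100005.5\t10.20.0.22\t43001\t95.181.173.76\t8080\ttcp
"""

if __name__ == "__main__":
    found = sweep(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"[{h.severity}] {h.ts} {h.src} -> {h.dst}:{h.dport} {h.reason}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The WebSocket itself is an ordinary HTTP `Upgrade: websocket` handshake, so a proxy or IDS that logs HTTP can add a second check on that header to the listed ports; the IP match stays the deciding signal.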

SOURCES:

  • https://www.virustotal.com/gui/collection/b71a152f76524f375b5ea0f06dd399846f1d55c5be98abc7d1a101c67388a58d/iocs
  • https://cyble.com/blog/tsarbot-using-overlay-attacks-targeting-bfsi-sector/

Ampcus Cyber