
Added to the Dr.Web virus database: 2015-06-11

Virus description added:

A Trojan targeting Android mobile devices. It is distributed under the guise of the official Sberbank Online mobile application. Although cybercriminals have modified the program, it still works like the original version. The malicious copy can be downloaded from various software catalogues and file-sharing resources. The main purpose of this program is to steal money from users' bank accounts.

The AndroidManifest.xml file of the modified version has been changed as follows:

<service android:name="ru.sberbankmobile.crb17s" />
<receiver android:name="ru.sberbankmobile.crb17r">
   <intent-filter android:priority="1000">
      <action android:name="android.intent.action.BOOT_COMPLETED" />
      <action android:name="android.provider.Telephony.SMS_RECEIVED" />
   </intent-filter>
</receiver>
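
A triage check built on the manifest fragment above, as an added example that is not part of the original Dr.Web description: it parses a decoded AndroidManifest.xml (for instance, apktool output) and flags the two listed component names and any receiver that takes SMS_RECEIVED at high priority. The function name, the priority threshold and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"
# Component names copied from the manifest fragment in this description.
KNOWN_COMPONENTS = {"ru.sberbankmobile.crb17s", "ru.sberbankmobile.crb17r"}
PRIORITY_THRESHOLD = 999  # assumption for this example; the fragment uses 1000

def audit_manifest(xml_text):
    """Return sorted (component, reason) findings for a decoded AndroidManifest.xml."""
    findings = set()
    for comp in ET.fromstring(xml_text).iterfind("application/*"):
        name = comp.get(NS + "name", "")
        if name in KNOWN_COMPONENTS:
            findings.add((name, "known-component"))
        if comp.tag != "receiver":
            continue
        for flt in comp.findall("intent-filter"):
            actions = {a.get(NS + "name") for a in flt.findall("action")}
            prio = flt.get(NS + "priority", "0")
            prio = int(prio) if prio.isdigit() else 0  # resource refs are not resolved here
            if SMS_RECEIVED in actions and prio >= PRIORITY_THRESHOLD:
                findings.add((name, "high-priority-sms-receiver"))
                if BOOT_COMPLETED in actions:
                    findings.add((name, "sms-receiver-starts-at-boot"))
    return sorted(findings)

# Constructed sample: only the service and receiver entries come from the description.
MODIFIED_SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <service android:name="ru.sberbankmobile.crb17s" />
    <receiver android:name="ru.sberbankmobile.crb17r">
      <intent-filter android:priority="1000">
        <action android:name="android.intent.action.BOOT_COMPLETED" />
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed benign sample: boot receiver, default priority, no SMS action.
BENIGN_SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application><receiver android:name="example.benign.BootReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED" />
  </intent-filter></receiver></application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(MODIFIED_SAMPLE), audit_manifest(BENIGN_SAMPLE))
```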

Once it is launched, Android.BankBot.65.origin generates an encrypted configuration file named crb17.hex that contains the Trojan's settings. The file has the following parameters:

  • interval—time interval between requests sent to the server,
  • time, intervalUpdate, intervalSend—values that define the time when each connection session is established,
  • timeSend, intervalSms, timeSms—values that define the time of sending an SMS message,
  • nomera, texts—values for phone numbers and texts to be sent to several contacts,
  • QIWI—package name of the corresponding application,
  • urls—command and control server's address,
  • indNUMBER, indTEXT—values to be used to send an SMS message to one contact,
  • parser—list to be used to parse incoming messages for some specific text (if an SMS containing this text is found, it is forwarded to the server),
  • putTEXT, putNUMBER—parameter for planting a specified SMS message into the list of incoming texts,
  • delQUERY—parameter to be used to delete a specified SMS from the list.

Next, the Trojan generates a POST request containing the following information:

  • IMEI
  • Mobile network operator
  • MAC address of the Bluetooth adapter
  • Data on availability of QIWI Wallet
  • API version of the device
  • Trojan's version
  • Trojan's package name
  • Currently executed command

If Android.BankBot.65.origin receives the “hokkei” command from the remote host, it sends an encrypted list containing the user's contacts to the server and updates the configuration file upon cybercriminals' command.

Because the Trojan can stealthily send and intercept SMS messages, cybercriminals can steal money from users' bank accounts. Moreover, Android.BankBot.65.origin can be used to implement other fraudulent schemes. For example, the malware can plant an SMS message with a specified text into the list of incoming texts.

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
