Added to the Dr.Web virus database: 2015-03-18

Virus description added:

This is a Trojan for Android that is attacking South Korean users. It is intended to remove a number of banking applications and replace them with fake versions as well as execute malicious commands issued by cybercriminals. This Trojan is an executable dex file for Android (Dalvik executable). It is launched by Android.MulDrop.46.origin, which can be distributed by attackers in the guise of legitimate software.

Communication with the command and control server and execution of cybercriminals' commands

To determine the IP address of the command and control server, Android.BankBot.35.origin connects to the following remote hosts:


Once connected to the command and control server, Android.BankBot.35.origin sends it the following information in JSON format:

  • the type of the mobile network;
  • the type of active Internet connection (mobile Internet or Wi-Fi);
  • the Wi-Fi signal level;
  • whether a SIM card is present;
  • the user's phone number;
  • the battery charge level;
  • the IMEI;
  • the Trojan version;
  • the Trojan's unique ID;
  • the information requested on the command.

In return, the malware receives a list of control commands (also in JSON format). Once it has received instructions from cybercriminals, Android.BankBot.35.origin is able to perform the following:

  • Send SMS with a specific text to a specified number.
  • Enable or disable Wi-Fi.
  • Upload data from the phone book (including the phone numbers saved in the SIM card) to the server.
  • Download a specified dex file from the remote host and run it.

Replacement of legitimate banking applications

Every 90 seconds, the Trojan checks whether one of the following banking applications is present on the mobile device:

  • com.kbstar.kbbank;
  • com.ibk.neobanking;
  • com.shinhan.sbanking;
  • com.kftc.kjbsmb;
  • com.smg.spbs.

If one of them is found, Android.BankBot.35.origin connects to a command and control server and downloads the appropriate fake version:

http://[xxx].[xxx].245.166:6545/*pk_name*.apk, where *pk_name* is the name of the malicious fake banking program. Thus, the Trojan may download the following applications (detected as Android.MulDrop.46.origin):


Once it has downloaded the necessary software, Android.BankBot.35.origin prompts the user to install a supposedly new version of the banking program:


With the user's consent the Trojan removes the legitimate program and installs the bogus one.
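
The download URL above gives defenders a network pattern to look for in proxy or gateway logs. The following is an added example, not Doctor Web's code: it matches the pattern from this description (IPv4 literal ending in .245.166, port 6545, a .apk path) and, going beyond the page, also flags any APK fetched over plain HTTP from a bare IP address on an unusual port. The function names, the label strings and the sample entries are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit

TROJAN_PORT = 6545         # port in the download URL given in the description
KNOWN_SUFFIX = (245, 166)  # last two octets; the first two are masked on the page
COMMON_PORTS = (80, 8080)  # assumption: ports treated as unremarkable for HTTP

def classify_apk_fetch(url):
    """Return 'bankbot35-pattern', 'suspicious-apk' or None for one URL."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.path.lower().endswith(".apk"):
        return None
    try:
        host = ipaddress.IPv4Address(parts.hostname or "")
        port = parts.port or 80
    except ValueError:     # named host, or a malformed port
        return None
    if port == TROJAN_PORT and tuple(host.packed)[2:] == KNOWN_SUFFIX:
        return "bankbot35-pattern"
    if port not in COMMON_PORTS:
        return "suspicious-apk"   # heuristic added here, not from the page
    return None

def scan(entries):
    """entries: iterable of (client, url). Returns {client: sorted labels}."""
    found = {}
    for client, url in entries:
        label = classify_apk_fetch(url)
        if label:
            found.setdefault(client, set()).add(label)
    return {client: sorted(labels) for client, labels in found.items()}

# Constructed sample entries; none of these addresses come from the page.
SAMPLE = [
    ("10.1.1.20", "http://10.0.245.166:6545/update.apk"),
    ("10.1.1.21", "http://198.51.100.7:8888/app.apk"),
    ("10.1.1.22", "https://play.google.com/store/apps/details?id=com.kbstar.kbbank"),
    ("10.1.1.23", "http://cdn.example.com/app.apk"),
]

if __name__ == "__main__":
    for client, labels in scan(SAMPLE).items():
        print(client, labels)
```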

Publishing additional components

Additional dex files downloaded by the Trojan are run by Android.MulDrop.46.origin. This uses a method similar to the one that launches Android.BankBot.35.origin: the code is loaded with the DexClassLoader class, so the user is not involved in the process.

Blocking of SMS messages

Android.BankBot.35.origin is able to block and intercept SMS messages from certain phone numbers. Information on these numbers is in the Trojan's black list.

Self-Protection Mechanism

Android.BankBot.35.origin includes a self-protection feature. Every 2 seconds (every 0.2 seconds for Android.BankBot.36.origin) the malware checks whether the following applications are active:

  • com.estsoft.alyac.ui (popular South Korean anti-virus);
  • packageinstaller.UninstallerActivity (System applications management tool);
  • *.DeviceAdminAdd (interface for managing the mobile device administrators).

If at least one of them starts, Android.BankBot.35.origin returns the user to the home screen:

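if(v3 != 0 || v4 != 0 || v5 != 0) {
     Intent v2 = new Intent("android.intent.action.MAIN");  // intent used to return the user to the home screen
     // ... the rest of the decompiled fragment is not shown on the page
}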

This self-defense is not active if the user has not granted the Trojan device administrator privileges, or if at least one legitimate banking application that Android.BankBot.35.origin did not manage to replace with a fake is still installed.
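
The self-protection behaviour leaves a recognisable trace in the system log: one of the monitored screens opens, and shortly afterwards an ordinary application (not the system) starts the home screen. The following is an added example, not Doctor Web's code, that looks for that sequence in ActivityManager START lines. The logcat layout, the use of android.intent.category.HOME, the 3-second window and the sample lines are assumptions, and a match is a lead to investigate rather than proof of infection.

```python
import re
from datetime import datetime

# Components the description says the Trojan watches (alyac matched by package prefix).
MONITORED = ("com.estsoft.alyac", "UninstallerActivity", "DeviceAdminAdd")
HOME = ("act=android.intent.action.MAIN", "android.intent.category.HOME")
WINDOW_S = 3.0         # polling interval is 2 s (0.2 s for BankBot.36), plus slack
FIRST_APP_UID = 10000  # Android application UIDs start here; lower UIDs are system

# Assumed logcat "threadtime" layout for ActivityManager START lines.
START_RE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}).*ActivityManager: START u\d+ "
    r"\{(?P<intent>.*?)\} from uid (?P<uid>\d+)")

def parse(line, year=2015):
    """Return (timestamp, intent_text, uid) or None; logcat omits the year."""
    m = START_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}-{m.group(1)}", "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("intent"), int(m.group("uid"))

def find_home_bounces(lines):
    """Return (uid, watched_component, delay_s) for app-issued HOME starts."""
    hits, last_watched = [], None
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, intent, uid = event
        found = re.search(r"cmp=(\S+)", intent)
        comp = found.group(1) if found else ""
        if any(name in comp for name in MONITORED):
            last_watched = (ts, comp)
        elif all(t in intent for t in HOME) and uid >= FIRST_APP_UID and last_watched:
            delay = (ts - last_watched[0]).total_seconds()
            if 0 <= delay <= WINDOW_S:
                hits.append((uid, last_watched[1], round(delay, 3)))
            last_watched = None
    return hits

# Constructed sample lines: the second pair is a normal, system-issued return to home.
SAMPLE_LOG = [
    "03-18 10:15:02.120   586   601 I ActivityManager: START u0 {act=android.intent.action.DELETE dat=package:com.example.app cmp=com.android.packageinstaller/.UninstallerActivity} from uid 10021 on display 0",
    "03-18 10:15:03.480   586   601 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.HOME] flg=0x10000000 cmp=com.android.launcher/.Launcher} from uid 10087 on display 0",
    "03-18 10:20:00.000   586   601 I ActivityManager: START u0 {cmp=com.android.settings/.DeviceAdminAdd} from uid 1000 on display 0",
    "03-18 10:20:00.900   586   601 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.HOME] flg=0x10200000 cmp=com.android.launcher/.Launcher} from uid 1000 on display 0",
]
```

The UID in each hit can be mapped to a package on the device to identify which application issued the home intent.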

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

© Doctor Web
2003 — 2022