IBM X-Force research recently analyzed a new Android banking Trojan that appears to target users in Spanish- and Portuguese-speaking countries, namely Spain, Portugal, Brazil and other parts of Latin America. The Trojan was built on top of an existing, simpler SMS stealer (SMSstealer.BR) and supplemented with more elaborate overlay capabilities; that overlay portion of the malware was dubbed “Banker.BR”.

At this time, the malware is being spread via messages that lead users to a malicious domain controlled by the attackers. Users are told that they need to download the latest version of a supposed security app required for mobile banking. Those who click to download the “update” unwittingly fetch the malicious APK from a legitimate file-sharing platform.

Because the app is installed from outside the official app store, something Android blocks by default, the page also shows the potential victim step-by-step instructions for enabling side-loading (installation from unknown sources) in the device’s Settings menu.

Figure 1: New banking malware asks users to enable side-loading

In its current state, the malware can phish users’ online banking credentials via overlay attacks and steal two-factor authentication (2FA) codes sent via SMS. Together, these capabilities allow the attacker to take over victims’ bank accounts and complete fraudulent transactions from them.

A New Codebase

According to our analysis, Banker.BR’s code is entirely new and does not rely on previously leaked code or existing mobile malware. Our team has seen earlier versions of this Trojan that featured only a basic SMS stealer; this post focuses on the new and more elaborate overlay capability, a tactic common to most Android banking malware.

At first, the malware could only steal SMS messages, so the attackers using it likely obtained account credentials from other sources, such as phishing campaigns and underground credential vendors. As it evolved, it added the overlay attack feature to bring the phishing phase onto the infected device as well.

While it has the same core capabilities as other malware in this class, it cannot pull overlay images from its command-and-control (C&C) server in real time; instead it draws on screens embedded in its own resources on the device, which is less agile than the approach used by other malware.

While most Android apps are written in Java or Kotlin, the languages supported by Android Studio, Banker.BR is written in B4X. B4X is a Visual Basic-like language at the core of a suite of rapid application development IDEs that compile to native apps for Android and iOS, among other platforms. It is rarely used to write malware.

Lack of Anti-Research Features

We noticed some features that are not presently a part of this malware’s overall deployment:

  • The malware is neither packed nor obfuscated, which makes it easier to reverse-engineer, although the niche IDE does generate runtime and wrapper code that adds overhead to the reversing effort.
  • Unlike similar malware, this Trojan does not check whether it is running in an emulator or virtual machine, nor whether a debugger is attached. It therefore lacks anti-research features, which makes it easier to analyze.
  • We have not found any proxy capabilities or call-manipulation features.

Establishing Persistence

Persistence on the device is established with a broadcast receiver. A BroadcastReceiver is an Android component through which an app registers to be notified of system and app events. Here, the malware registers for the ACTION_BOOT_COMPLETED system broadcast, which is sent once the device finishes booting (an app must also hold the RECEIVE_BOOT_COMPLETED permission to receive it).

When the broadcast arrives, the receiver starts the malware without any user interaction.

Malicious Permission Granting

Banker.BR abuses the Accessibility service to grant itself the permissions it needs without the victim’s knowledge or consent. It does so by programmatically clicking the “Allow” button on the system dialogs that ask the user to allow or deny runtime permissions. Note that an accessibility service cannot enable itself; the user has to turn it on in Settings, so this abuse begins only once the victim has done that.

It clicks faster than a human can react, so the user has no chance to deny the request. Once the initial permissions are granted, Banker.BR can use the same trick to grant itself additional ones.

Figure 2: Auto approval of permissions

The permissions sought by this malware include:

  • Read phone state
  • Camera access
  • Read contacts
  • Read and receive SMS
  • Write to external storage

Figure 3: Banker.BR permission list
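As an added example (not code from the original post or from IBM X-Force), the following Python script triages a decoded AndroidManifest.xml for the manifest-level traits described in the persistence and permission sections above: a receiver for BOOT_COMPLETED, a service bound with BIND_ACCESSIBILITY_SERVICE, and the SMS and phone permissions. It also flags two gaps an analyst should notice: a boot receiver declared without the RECEIVE_BOOT_COMPLETED permission (it would never fire) and RECEIVE_SMS requested with no SMS receiver in the manifest (a hint that one is registered at runtime). The embedded manifest is constructed for this example; its package and component names are placeholders, not Banker.BR’s.

```python
"""Static triage of a decoded AndroidManifest.xml (e.g. apktool output).

Flags the manifest-level traits of an SMS-stealing overlay banker: a receiver
for BOOT_COMPLETED (persistence), a service bound with
BIND_ACCESSIBILITY_SERVICE (permission auto-granting, foreground-app watching)
and SMS/phone permissions. The sample manifest is constructed for this
example; its package and component names are placeholders."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"

# Permissions that, in combination, characterise this malware family.
RISKY_PERMISSIONS = {
    RECEIVE_SMS: "intercept incoming SMS (2FA codes)",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.READ_PHONE_STATE": "read IMEI, IMSI and phone number",
    "android.permission.READ_CONTACTS": "harvest contacts",
    "android.permission.CAMERA": "camera access",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write to external storage",
    BOOT_PERMISSION: "receive the boot broadcast",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw windows over other apps",
}

# Constructed sample manifest (placeholder names, not the real malware's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Seguridad">
    <receiver android:name=".BootReceiver" android:enabled="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".AcsService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""


def attr(elem, name):
    """Read an android:-namespaced attribute from an element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def actions_of(component):
    """All intent-filter actions declared under a receiver/service/activity."""
    return {attr(a, "name") for a in component.iter("action")}


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    app = root.find("application")
    receivers = app.findall("receiver") if app is not None else []
    services = app.findall("service") if app is not None else []

    boot_receivers = [attr(r, "name") for r in receivers if BOOT_ACTION in actions_of(r)]
    sms_receivers = [attr(r, "name") for r in receivers if SMS_ACTION in actions_of(r)]
    a11y_services = [attr(s, "name") for s in services
                     if attr(s, "permission") == A11Y_PERMISSION]

    notes = []
    if boot_receivers and BOOT_PERMISSION not in perms:
        notes.append("BOOT_COMPLETED receiver without RECEIVE_BOOT_COMPLETED: it will never fire")
    if RECEIVE_SMS in perms and not sms_receivers:
        notes.append("RECEIVE_SMS requested but no SMS receiver in the manifest: "
                     "expect a receiver registered at runtime")
    if a11y_services and boot_receivers and RECEIVE_SMS in perms:
        notes.append("accessibility service + boot persistence + SMS access: "
                     "overlay-banker profile")

    return {
        "package": root.get("package"),
        "risky_permissions": sorted(p for p in perms if p in RISKY_PERMISSIONS),
        "boot_receivers": boot_receivers,
        "manifest_sms_receivers": sms_receivers,
        "accessibility_services": a11y_services,
        "notes": notes,
    }


if __name__ == "__main__":
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

Run it against `apktool d sample.apk` output by passing the decoded manifest text to `triage_manifest()`. The permission map is deliberately a small allow-list of what this family uses; extend it rather than scoring every dangerous permission, or the profile note loses its signal.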

Exfiltrating Device Information and SMS Content

After installation, the malware collects some device information and sends it to the attacker’s C&C server, whose domain is hard-coded in the malware. The information includes:

  • Phone number
  • International Mobile Equipment Identity (IMEI)
  • International Mobile Subscriber Identity (IMSI)
  • SIM serial number (SSN, i.e., the ICCID)
  • A unique bot ID, generated randomly by the malware for each device

When active, the malware can also steal and exfiltrate SMS messages, which allows it to grab 2FA codes sent to the user by their bank or other service providers. It registers the receiver that handles newly received SMS (SMS_RECEIVED) at runtime rather than declaring it in the manifest, which keeps the capability out of the app’s static, user-visible declarations.

Figure 4: Banker.BR SMS control

Active in the Background and Taking Action on Trigger

Banker.BR remains silently active in the background, monitoring the apps the user opens while it waits for a targeted app to be launched.

Abusing the Accessibility service, a common way for Android malware to track which app is in the foreground, it waits for a match so that it can launch the corresponding overlay screen at the right moment and in the right context, tricking the user into typing their credentials into it.


Figure 5: Malware awaits targeted apps to be launched

It does this by listening in onAccessibilityEvent for events of type TYPE_WINDOW_STATE_CHANGED, which signal that the window in the foreground (typically an activity) has changed.

Next, the malware calls the function _acs_onactivitynameretrieved, which checks whether the activity’s name matches one of its targets. If it does, the malware displays the corresponding overlay screen, crafted to match that bank app’s look and feel.
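The manifest shows none of the three behaviours described above and in the permission-granting and SMS sections: the SMS receiver is registered at runtime, the foreground-app matching lives in onAccessibilityEvent, and the “Allow” auto-click is a performAction call. As an added example (not code from the original post or from IBM X-Force), the following Python script scans decoded smali for those three patterns: a const-string of SMS_RECEIVED in a method that calls registerReceiver, an onAccessibilityEvent handler that compares the event type against TYPE_WINDOW_STATE_CHANGED (0x20) and holds package-name-like strings, and a method that calls performAction with ACTION_CLICK (0x10). The smali it scans is constructed for the example; the class, method and package names are placeholders, not code recovered from Banker.BR, and the regexes are heuristics tuned to apktool output, not a full smali parser.

```python
"""Scan decoded smali (apktool output) for behaviour the manifest cannot show:
a runtime-registered SMS_RECEIVED receiver, an onAccessibilityEvent handler
keyed on TYPE_WINDOW_STATE_CHANGED with hard-coded target packages, and a
performAction(ACTION_CLICK) call. The sample smali is constructed for this
example; all names in it are placeholders."""
import json
import re

SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Match on the method signature only: javac emits the call against the static
# type of `this`, so the class may be the malware's own subclass, not Context.
REGISTER_RECEIVER = "->registerReceiver(Landroid/content/BroadcastReceiver;"
PERFORM_ACTION = "Landroid/view/accessibility/AccessibilityNodeInfo;->performAction(I)Z"
TYPE_WINDOW_STATE_CHANGED = 0x20  # AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED
ACTION_CLICK = 0x10               # AccessibilityNodeInfo.ACTION_CLICK

METHOD_START = re.compile(r"\.method\s+(?:[a-z\-]+\s+)*(\S+?)\(")
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"([^"]*)"')
CONST_INT = re.compile(r"const(?:/4|/16)?\s+[vp]\d+,\s+(0x[0-9a-fA-F]+|-?\d+)")
# Lower-case dotted names with three or more segments look like app package names.
PACKAGE_LIKE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*){2,}$")

SAMPLE_SMALI = """.class public Lcom/example/fakesecurity/AcsService;
.super Landroid/accessibilityservice/AccessibilityService;

.method public onAccessibilityEvent(Landroid/view/accessibility/AccessibilityEvent;)V
    .locals 2
    invoke-virtual {p1}, Landroid/view/accessibility/AccessibilityEvent;->getEventType()I
    move-result v0
    const/16 v1, 0x20
    if-ne v0, v1, :cond_0
    invoke-virtual {p1}, Landroid/view/accessibility/AccessibilityEvent;->getPackageName()Ljava/lang/CharSequence;
    move-result-object v0
    const-string v1, "com.example.bankapp"
    invoke-virtual {v1, v0}, Ljava/lang/String;->contentEquals(Ljava/lang/CharSequence;)Z
    move-result v1
    if-nez v1, :cond_1
    const-string v1, "com.example.otherbank"
    invoke-virtual {v1, v0}, Ljava/lang/String;->contentEquals(Ljava/lang/CharSequence;)Z
    move-result v1
    if-eqz v1, :cond_0
    :cond_1
    invoke-direct {p0, v0}, Lcom/example/fakesecurity/AcsService;->showOverlay(Ljava/lang/CharSequence;)V
    :cond_0
    return-void
.end method

.method private clickAllow(Landroid/view/accessibility/AccessibilityNodeInfo;)V
    .locals 1
    const/16 v0, 0x10
    invoke-virtual {p1, v0}, Landroid/view/accessibility/AccessibilityNodeInfo;->performAction(I)Z
    return-void
.end method

.method private startSmsHook()V
    .locals 2
    new-instance v0, Landroid/content/IntentFilter;
    const-string v1, "android.provider.Telephony.SMS_RECEIVED"
    invoke-direct {v0, v1}, Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)V
    new-instance v1, Lcom/example/fakesecurity/SmsReceiver;
    invoke-direct {v1}, Lcom/example/fakesecurity/SmsReceiver;-><init>()V
    invoke-virtual {p0, v1, v0}, Lcom/example/fakesecurity/AcsService;->registerReceiver(Landroid/content/BroadcastReceiver;Landroid/content/IntentFilter;)Landroid/content/Intent;
    return-void
.end method
"""


def split_methods(smali):
    """Yield (method_name, [stripped body lines]) for each .method block."""
    name, body = None, []
    for line in smali.splitlines():
        line = line.strip()
        m = METHOD_START.match(line)
        if m:
            name, body = m.group(1), []
        elif line == ".end method" and name is not None:
            yield name, body
            name = None
        elif name is not None:
            body.append(line)


def scan_smali(smali):
    findings = {"runtime_sms_receivers": [], "window_state_handlers": [],
                "auto_click_methods": [], "target_packages": []}
    for name, body in split_methods(smali):
        strings = [m.group(1) for m in map(CONST_STRING.match, body) if m]
        ints = {int(m.group(1), 0) for m in map(CONST_INT.match, body) if m}
        if SMS_ACTION in strings and any(REGISTER_RECEIVER in l for l in body):
            findings["runtime_sms_receivers"].append(name)
        if name == "onAccessibilityEvent" and TYPE_WINDOW_STATE_CHANGED in ints:
            findings["window_state_handlers"].append(name)
        if ACTION_CLICK in ints and any(PERFORM_ACTION in l for l in body):
            findings["auto_click_methods"].append(name)
        for s in strings:
            if PACKAGE_LIKE.match(s) and s not in findings["target_packages"]:
                findings["target_packages"].append(s)
    return findings


if __name__ == "__main__":
    print(json.dumps(scan_smali(SAMPLE_SMALI), indent=2))
```

In a real sample the B4X compiler wraps callbacks in generated methods (the post names one, _acs_onactivitynameretrieved), so the window-state check is keyed on the Android callback name while the package-string harvesting runs over every method; running the scanner over every .smali file under the decoded APK and merging the results is the practical usage.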

Figure 6: Banker.BR targeted apps with bank names blurred (Source: IBM X-Force)

The overlay screen would typically feature the bank’s logo and ask for the user’s sign-in credentials.

Unlike other malware in this class, the overlay screens are embedded in the malware rather than retrieved from the attacker’s C&C server in real time. This is less agile: fake screens cannot be updated on the fly, and any change requires a new malware build. It also exposes every available screen to anyone analyzing the sample.

Figure 7: Sample overlay screen requiring the user to enter their account sign-in credentials


At this time, the targets we have observed for this new malware are focused on banks in Brazil. Some of the major banks targeted by this app also operate elsewhere, namely in Spain, Portugal and across Latin America, which could hint at the attackers’ current location or origins.

Malware of this type is extremely simple to redirect to other regions: changing the target list and the embedded screens changes its attack turf and potential targets. It can target banks, but it can equally be turned against the credentials of any other app on the device, or used to steal payment card data under the guise of a Google Play store request.

Continued Development

IBM X-Force researchers note that Banker.BR is under continued development, with new screens being added for additional targeted banks and further code enhancements expected in the coming months.

To keep up to date on further analysis and emerging threat intelligence, read our Security Intelligence blogs and join us on X-Force Exchange.

Indicators of Compromise (IoCs)

SHA-256 of earlier versions — SMS stealer only


SHA-256 of later versions — complete overlay malware

