Our Investigation of Android Banking Trojans Targeting the Middle East
This blog summarises our latest investigation into Android banking trojan campaigns targeting financial institutions across the Middle East. For the full threat intelligence findings, actor attribution, 222 validated indicators of compromise, and defensive guidance, get in touch with our team.
What did CybelAngel’s REACT team find?
Over the past several months, CybelAngel’s REACT team investigated a surge in Android banking trojan campaigns targeting financial institutions across the Middle East. The investigation identified 222 indicators of compromise — including malicious domains, command-and-control IP addresses, JA3 fingerprints, and APK file hashes — across multiple active malware families.
The scale of the broader campaign is significant. Approximately 255,000 new malicious Android banking APK packages were identified in 2025, a 1.5x increase year-over-year and a several-fold surge on the 2022 to 2024 baseline. Over one million user accounts were compromised by infostealers globally in the same period. The proportion of Trojan-Banker and Trojan-Spy applications in the overall mobile malware mix tripled between 2022 and 2025, indicating a deliberate shift toward higher-impact, more targeted payloads.
The Middle East sits at the centre of this shift. Our team found confirmed banking brand impersonation active on at least three unofficial app store platforms — Aptoide, LDPlayer, and APKPure — with samples matching malware families attributed to known threat actor groups. Listings spanned the UAE and Pakistan.
How the attack works
Every campaign our team investigated followed an identical six-stage sequence.
- Delivery: A fake Chrome or Google Play update prompt is served to the victim’s Android device, conditionally targeted by geolocation and User-Agent to avoid automated detection.
- Disguise: The malicious APK replicates the full metadata of a legitimate app, including package name, icon, and version string, to pass visual and basic automated inspection.
- Installation: The user sideloads the app. On Android 13 devices, the Brokewell Android Loader bypasses Restricted Settings by spoofing the Play Store install flow, making fully-patched devices vulnerable.
- Permission grant: The app requests Android’s Accessibility Service. Once granted, that single permission unlocks every subsequent capability with no further interaction from the victim required.
- Identity theft: The malware renders invisible overlay screens on top of legitimate banking apps to harvest usernames, passwords, and card details, while intercepting SMS one-time passwords in real time.
- On-Device Fraud: The attacker initiates fraudulent transactions directly from within the victim’s authenticated banking session via remote VNC control, defeating device fingerprinting, IP reputation checks, and behavioural anomaly detection.
From that point, the malware renders invisible overlay screens on top of legitimate banking apps to harvest credentials, intercepts SMS one-time passwords in real time, and initiates fraudulent transactions directly from the victim’s device. This is On-Device Fraud (ODF). It defeats device fingerprinting, IP reputation checks, and behavioural anomaly detection, because the transaction originates from within the victim’s own authenticated session.
Anti-removal logic built into several of the families our team investigated detects uninstall attempts and dismisses them automatically. The Accessibility Service permission re-grants itself. The attacker remains persistent on the device until the victim explicitly revokes the permission through system settings.
The families behind the campaign
Our investigation covered five primary malware families with confirmed or likely UAE targeting, alongside a broader landscape of families operating at scale across the region. The table below summarises what we found.
| Family | Lure | Key capability | Pricing | UAE targeting |
|---|---|---|---|---|
| PhantomCall | Fake Chrome update | Credential harvesting, OTP interception | Not public | Confirmed — top 2 target, surge Jun–Jul 2025 |
| AntiDot | Fake Google Play update | Overlay engine, keylogger, VNC, SMS interceptor | Not public | Confirmed — parent of PhantomCall |
| AppLite Banker | Fake Chrome / TikTok / CRM app | Corporate HR targeting, VNC, USSD | Not public | Corporate / HR targeting confirmed |
| Brokewell | Fake Google Play update | 50+ ODF commands, session cookie theft, Android 13 bypass | Not public | Global, shared code with Herodotus |
| Albiriox | Fake Google Play Store | Dual-mode VNC, SMS interceptor, 82-language anti-removal | $1,300–$1,420/month | MaaS scale, no confirmed UAE targeting |
These families are available on underground forums as Malware-as-a-Service (MaaS). Albiriox was listed at between $1,300 and $1,420 per month, including operator panel, dropper, and support. Brokewell’s Android Loader dropper is sold separately as shared infrastructure, adopted across multiple unrelated families. Because multiple operators build near-identical APKs from the same leaked codebases, actor-based attribution has become increasingly unreliable as a basis for defensive prioritisation.
One family, Octo2, uses a domain generation algorithm pre-seeded with 268 domains in MD5-format hex strings, eliminating reliance on a fixed command-and-control address and making conventional domain takedown operationally expensive for defenders. Brokewell operates over non-standard TCP ports 9003, 9004, and 9030, bypassing network inspection rules scoped to 80/443.
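As an added defender-side illustration, not code from the report or from CybelAngel, the following Python flags two of the network characteristics described above over constructed sample connection records: DNS labels that are bare 32-character hex strings, matching the MD5-format seeding of the Octo2 DGA, and connections to the Brokewell ports 9003, 9004 and 9030. The sample hosts, the rule names and the flow record layout are assumptions; only the port list and the MD5-hex pattern come from the text.

```python
import re

# Constructed sample of outbound flows as (destination host, destination port).
# Every value here is made up for illustration; none is an indicator from the report.
SAMPLE_FLOWS = [
    ("www.example.com", 443),
    ("5f4dcc3b5aa765d61d8327deb882cf99.top", 443),  # 32-hex label: DGA-style name (constructed)
    ("cdn.example.net", 80),
    ("203.0.113.10", 9003),  # TEST-NET address on a Brokewell port (constructed)
    ("203.0.113.10", 9030),
    ("updates.example.org", 8443),
]

# Non-standard C2 ports the report attributes to Brokewell; the rule around them is ours.
BROKEWELL_PORTS = {9003, 9004, 9030}

# Octo2 seeds its DGA with MD5-format hex strings: a bare 32-character hexadecimal label.
MD5_LABEL = re.compile(r"^[0-9a-f]{32}$")


def is_md5_style_domain(host: str) -> bool:
    """True when any DNS label of the host is a bare 32-char hex string (Octo2-style DGA candidate)."""
    labels = host.lower().rstrip(".").split(".")
    return any(MD5_LABEL.match(label) for label in labels)


def classify_flow(host: str, port: int) -> list:
    """Return the list of rule names a single flow trips (empty list when clean)."""
    reasons = []
    if is_md5_style_domain(host):
        reasons.append("md5-style-domain")
    if port in BROKEWELL_PORTS:
        reasons.append(f"brokewell-port-{port}")
    return reasons


def detect(flows) -> list:
    """Run both rules over an iterable of (host, port) and return (host, port, reasons) hits."""
    alerts = []
    for host, port in flows:
        reasons = classify_flow(host, port)
        if reasons:
            alerts.append((host, port, reasons))
    return alerts


if __name__ == "__main__":
    for host, port, reasons in detect(SAMPLE_FLOWS):
        print(f"{host}:{port} -> {', '.join(reasons)}")
```

A bare 32-hex label is a weak signal on its own, since content-addressed CDN hostnames look the same, so treat a hit as a triage hint to correlate with validated IOCs rather than as a verdict.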
Why the Middle East is a distinct target
The regional threat profile diverges from the global picture in ways that matter for how financial institutions respond. 85.8% of financial phishing in the Middle East targets online shoppers, compared to 48.45% globally. Bank-themed phishing accounts for only around 7.6% of regional financial phishing, well below the global average. Netflix was the single most impersonated brand in the region.
Banking customers are not being reached through direct bank impersonation. They are being compromised on retail and entertainment platforms, and banking credentials are harvested after infection. Traditional fraud prevention models built around bank-branded phishing detection miss the majority of this exposure. The regional dominance of e-commerce phishing combined with the cultural acceptance of app sideloading creates compound exposure for customers interacting with retail, entertainment, and payment platforms on mobile devices.
What the full investigation contains
The full report includes detailed actor attribution and profiles for all families covered, infrastructure analysis linking malware families through shared hosting and code patterns, a complete MITRE ATT&CK for Mobile technique matrix across 13 mapped techniques, sector-specific defensive guidance for financial institutions operating in the region, and the complete set of 222 validated IOCs. A selection has already been incorporated into CybelAngel’s platform feeds. The full set is available on request.
This is an active campaign. Our team continues to monitor it.
Get in touch to access the full investigation
CybelAngel's Brand Protection and Dark Web Monitoring capabilities detect fraudulent app listings, banking brand impersonation, and malicious infrastructure at the source, before customers are compromised.
