BankBot RAT

BankBot is a powerful Android remote-access trojan that, once installed, can seize extensive control of a device. It abuses Android's Accessibility Service API, which is intended for assistive tools, to automate user-interface actions, grant itself further permissions, harvest sensitive information, and carry out unauthorized operations that can lead to financial fraud, identity theft, and further malware deployment. Any confirmed infection requires immediate remediation.

Stealth and Device Profiling

BankBot actively avoids analysis and targets only chosen environments. It performs emulator and sandbox checks, inspects device attributes (make, model, ROM), and adjusts its behavior so it runs on selected real devices while remaining dormant or evasive in lab environments. The malware also collects and logs device telemetry — Android version and build, brand and model, manufacturer, hardware and build IDs, and product name — to profile targets and skip unsupported devices.

Gaining Control: Accessibility Abuse and Silent Persistence

A core tactic is the abuse of Accessibility services. BankBot opens the Accessibility Settings screen and socially engineers the user into enabling its own accessibility service; once that is granted, the service can read on-screen content, inject clicks and text, accept permission dialogs on the user's behalf, and act without any further consent. It also requests device-administrator rights, which prevent the app from being uninstalled until that status is deactivated. To survive reboots and keep a live channel to its operators, the malware schedules a recurring task (roughly every 30 seconds) that is gated on network connectivity and is re-registered after device restarts.

Capabilities — What BankBot Can Do

BankBot's feature set gives it near-complete control of an infected phone. Key capabilities include: muting system audio to suppress alerts (ringtones, notifications, media), displaying full-screen fake prompts (for example, 'Personal Information Verification') to distract victims while it activates permissions, and silently enabling services and administrator status. It can programmatically open or close apps, refresh screens, simulate touches and swipes, unlock the screen, control call forwarding, send SMS messages, install or uninstall APKs, download files, take photos and screenshots, hide windows, and set text into input fields. The malware can also read the Android clipboard and exfiltrate its contents — exposing passwords, seed phrases, and other secrets — and it captures contacts, SMS, installed app lists, device status, and geolocation.

Targeting Banking and Crypto — Which Apps Are at Risk

BankBot receives instructions from a command-and-control server that supplies a list of financial and banking apps to target for credential theft or fraudulent transactions. It also specifically targets many cryptocurrency wallets by automating wallet app UIs via Accessibility to read sensitive artifacts such as seed phrases, private keys, or transaction details. Examples of wallet targets observed include:

  • AUTOS, Bitcoin, BitKeep, Blockchain wallet, Coin98 Super Wallet, Coinomi, Exodus, imToken, Krystal, MetaMask, MeWallet, SafePal, Status (Ethereum Crypto Wallet), TokenPocket, Trust Wallet, Valor.

Deception Techniques and App Masquerading

To reduce suspicion, BankBot can change its icon and name to impersonate legitimate services (for instance, presenting itself as Google News) and then open trusted-looking web content inside a WebView. These cosmetic changes, combined with fake reCAPTCHA-like prompts or full-screen verification dialogs, are used to trick users into granting permissions or interacting with the app while malicious actions run in the background.

How Users Typically Land on BankBot

In many cases, victims install BankBot themselves after being deceived. Common infection routes include:

  • Sideloading APKs from attacker-controlled sites or third-party stores.
  • Fake or malicious apps distributed through untrusted app repositories.
  • Drive-by installs or downloads from deceptive ads and pop-ups on dubious sites.
  • Links in SMS, messaging apps, or phishing emails.

Social engineering is central to distribution: criminals craft convincing lures to persuade users to download and run the malware.

Risks and Expected Impact

An infected device can suffer account takeovers, unauthorized financial transactions, stolen identities, and loss of privacy. The combination of Accessibility abuse, silent persistence, device profiling, and targeted attacks against banking and crypto apps makes BankBot particularly dangerous for users with financial apps or crypto wallets on their phones.

Immediate Containment and Recovery Steps

  • Revoke what gives the malware control: in Settings, disable the unknown app's accessibility service and notification access, then deactivate its device-administrator status (Android refuses to uninstall an active device admin). If the malware keeps closing the Settings screen, reboot into Safe Mode, which stops third-party apps from running, and make the changes there.
  • Uninstall the malicious app(s) and run a full scan with a reputable mobile security product. If the app cannot be removed or reappears after removal, back up essential data and factory-reset the device.
  • Change passwords and enable multi-factor authentication for financial accounts and any services used on the device — do this from a clean device.
  • Contact banks or wallet providers if you suspect fraudulent activity and monitor accounts for unauthorized transactions.
  • Because BankBot reads the clipboard and screen content, treat any seed phrase or private key that was typed, pasted, or displayed on the device as exposed: move funds to new wallet addresses whose keys were generated on a clean device.
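Before the revoke-and-uninstall steps above, a responder usually wants a quick inventory of what the malware has been granted. The following Python script is an added example, not code from the original article and not BankBot's own code: it parses the text printed by three adb commands (settings get secure enabled_accessibility_services, dumpsys device_policy, and pm list packages -3 -i) and flags non-allowlisted accessibility services and device admins (the two footholds described under "Gaining Control" above) as well as sideloaded third-party apps (the infection route described under "How Users Typically Land on BankBot"). The sample outputs, the trusted-prefix allowlist, and the assumed line layout of the dumpsys admin block are constructed for this example; feed it real output captured with adb and adjust the allowlist to your fleet.

```python
"""Offline triage of adb output for accessibility, device-admin and sideload abuse.

Added example (not from the original article). Input is the text printed by:
    adb shell settings get secure enabled_accessibility_services
    adb shell dumpsys device_policy
    adb shell pm list packages -3 -i
Sample data, allowlist and the assumed dumpsys layout are constructed.
"""
import re
from dataclasses import dataclass

# Assumed allowlist of vendor/system package prefixes; tune for your fleet.
TRUSTED_PREFIXES = ("com.android.", "com.google.android.", "com.samsung.")
# Installer values meaning the APK did not come from an app store.
SIDELOAD_INSTALLERS = {"null", "com.android.packageinstaller",
                       "com.google.android.packageinstaller"}


@dataclass(frozen=True)
class Finding:
    kind: str      # "accessibility", "device_admin" or "sideloaded"
    package: str
    detail: str    # fully qualified component, or installer=<pkg>


def split_component(entry: str) -> tuple[str, str]:
    """'pkg/.Cls' or 'pkg/full.Cls' -> (pkg, fully qualified class).
    Android abbreviates a class in its own package to a leading dot."""
    pkg, _, cls = entry.strip().rstrip(":").partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_accessibility_services(raw: str) -> list[tuple[str, str]]:
    """The secure setting is 'null' or a ':'-separated list of components."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [split_component(c) for c in raw.split(":") if c]


def parse_device_admins(dumpsys: str) -> list[tuple[str, str]]:
    """Collect indented 'pkg/Cls:' lines under 'Enabled Device Admins'.
    Assumed layout: details (uid, policies) are indented deeper and hold
    no '/', and an unindented line ends the section."""
    admins, in_block = [], False
    for line in dumpsys.splitlines():
        if line.strip().startswith("Enabled Device Admins"):
            in_block = True
            continue
        if not in_block:
            continue
        if line and not line.startswith(" "):
            in_block = False          # left the admin section
            continue
        m = re.match(r"^\s+([\w.]+/[\w.$]+):?\s*$", line)
        if m:
            admins.append(split_component(m.group(1)))
    return admins


def parse_third_party(pm_output: str) -> list[tuple[str, str]]:
    """'package:com.x  installer=com.android.vending' -> (pkg, installer)."""
    found = []
    for line in pm_output.splitlines():
        m = re.match(r"^package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def triage(acc_raw: str, dumpsys_raw: str, pm_raw: str,
           trusted: tuple[str, ...] = TRUSTED_PREFIXES) -> list[Finding]:
    """Everything a responder should inspect before cleanup."""
    findings = []
    for pkg, cls in parse_accessibility_services(acc_raw):
        if not pkg.startswith(trusted):
            findings.append(Finding("accessibility", pkg, cls))
    for pkg, cls in parse_device_admins(dumpsys_raw):
        if not pkg.startswith(trusted):
            findings.append(Finding("device_admin", pkg, cls))
    for pkg, installer in parse_third_party(pm_raw):
        if installer in SIDELOAD_INSTALLERS:
            findings.append(Finding("sideloaded", pkg, f"installer={installer}"))
    return findings


# Constructed sample output standing in for a compromised device.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.news.reader/.svc.A11yService"
)
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.news.reader/.svc.AdminReceiver:
      uid=10245
      policies:
        force-lock
        wipe-data
  Password reset token is not set
"""
SAMPLE_PM = """package:com.news.reader  installer=null
package:com.bank.app  installer=com.android.vending
package:com.flashlight.free  installer=com.google.android.packageinstaller
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY, SAMPLE_PM):
        print(f"[{f.kind}] {f.package}: {f.detail}")
```

Real devices may lay out the dumpsys admin section differently from the constructed sample, so compare the parser against one known-good device before trusting it. Any accessibility service or device admin outside the allowlist is suspect until its package is identified, and a package that appears in all three lists, as com.news.reader does here, is the first thing to revoke and remove.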

Prevention

  • Keep the device OS and apps up to date.
  • Do not sideload APKs or install apps from untrusted sources; on Android 8 and later, leave the per-app "Install unknown apps" permission disabled for browsers and messaging apps so a tapped link cannot install anything.
  • Be suspicious of any prompt that asks you to enable Accessibility or device-admin features; a news, utility, or verification app has no legitimate need for either.
  • Use a trusted mobile security product that can detect and remove trojans and adware.
  • Educate users and employees about the social-engineering tactics that lead to sideloading and permission-granting.

Summary — Treat BankBot as High Risk

BankBot is a stealthy, feature-rich Android RAT that combines accessibility abuse, environment checks, persistent scheduled tasks, UI automation, and targeted theft of banking and crypto assets. Because of its potential for serious financial and privacy harm, any suspected infection should be treated as urgent: remove the malware, secure accounts from a clean device, and take the preventive steps above to reduce future exposure.
