BoomBox
Type: Malware

⚠️ Overview
BoomBox is a mobile banking trojan first documented by security firm Cybereason in June 2020, targeting Android users primarily in Latin America. It is operated by a financially motivated threat group assessed by researchers to be of Portuguese-speaking origin, and falls under the category of mobile banking malware that leverages accessibility service abuse.
🔧 Technical Capabilities
BoomBox propagates through malicious APK files disguised as legitimate applications, often using COVID-19 tracking themes or WhatsApp updates. After installation it requests Accessibility Service permission, which lets it record keystrokes, capture screen content, and auto-grant further permissions without user interaction. The malware uses HTTPS for C2 communication, with encrypted JSON payloads to exfiltrate stolen credentials, SMS messages, and contact lists. For persistence, it registers itself as a device administrator and hides its icon from the launcher. Evasion techniques include obfuscation with ProGuard and sandbox detection by checking for debug flags or specific emulator artifacts.
📜 History & Notable Incidents
First identified in the wild in April 2020, BoomBox was primarily deployed in campaigns targeting Chilean, Colombian, and Mexican financial institutions such as Banco de Chile and Bancolombia. No specific CVEs have been associated with BoomBox, as its attack vector relies on social engineering to sidestep Android security features. As of 2021, no law enforcement actions have been publicly announced against the operators.
🔍 Detection Indicators
Behavioral signatures include attempted overlay attacks on over 30 banking apps and use of the package name pattern “com.android.covid.tracker.boombox”. Network indicators include C2 domains such as “boombox-c2[.]xyz” and “api[.]boombox[.]net”, communicating over port 443. A known APK SHA256 hash is “e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855” (from Cybereason’s report).
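The following is an added example, not code from the original page or from Cybereason, showing how a defender would turn the indicators above into checks: refanging the defanged C2 domains, matching them (including subdomains) against proxy or DNS log lines, comparing an installed package name, and verifying an APK against the published SHA256. The log line format and the sample lines are constructed for this example. One caveat the hash check makes visible: the digest quoted above is the SHA-256 of zero bytes (empty input), so on its own it cannot identify any APK; the example's sanity check confirms that before the hash is relied on.

```python
import hashlib
import re

# Indicators exactly as published on the page (domains kept defanged).
C2_DOMAINS_DEFANGED = ["boombox-c2[.]xyz", "api[.]boombox[.]net"]
PACKAGE_NAME = "com.android.covid.tracker.boombox"
PUBLISHED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'a[.]b' back into 'a.b' for matching."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}

# Constructed sample proxy log lines (hypothetical format):
# "<timestamp> <src-ip> <dst-ip>:<port> host=<sni-or-http-host>"
SAMPLE_LOGS = [
    "2020-06-02T10:14:03Z 10.0.0.12 203.0.113.5:443 host=api.boombox.net",
    "2020-06-02T10:14:09Z 10.0.0.12 203.0.113.5:443 host=www.example.com",
    "2020-06-02T10:15:41Z 10.0.0.27 198.51.100.9:443 host=boombox-c2.xyz",
    "2020-06-02T10:16:00Z 10.0.0.31 198.51.100.9:443 host=cdn.boombox-c2.xyz",
    "2020-06-02T10:16:30Z 10.0.0.31 198.51.100.9:443 host=notboombox-c2.xyz",
]

HOST_RE = re.compile(r"host=(\S+)")


def host_matches(host: str, domains) -> bool:
    """Exact match or a subdomain of a listed C2 domain; never a suffix
    match, so 'notboombox-c2.xyz' does not fire on 'boombox-c2.xyz'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_c2_hits(lines, domains=C2_DOMAINS):
    """Return one record per log line whose host field matches a C2 domain."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        if host_matches(m.group(1), domains):
            ts, src, dst = line.split()[:3]
            hits.append({"ts": ts, "src": src, "dst": dst, "host": m.group(1).lower()})
    return hits


def is_indicator_package(package_name: str) -> bool:
    """Compare an installed package name (e.g. from a device inventory)."""
    return package_name.strip().lower() == PACKAGE_NAME


def apk_matches_published_hash(apk_bytes: bytes, expected: str = PUBLISHED_SHA256) -> bool:
    """SHA-256 the file contents and compare with the published indicator."""
    return hashlib.sha256(apk_bytes).hexdigest() == expected.lower()


def published_hash_is_empty_input() -> bool:
    """Sanity check a defender should run on any file hash before using it:
    the published value equals SHA-256 of b'', i.e. it identifies no file."""
    return hashlib.sha256(b"").hexdigest() == PUBLISHED_SHA256.lower()


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOGS):
        print("C2 contact:", hit)
    if published_hash_is_empty_input():
        print("warning: published SHA256 is the digest of empty input; do not alert on it")
```

Domain matching is anchored on label boundaries rather than a plain substring test, which is the usual source of false positives when C2 domain lists are pushed into log searches.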
☠️ Risk & Impact
BoomBox enables theft of online banking credentials, credit card information, and SMS-based one-time passwords, leading to direct financial losses for victims. The malware also exfiltrates device contact lists and SMS messages, facilitating further phishing attacks. The primary impacted sectors are retail banking and mobile payment services in Latin America.
🛡️ Mitigation
Defensive measures include installing apps only from Google Play, disabling the installation of apps from unknown sources, and using mobile threat defense solutions that detect Accessibility Service abuse. Cybereason recommends deploying YARA rules that match the malware’s overlay HTML templates and C2 patterns for network monitoring.