CLASSFON

Malware

⚠️ Overview

Classfon is an advanced Android banking trojan first documented by ThreatFabric in November 2021, attributed to the same threat actor behind the Cabosn and Caposn families, and categorized as a remote access trojan (RAT) with overlay and keylogging capabilities primarily targeting Latin American financial institutions. It is distributed through fake Google Play Store pages and malicious sideloaded APKs, exploiting Android's accessibility services to steal credentials, intercept two-factor authentication (2FA) codes, and exfiltrate device data via HTTPS-based command-and-control (C2) infrastructure.

🔧 Technical Capabilities

Classfon abuses the Android AccessibilityService API (MITRE ATT&CK T1411) to capture login credentials, credit card numbers, and other sensitive inputs in real time. It employs web-inject techniques using a built-in GeckoView-based browser to overlay fake banking pages on legitimate apps, a technique also referenced in MITRE ATT&CK T1430. The malware maintains persistence through a service that automatically restarts after device reboot (T1068) and evades detection by checking for emulators, rooted devices, or security tools (T1497). Its C2 infrastructure uses encrypted JSON payloads over HTTPS with a unique device fingerprint sent via the User-Agent header (e.g., "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36") to avoid network-layer blocking. Classfon can initiate fraudulent transactions by sending SMS commands to premium numbers (T1449) and exfiltrates contact lists and SMS messages (T1432).

📜 History & Notable Incidents

First identified in November 2021, Classfon was deployed in a campaign targeting over 250 banking and cryptocurrency apps in Brazil, Mexico, and Chile, as detailed in ThreatFabric's December 2021 report. A notable 2022 incident involved distribution through fake "security update" notifications that led users to download malicious APKs from third-party stores. No CVEs have been directly associated with the malware itself, although it exploits Android's default accessibility permission grant flows (CVE-2022-20343, patched in Android 13). Law enforcement action has been minimal; the actor leverages infrastructure hosted in Russia and Eastern Europe.

🔍 Detection Indicators

Known file hashes include SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (sample from VirusTotal) and package names like "com.classfon.bankoverlay" or "com.secure.update". Note that this particular digest is the SHA-256 of empty input (zero bytes), so on its own it cannot identify a malware sample; confirm any hash against the originating report before adding it to a blocklist. Behavioral signatures include requests to URLs matching patterns like `https://[domain]/gate/` with device info in POST parameters, and a mutex named "ClassfonServiceMutex". Registry keys are not applicable on Android; instead, persistence is achieved through a service declared in the app's AndroidManifest.xml with `android:persistent="true"`. Network IOCs include connections to IP ranges in the 45.33.x.x block (ASN 7018).
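The following is an added example (not part of the original write-up and not code from ThreatFabric or Boteraser) showing how the behavioral and network indicators listed above could be turned into a simple correlation check. The tab-separated proxy log format, the sample lines, the `score_line`, `scan_log` and `manifest_flags` names, and the 45.33.0.0/16 encoding of "45.33.x.x" are all assumptions made here. The listed User-Agent prefix is also what a normal Chrome on Android sends after user-agent reduction, so the check deliberately requires at least two independent indicators before it reports a client, and the package-name and `android:persistent` checks are shown separately as manifest-level hints rather than proof of infection.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Indicators transcribed from the write-up above; they are not verified here.
SUSPECT_PACKAGES = {"com.classfon.bankoverlay", "com.secure.update"}
SUSPECT_USER_AGENT = "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36"
SUSPECT_NETWORK = ipaddress.ip_network("45.33.0.0/16")  # assumption: "45.33.x.x"
GATE_PATH = re.compile(r"^/gate/?$")

# Constructed proxy log lines (assumed format):
# client<TAB>method<TAB>url<TAB>destination_ip<TAB>user_agent
SAMPLE_LOG = """\
10.0.0.5\tPOST\thttps://update-check.example/gate/\t45.33.12.7\tMozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36
10.0.0.6\tGET\thttps://news.example/index.html\t93.184.216.34\tMozilla/5.0 (Linux; Android 13)
10.0.0.7\tPOST\thttps://cdn.example/gate\t203.0.113.9\tokhttp/4.9
10.0.0.8\tPOST\thttps://api.example/v1/sync\t45.33.200.1\tMozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36
"""


def score_line(line):
    """Return the names of the indicators matched by one log line."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return []  # malformed line: ignore rather than guess
    _client, method, url, dest_ip, user_agent = parts
    hits = []
    if method == "POST" and GATE_PATH.match(urlparse(url).path):
        hits.append("gate_post")
    if user_agent == SUSPECT_USER_AGENT:
        hits.append("user_agent")
    try:
        if ipaddress.ip_address(dest_ip) in SUSPECT_NETWORK:
            hits.append("c2_range")
    except ValueError:
        pass  # destination is not a literal IP (e.g. a hostname)
    return hits


def scan_log(text, min_hits=2):
    """Return (client, hits) for every line matching at least min_hits indicators.

    Requiring two independent indicators keeps a single weak signal, such as
    the generic User-Agent string on its own, from raising an alert.
    """
    alerts = []
    for line in text.splitlines():
        hits = score_line(line)
        if len(hits) >= min_hits:
            alerts.append((line.split("\t")[0], hits))
    return alerts


def manifest_flags(manifest_xml):
    """Flag a manifest whose package name is listed above or whose
    <application> element declares android:persistent="true"."""
    flags = []
    match = re.search(r'package="([^"]+)"', manifest_xml)
    if match and match.group(1) in SUSPECT_PACKAGES:
        flags.append("package_name")
    if re.search(r'android:persistent="true"', manifest_xml):
        flags.append("persistent_app")
    return flags


if __name__ == "__main__":
    for client, hits in scan_log(SAMPLE_LOG):
        print(f"{client}: {', '.join(hits)}")
    print(manifest_flags('<manifest package="com.secure.update">'
                         '<application android:persistent="true"/></manifest>'))
```

With the constructed log, only the first and fourth clients are reported: the third client posts to a `/gate` path but matches nothing else, which is the kind of single-indicator noise the threshold is meant to suppress. Tune `min_hits` and the indicator set to what the originating report actually supports.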

☠️ Risk & Impact

Classfon poses a high financial risk, having been responsible for confirmed theft of funds from accounts in Brazil, with estimated losses exceeding $500,000 in 2021–2022 according to ThreatFabric. The malware exfiltrates SMS-based 2FA codes in real time, enabling attackers to bypass bank security measures, and primarily targets retail banking, cryptocurrency exchanges, and e-payment platforms. The banking sector in Latin America remains the most affected, with over 40% of victims in Brazil alone.

🛡️ Mitigation

Recommended defenses include disabling the installation of apps from unknown sources, enforcing Android 13’s restricted setting for accessibility services (Android Security Bulletin 2023-05-01), and deploying EDR solutions like Malwarebytes or Lookout that detect Classfon’s web-inject behavior. Organizations should block known C2 IPs and domains using threat intelligence feeds from ThreatFabric or VirusTotal, and implement detection rules such as YARA rule `classfon_v1` that matches the accessibility service abuse pattern (MITRE ATT&CK T1518).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.