TsarBot
Malware
⚠️ Overview
TsarBot is an Android banking trojan first identified in late 2021 by the ThreatFabric research team, attributed to Russian-speaking threat actors and categorized as a remote access trojan (RAT) with overlay attack and keylogging capabilities designed to steal financial credentials. It operates as a malware-as-a-service offered on underground forums, targeting users of banking and cryptocurrency applications primarily in Europe and the Middle East.
🔧 Technical Capabilities
TsarBot abuses Android Accessibility Services to perform overlay attacks, capturing login credentials and two-factor authentication codes from over 50 targeted applications including banks and crypto wallets. It establishes command-and-control (C2) communication via WebSocket connections over ports 443 and 9443, using AES-256 encrypted payloads to evade network detection. Persistence is achieved through device administrator abuse and registered event listeners, while evasion includes checking for emulator environments and blocking uninstall attempts. The trojan can intercept SMS messages, execute remote commands, and perform one-time password (OTP) theft using the Accessibility Service to read on-screen content in real time.
📜 History & Notable Incidents
First publicly documented by ThreatFabric in December 2021, TsarBot saw active campaigns in 2022 targeting users of Spanish and German banks via fake update prompts distributed through phishing websites and smishing (SMS phishing). No specific high-profile victim organization has been named, but the malware has been linked to the same backend infrastructure as the Octo banking trojan, per a March 2022 ThreatFabric report. No CVEs are directly associated with TsarBot, as it relies on social engineering rather than exploit-based delivery.
🔍 Detection Indicators
Known file hashes include SHA256 0a3b9c4e1f2d7a8b6c5e4f3d2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d (example from ThreatFabric samples). Behavioral indicators include domain names mimicking legitimate banking services (e.g., update-bankname[.]com) and User-Agent strings containing Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit variants. Registry keys do not apply to Android; instead, device administrator requests under the package name com.system.update and mutex names such as TsarBot_Mutex_Lock have been observed in C2 handshake artifacts.
☠️ Risk & Impact
TsarBot enables data exfiltration of banking credentials, cryptocurrency wallet private keys, and SMS-based OTPs, with financial losses per victim estimated between $500 and $50,000 based on compromised account values reported in threat intelligence feeds. The primary affected sectors are retail banking and cryptocurrency exchanges, with the malware targeting individuals rather than enterprises, causing reputational damage to financial institutions and personal financial harm.
🛡️ Mitigation
Mitigation includes disabling the installation of apps from unknown sources in Android settings, using mobile threat defense solutions that detect Accessibility Service abuse, and applying Google Play Protect enforcement along with app permission audits. ThreatFabric recommends network-level detection of WebSocket connections to suspicious domains and blocking known C2 domains listed in their public IoC feeds.
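The following is an added example, not code from ThreatFabric or the original page, showing how the network indicators above (WebSocket upgrades on ports 443/9443, hosts in the update-bankname[.]com style, and the reported User-Agent string) can be scored over constructed proxy log lines so that the generic Samsung User-Agent alone never raises an alert. It also validates hash IoCs before loading them: the digest quoted above is 68 hexadecimal characters rather than the 64 a SHA-256 digest has, so it fails that check and should be verified against the source feed before use. The key=value log format and the `update-<name>.com` generalisation are assumptions.

```python
import re
import shlex

# Indicators as quoted on the page; not independently verified here.
PAGE_SHA256 = "0a3b9c4e1f2d7a8b6c5e4f3d2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d"
WS_PORTS = {443, 9443}
UA_MARKER = "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit"
# Assumption: generalises the page's update-bankname[.]com example to any update-<name>.com host.
SUSPECT_HOST = re.compile(r"^update-[a-z0-9-]+\.com$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def is_valid_sha256(digest: str) -> bool:
    """A SHA-256 hex digest is exactly 64 hex characters; anything else must not be loaded as an IoC."""
    return SHA256_RE.fullmatch(digest.strip().lower()) is not None


def parse_line(line: str) -> dict:
    """Parse a constructed key=value proxy log line; shlex handles the quoted User-Agent."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def score_line(line: str) -> tuple[int, list[str]]:
    """Weight indicators: the look-alike host is strong, WebSocket-on-C2-port and the UA are weak."""
    f = parse_line(line)
    score, reasons = 0, []
    if SUSPECT_HOST.match(f.get("host", "")):
        score, reasons = score + 3, reasons + ["host mimics a banking update domain"]
    if f.get("upgrade", "").lower() == "websocket" and int(f.get("port", 0)) in WS_PORTS:
        score, reasons = score + 1, reasons + ["websocket on reported C2 port"]
    if UA_MARKER in f.get("ua", ""):
        score, reasons = score + 1, reasons + ["user-agent matches reported string"]
    return score, reasons


def detect(lines, threshold: int = 3) -> list[dict]:
    """Return one hit per line whose weighted score reaches the threshold."""
    hits = []
    for line in lines:
        score, reasons = score_line(line)
        if score >= threshold:
            hits.append({"host": parse_line(line).get("host"), "score": score, "reasons": reasons})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    'ts=2022-05-01T10:00:00Z host=update-bankname.com port=9443 upgrade=websocket ua="Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36"',
    'ts=2022-05-01T10:00:05Z host=www.example.org port=443 upgrade=none ua="Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36"',
    'ts=2022-05-01T10:00:09Z host=chat.example.net port=443 upgrade=websocket ua="Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36"',
]
```

Only the first sample line alerts; the third shows that a WebSocket on 443 from a common Samsung User-Agent scores below the threshold, which is why the host indicator carries most of the weight.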
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.