Malware Toddler empties the bank accounts of Android phone users

New Android malware is spreading across Europe. Malware called Toddler was first spotted in January this year. The Trojan, discovered by researchers at the company Cleafy, was used in attacks on customers of 60 European banks while still in the development phase.

Last month, antivirus maker Bitdefender announced that Spain and Italy were hotbeds of infection, although banks in the UK, France, Belgium, Australia and the Netherlands were also targeted. In Spain, at least 7,632 mobile devices have been infected with this malware so far.

On the server used by the cybercriminals, researchers found login data for the accounts of more than 1,000 bank customers.

Infection vectors vary. Although the Trojan has not been found in the Google Play store so far, a number of legitimate websites have been found to be compromised and used to distribute the Toddler malware.

Although Toddler is configured to target customers of “dozens” of banks across Europe, 100% of the infections detected so far are on devices of customers of only 18 banks. Moreover, 90% of those infected are customers of five banks, which points to a successful phishing campaign that relies on SMS.

Toddler has all the features you would expect from this type of malware: data theft, including bank account information, keylogging, screenshots, interception of two-factor authentication (2FA) codes, SMS interception, and a connection to the attacker’s C2 server for exfiltrating information, receiving commands, and enrolling the infected device in the botnet.

The Trojan uses so-called “overlay” attacks to trick victims into submitting their bank login credentials to fake login screens. After installation, the malware monitors which applications are opened, and when a targeted application is launched, the attack begins by covering that application with a fake window.

“Toddler is downloading a specially designed login page for an open target application from its server,” say PRODAFT researchers, who shared their knowledge of the malware with ZDNet. “The downloaded page is then set over the target application. The user has no doubts because this happens almost as soon as the legitimate application is opened.”

The malware will also try to steal other data, such as those used to access cryptocurrency wallets.

The list of C2 commands includes turning on the screen of the infected device, requesting permissions, changing the volume, reading codes from Google Authenticator using the Android accessibility service, and uninstalling applications.

Toddler has several mechanisms for surviving on the device, the most important of which is preventing the infected device from being restarted by abusing accessibility features.

Toddler can also prevent the handset from being used in safe mode.
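The overlay, screenshot and accessibility-service abuse described above are all things a banking app can harden itself against on the device. The following is an added example written for this page, not code from Cleafy, PRODAFT, Bitdefender or any affected bank; the class and method names are my own, and the allowlist of accepted accessibility packages is a placeholder an app would fill in from its own policy. It uses only public Android framework APIs: `FLAG_SECURE` blocks screenshots and screen recording of the login screen, `setFilterTouchesWhenObscured` plus the `FLAG_WINDOW_IS_OBSCURED` check discard taps that arrive while another window covers the app, and `getEnabledAccessibilityServiceList` lets the app notice an unexpected accessibility service before it performs a sensitive action.

```java
// Added example (not from the researchers or any bank's app): app-side
// mitigations against overlay, screenshot and accessibility-service abuse.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.FrameLayout;
import java.util.ArrayList;
import java.util.List;

public class OverlayHardenedLoginActivity extends Activity {

    // Placeholder allowlist: packages of accessibility services the app accepts
    // (e.g. a screen reader). A real app fills this from its own policy.
    private static final List<String> ACCEPTED_ACCESSIBILITY_PACKAGES = new ArrayList<>();

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Block screenshots and screen recording of this window. This does not
        // stop an overlay, but it defeats screen capture of the login form.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        // A real app inflates its login layout here; an empty container is used
        // to keep the example self-contained.
        FrameLayout root = new FrameLayout(this);
        // Drop touch events delivered while another window is drawn on top of
        // this view, so taps routed through an overlay do not reach the form.
        root.setFilterTouchesWhenObscured(true);
        setContentView(root);

        List<String> unexpected = unexpectedAccessibilityServices(this, ACCEPTED_ACCESSIBILITY_PACKAGES);
        if (!unexpected.isEmpty()) {
            // Defensive reaction is app policy: warn the user, log telemetry,
            // or refuse to show the login form until the service is reviewed.
            onUnexpectedAccessibilityServices(unexpected);
        }
    }

    // Returns the ids ("package/service") of enabled accessibility services
    // whose package is not on the allowlist. Accessibility services can read
    // screen content (including authenticator codes) and inject actions, so an
    // unexpected one is worth surfacing before a sensitive operation.
    public static List<String> unexpectedAccessibilityServices(Context ctx, List<String> allowedPackages) {
        List<String> result = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return result;
        }
        for (AccessibilityServiceInfo info
                : am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String id = info.getId();
            int slash = id.indexOf('/');
            String pkg = slash > 0 ? id.substring(0, slash) : id;
            if (!allowedPackages.contains(pkg)) {
                result.add(id);
            }
        }
        return result;
    }

    // Belt-and-braces check at the Activity level: the framework marks touches
    // that arrive while the window is obscured by another window.
    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            onObscuredTouch();
            return false; // swallow the event rather than act on it
        }
        return super.dispatchTouchEvent(ev);
    }

    // Hooks for the app's own logging or user-facing handling (hypothetical).
    protected void onUnexpectedAccessibilityServices(List<String> serviceIds) { }

    protected void onObscuredTouch() { }
}
```

None of this removes malware that is already installed; the checks reduce what an overlay or a rogue accessibility service can achieve against this one screen and give the app a signal to record. Since Toddler also reads 2FA codes through the accessibility service, the accessibility check is the one most directly relevant to the behaviour reported above.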

“Removing malware from the device requires great technical expertise, and it seems that this process will not be easier in the future,” the researchers warned.
