David Morán, Mar 15, 2021

Toddler: Credential theft overlays and accessibility event logging

In January of 2021, a new family of previously undetected banking malware was discovered. The samples were found on the VirusTotal and Koodous malware analysis platforms.

Several antimalware engines flagged these samples as malicious from the outset, mainly because they reuse the credential-theft techniques of established banking families such as Cerberus and Anubis Bankbot. Detection logic built for those families therefore recognised the malicious functionality and marked the new applications as malware.

As we will see, this new banker is not much different from the other banking trojans found on Android. It follows the usual credential-theft approach: web injections (overlays) that present the user with a WebView loading a phishing page that imitates the login interface of the targeted bank, so that whatever the victim types into it is captured by the attacker.
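Overlay bankers of this kind need two capabilities that show up in the APK manifest before any code is run: the draw-over-other-apps permission to place the WebView over the real banking app, and an AccessibilityService to watch which app is in the foreground and to log accessibility events. The following static triage script is an added example, not code from the Toddler report or from the malware itself: it parses a decoded AndroidManifest.xml (as produced by apktool) and flags that combination. The two sample manifests, the package names and the verdict thresholds are constructed for illustration.

```python
"""Static triage for Android overlay/accessibility bankers (added example).

Flags a decoded AndroidManifest.xml that combines SYSTEM_ALERT_WINDOW
(overlay over the real app) with an exported AccessibilityService
(foreground-app detection and event logging). Sample manifests below
are constructed; they are not from any real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(name: str) -> str:
    # ElementTree stores namespaced attributes as "{namespace}name".
    return "{%s}%s" % (ANDROID_NS, name)


OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
# Capabilities bankers often pair with overlays (SMS OTP interception,
# dropping a second stage, surviving Doze). Not decisive on their own.
SECONDARY_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}


def triage_manifest(xml_text: str) -> dict:
    """Return overlay/accessibility indicators and a coarse verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(_attr("name")) for e in root.iter("uses-permission")}

    # An accessibility service is one that is protected by the bind
    # permission AND filters the AccessibilityService action.
    a11y_services = []
    for svc in root.iterfind("./application/service"):
        if svc.get(_attr("permission")) != A11Y_BIND_PERM:
            continue
        actions = {a.get(_attr("name")) for a in svc.iter("action")}
        if A11Y_ACTION in actions:
            a11y_services.append(svc.get(_attr("name")))

    overlay = OVERLAY_PERM in perms
    if overlay and a11y_services:
        verdict = "high"      # classic overlay-banker combination
    elif overlay or a11y_services:
        verdict = "medium"    # one half of the pattern; review manually
    else:
        verdict = "low"

    return {
        "package": root.get("package"),
        "overlay": overlay,
        "accessibility_services": a11y_services,
        "secondary": sorted(perms & SECONDARY_PERMS),
        "verdict": verdict,
    }


# Constructed sample: a fake "Flash Player" dropper-style manifest.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeflashplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Flash Player">
    <activity android:name=".MainActivity"/>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: an ordinary app with no overlay or a11y capability.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(m))
```

A legitimate accessibility app or a screen-overlay utility will also trip this heuristic, so treat the verdict as a triage priority, not a detection: the next step is to look at the service's accessibility config (which event types and packages it subscribes to) and at what the WebView loads.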

Below we discuss the distribution channels the attackers could have used to spread it, and then look at how the malware operates, covering the credential-theft techniques as well as the theft of other information from the device.

Take a look at our report, which you can download from here.


David Morán

David has more than 15 years' experience in cybersecurity, systems and development, starting out in a now-defunct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He gained experience with large-scale environments through his work at the Tuenti social network, which handled a traffic load of over 12 Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits, as well as malware for Windows environments. He is currently the head of Revelock's development team, managing task distribution and negotiating with the Head of Technology.