David Morán Aug 9, 2021 11 min read

Toddler Expands its Range of Affected European Entities

Today we are going to talk about Toddler, also known as NotFlubot, Anatsa or Teabot, a banking trojan for Android that we have talked a lot about in this report, and that was discovered for the first time in January of this year.


As we saw back then, these first samples of the trojan, which targeted Spanish and German entities, were uploaded to thee VirusTotal and Koodous platforms, being detected right from the get-go as malicious by various antivirus firms, as well as by malware analysts.

This is due to the fact that the trojan shares the same strategies as other families such as Cerberus or Anubis Bankbot when it comes to stealing the credentials of users whose terminals are affected, not incorporating any major differences with respect to other banking trojans targeting users with Android devices.

As we will see in this article, in the last month new samples have been detected that affect banking entities located in European countries not previously listed, and we've also managed to detect that the authors behind these malicious applications have begun to use spread techniques similar to those of the FluBot banking trojan.


Given that the Toddler samples found were initially uploaded to VirusTotal and subsequently analyzed by researchers, we couldn't be certain about which distribution and spread methods this malware had followed, as there was no additional information.

However, we guessed that, seeing how we do know which propagation strategies are most commonly used by these types of threats, and since the trojan was very similar to other banking trojans for Android, it was very likely that the same techniques had been followed, such as distribution through a fraudulent website.

These assumptions have been validated in the findings recently discovered, as the Toddler banking trojan has been seen to be copying Flubot's propagation strategy to steal users' banking credentials.

This well-known technique begins with an SMS where the potential victim is informed about a supposed package that is going to be delivered. This message, which is sent from already infected phones, contains a link to a page in which a logistics company is impersonated and in which the user is asked to install an application in order to obtain information about the package in question.

Fraudulent website to download the app

Fraudulent website to download the app

After this, and given the protections that come with Android devices, the user is asked to enable the installation of apps from external sources, in order to achieve their goal and get the malicious app installed on the system.

Affected Entities

As we've already mentioned, in the recently detected samples there are some changes that have been found in the list of affected banking entities compared to those that we listed in the full report where we analyzed this new trojan in depth.

SHA256 sample: 9f8745ed8d371a478df567060488585c9655df22b1d69745a55f08e1531219a3

SHA256 sample: 9f8745ed8d371a478df567060488585c9655df22b1d69745a55f08e1531219a3

As on other occasions, we can access the list of applications affected by the keylogger module through one of the URLs of the control server that we find in the sample analyzed in the previous image: hxxp://185[.]215[.]113[.]31:82/api/getkeyloggers

List of affected entities

List of affected entities

When comparing the results presented with those in the initial report, we find that the list of entities that may be affected by this banking trojan has varied, where the most notable change is that the number of entities it targets has tripled.

On the other hand, as we already commented on at the beginning of this article, in addition to including several banking entities from countries such as Spain and Germany, we find others corresponding to countries such as Italy, Belgium and the Netherlands, which were not affected in the first samples of Toddler detected. The complete list can be found broken down in the corresponding annex.


In the past month, cybercriminals have started to launch campaigns targeting European users with Toddler, an Android banking trojan also known as Teabot, Anatsa or NotFlubot, which bears similarities to other malware families whose aim is to steal bank credentials from the users of these devices.

Specifically, according to the recently investigated samples, the actors behind this new trojan have started targeting banks located in Italy and Belgium, while also keeping those from other countries in Spain and Germany on the list of affected entities. In addition, forms of distribution identical to those carried out by the Flubot trojan have been detected, whose bait, as in other cases, is the sending of an SMS that informs the user about the delivery of a supposed package. We will continue to be on the lookout for any new updates that may occur in both.

Hash of the samples:

  • 9f8745ed8d371a478df567060488585c9655df22b1d69745a55f08e1531219a3
  • 435df4a0db36c737c2ab601fbd3b4b90f4b78999b582d75a6d9e403e130b18ef
  • aaf4ba3d9dc2605e440d6f1be02fcef77675f9ef46712a1a28bdbcf9afbac3ce



  • es.lacaixa.mobile.android.newwapicon
  • es.cm.androides.bancosantander.apps
  • com.bbva.bbvacontigo
  • net.inverline.bancosabadell.officelocator.android
  • com.kutxabank.android
  • es.ibercaja.ibercajaapp
  • es.liberbank.cajasturapp
  • es.openbank.mobile
  • app.wizink.es
  • com.grupocajamar.wefferent
  • piuk.blockchain.android
  • com.binance.dev
  • com.coinbase.android
  • vivid.money
  • de.commerzbanking.mobil
  • de.comdirect.android
  • com.mobileloft.alpha.droid
  • com.starfinanz.smob.android.sfinanzstatus
  • de.fiducia.smartphone.android.banking.vr
  • de.ingdiba.bankingapp
  • de.postbank.finanzassistent
  • de.santander.presentation
  • de.sdvrz.ihb.mobile.secureapp.sparda.produktionde.traktorpool
  • eu.unicreditgroup.hvbapptan
  • com.db.pbc.miabanca
  • com.db.pwcc.dbmobile
  • com.ing.mobile
  • nl.regiobank.regiobankieren
  • bvm.bvmapp
  • com.triodos.bankingnl
  • com.abnamro.nl.mobile.payments
  • nl.rabomobiel
  • nl.asnbank.asnbankieren
  • de.dkb.portalapp
  • be.belfius.directmobile.android
  • be.argenta.bankieren
  • com.db.pbc.mybankbelgium
  • com.beobank_prod.bad
  • be.axa.mobilebanking
  • be.bmid.itsme
  • com.ing.banking
  • com.bnpp.easybanking.fintro
  • com.bnpp.easybanking
  • com.kbc.mobile.android.phone.kbcbrussels
  • com.kbc.mobile.android.phone.kbc
  • be.keytradebank.phone
  • com.bpb.mobilebanking.smartphone.prd
  • exodusmovement.exodus
  • com.unicredit
  • com.latuabancaperandroid
  • it.bnl.apps.banking
  • it.copergmps.rt.pf.android.sp.bmps
  • posteitaliane.posteapp.appbpol
  • it.carige
  • posteitaliane.posteapp.apppostepay
  • co.mona.android
  • posteitaliane.posteapp.appposteid
  • com.fineco.it
  • de.number26.android
  • it.phoenixspa.inbank
  • it.icbpi.mobile
  • it.widiba.bol
  • it.iwbank.banking
  • it.gruppobper.ams.android.bper
  • com.cajaingenieros.android.bancamovil
  • com.indra.itecban.triodosbank.mobile.banki
  • com.mediolanum
  • es.evobanco.bancamovil
  • com.indra.itecban.mobile.novoba
  • es.cecabank.ealia2103appstore
  • com.imaginbank.app
  • es.caixabank.caixabanksign
  • es.caixagalicia.activamovil

David Morán

David has more than 15 years’ experience in cybersecurity, systems and development, starting out in an extinct hacking team known as Badchecksum. He collaborated on Defcon 19 with the Painsec security team. He is versed in scalable environments thanks to his work at the Tuenti social network with a traffic load of over 12Gbps. He has been involved with buguroo almost since the outset and has taken part in all the tools developed by the company, including source code analysers, malware analysis, cyber intelligence, etc. He also has in-depth knowledge of the Linux kernel, having developed LKMs that acted as rootkits as well as malware for Windows environments. He is currently the head of Revelock’s development team, managing task distribution and negotiating with the Head of Technology.