
Added to the Dr.Web virus database: 2015-12-16

Virus description added:

Known samples (SHA-1):

0004194f6ef57fe77fd23734a897e74fda56ebb0 (obfuscated modification, detected as Android.ZBot.2.origin)
dc7b430bc5bb002c8bc8312050d2063d4e9e935d (obfuscated modification, detected as Android.ZBot.3.origin)

A banking Trojan for Android mobile devices designed to steal money from users' bank accounts. It masquerades as a benign application and reaches the device either when the user visits a fraudulent or compromised website or when another malicious application already on the device downloads it.

On first launch, Android.ZBot.1.origin requests device administrator privileges and displays an error message urging the user to reboot the system. It then removes its icon from the home screen so that the user cannot easily find or uninstall it.


If the user refuses to grant the requested privileges, Android.ZBot.1.origin instead tries to steal the user's bank card details by showing a bogus dialog that imitates the card-entry form of the legitimate Google Play application. The same dialog can also be shown some time after installation.


To start automatically whenever the compromised device is powered on, Android.ZBot.1.origin registers a broadcast receiver (OnBootReceiver) for the following system events:

  • android.intent.action.BOOT_COMPLETED: sent when the system has finished booting
  • android.intent.action.QUICKBOOT_POWERON: sent when the device resumes from the Fast Boot mode rather than performing a regular boot, so the Trojan is restarted in that case too.
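A practitioner triaging a decoded APK will want to check the manifest for exactly this combination: a receiver subscribed to BOOT_COMPLETED and QUICKBOOT_POWERON, a device-administrator receiver (matching the privilege request described above), and the SMS, call and overlay permissions the later command list requires. The script below is an added example, not Dr.Web's code or the Trojan's; the two manifests it parses are constructed for illustration, and the component names (.OnBootReceiver, .AdminReceiver, .UpdateService, the package names) are assumptions based on the class names mentioned on this page.

```python
"""Static triage of a decoded AndroidManifest.xml for boot persistence,
device-admin abuse and risky permissions.  Added example; the manifests
below are constructed, not taken from a real sample."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.QUICKBOOT_POWERON",
}
ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.CALL_PHONE",
}

# Constructed manifest modelled on the behaviour described above (names assumed).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".OnBootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".UpdateService"/>
  </application>
</manifest>
"""

# Constructed benign manifest used as a control case.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return the persistence / privilege markers found in a manifest."""
    root = ET.fromstring(xml_text)
    findings = {"boot_receivers": [], "device_admin_receivers": [],
                "risky_permissions": []}
    for perm in root.iter("uses-permission"):
        name = attr(perm, "name")
        if name in RISKY_PERMISSIONS:
            findings["risky_permissions"].append(name)
    for receiver in root.iter("receiver"):
        actions = {attr(a, "name") for a in receiver.iter("action")}
        rname = attr(receiver, "name")
        if actions & BOOT_ACTIONS:
            findings["boot_receivers"].append((rname, sorted(actions & BOOT_ACTIONS)))
        if ADMIN_ACTION in actions:
            findings["device_admin_receivers"].append(rname)
    return findings


def is_suspicious(findings):
    """Heuristic: boot persistence + device admin + at least two risky permissions."""
    return (bool(findings["boot_receivers"])
            and bool(findings["device_admin_receivers"])
            and len(findings["risky_permissions"]) >= 2)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        f = triage_manifest(text)
        print(label, "suspicious" if is_suspicious(f) else "clean", f)
```

Run it against a manifest decoded with apktool (the binary manifest inside the APK must be decoded first; this parser expects plain XML). The heuristic is deliberately conservative: a boot receiver alone is common in legitimate apps, so the verdict requires the device-admin receiver and the risky-permission set as well.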

Once in control, the Trojan launches the malicious UpdateService, which tracks user activity through the android.intent.action.SCREEN_OFF and android.intent.action.SCREEN_ON broadcasts and uses AsyncTask to run asynchronous tasks that connect to the server. Through these tasks Android.ZBot.1.origin sends information about the compromised device to the command and control (C&C) server and receives instructions in JSON (JavaScript Object Notation). The server also receives the confidential data entered by the user, together with reports on the Trojan's activity and its runtime errors.

Upon a command from cybercriminals, Android.ZBot.1.origin can execute the following actions:

  • Send an SMS with a specific text to a specified number
  • Make a phone call
  • Send text messages to all of the user's contacts
  • Intercept incoming SMS messages
  • Report the device's current GPS coordinates
  • Display a special dialog (overlay) on top of a specified application

Once a compromised device is registered with the server, the Trojan receives a command to check the user's bank account. If funds are available, it automatically transfers a specified sum to the cybercriminals' accounts. Moreover, the malicious program intercepts and automatically processes all incoming text messages carrying transaction verification codes from banks, so SMS-based confirmation does not stop the transfer and the victim learns about the theft not immediately but some time later.

To display its custom dialogs, the Trojan receives from the server a list of applications on top of which a phishing message is to be shown. Android.ZBot.1.origin then checks whether any of these applications are installed on the device. For each match, it periodically checks whether the corresponding application is running. As soon as such an application is launched, the banking Trojan connects to the C&C server, downloads HTML code and renders it in a WebView as a bogus dialog. These fake dialogs typically imitate the login forms of online banking applications. If the victim tries to dismiss the message by tapping "Back", Android.ZBot.1.origin sends the user to the home screen, reinforcing the illusion that the prompt belongs to the legitimate application.


Some malicious functions of Android.ZBot.1.origin (for example, sending text messages) are implemented in a separate native Linux library, libandroid-v7-support.so, stored inside the Trojan's package. Its name imitates the Android support library, and moving the logic into native code is intended to hinder anti-virus detection.

The base address of the Android.ZBot.1.origin C&C server is stored in an SQLite database and can be changed on the cybercriminals' command. By default, different modifications of the Trojan use different C&C server addresses, so the compromised devices form independent botnets.

Although the Android.ZBot.2.origin and Android.ZBot.3.origin modifications have the same functionality as the original malicious program, their code is obfuscated (encrypted) to complicate detection.
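Because the C&C address lives in an SQLite database whose layout is not documented here, a forensic extraction should not depend on a particular schema. The script below, an added example that is not Dr.Web's code, walks every table and text column of a database and pulls out anything that looks like a URL or an IPv4 endpoint. The table layout, values and addresses in build_sample_db are constructed assumptions for demonstration only, not the Trojan's real schema.

```python
"""Schema-agnostic extraction of C&C endpoints from an SQLite database.
Added example; the sample database is constructed with an assumed layout."""
import re
import sqlite3

# Anything with an http(s) scheme, or a bare IPv4 address with optional port.
# Bare host names are deliberately not matched: Android package names such as
# com.bank.example look like domains and would flood the output.
URL_RE = re.compile(
    r"https?://[^\s'\"<>]+"
    r"|\b\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?\b",
    re.I,
)


def build_sample_db():
    """Constructed in-memory sample; table names, keys and addresses are assumed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE settings(k TEXT, v TEXT);
        INSERT INTO settings VALUES('server',   'http://198.51.100.23:8080/api');
        INSERT INTO settings VALUES('backup',   '203.0.113.9:443');
        INSERT INTO settings VALUES('interval', '300');
        CREATE TABLE targets(pkg TEXT, html TEXT);
        INSERT INTO targets VALUES('com.bank.example',
            '<form action="https://panel.example.net/inject">');
    """)
    return conn


def extract_urls(conn):
    """Return (table, column, match) for every URL/IP found in any text cell."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % table)]
        for row in conn.execute('SELECT * FROM "%s"' % table):
            for col, val in zip(cols, row):
                if isinstance(val, (bytes, bytearray)):
                    val = val.decode("utf-8", "replace")   # BLOB columns too
                if not isinstance(val, str):
                    continue
                for m in URL_RE.finditer(val):
                    hits.append((table, col, m.group(0)))
    return hits


if __name__ == "__main__":
    for table, col, url in extract_urls(build_sample_db()):
        print("%s.%s -> %s" % (table, col, url))
```

To run it against a real sample, pull the database from the app's private storage on a rooted device or emulator (adb pull of the file under /data/data/<package>/databases/) and call extract_urls(sqlite3.connect(path)). Since the address can be changed by command, compare the stored value with the one observed on the network; a mismatch tells you the configuration has been updated since installation.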


Curing recommendations


  1. If your mobile device is operating normally, download and install the free Dr.Web for Android Light anti-virus on it. Run a full scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device has been locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the device documentation or contact the manufacturer);
    • then download and install the free Dr.Web for Android Light anti-virus on the infected device, run a full scan and follow the recommendations for neutralising the detected threats;
    • switch your device off and back on.

Dr.Web © Doctor Web
2003 — 2022
