VERY IMPORTANT

A newly discovered Android banking Trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps. It spreads through phishing sites masquerading as legitimate financial platforms and is installed via a dropper disguised as Google Play Services. TsarBot employs overlay attacks to steal credentials, records and remotely controls screens, and uses a fake lock screen to capture device lock credentials. It communicates with its C&C server using WebSocket across multiple ports to receive commands, send stolen data, and execute on-device fraud. The malware's capabilities include screen recording, keylogging, and SMS interception. Evidence suggests the threat actor behind TsarBot is likely of Russian origin.