Banking Trojans on the Rise - Becoming More Sophisticated

Greg Edwards

With the Dyre Banking Trojan going silent or being completely shut down in early 2016, we shouldn’t be surprised that other banking Trojans have emerged. Android/Spy.Agent.SI and GozNym have been the first to capitalize on the open market since the demise of Dyre. Unfortunately for consumers, the outlook for their cybersecurity well-being isn’t pretty.


Android Spy Agent was discovered in March by ESET. The Trojan targets up to 20 banking applications on Android devices and, once it has gained access, can steal the login credentials of mobile banking customers.

Android/Spy.Agent.SI spreads by imitating a Flash Player application, with an icon that looks legitimate next to the actual Flash Player. Once installed, the malware searches the device for any of the targeted banking applications. If one is present, the malware loads a fake login screen when that application is launched. The screen stays locked until a username and password are submitted, which hands this information to the criminals.

What makes this Trojan unique is that it can bypass Two-Factor Authentication (2FA). Once the criminals have the information from the Trojan, they can use it to start stealing money from the individual. With 2FA, however, some banks require that you enter a code that is texted to you to log in to your account. Android/Spy.Agent.SI allows hackers to retrieve all text messages received on the device and remove them, so the texted code ends up in their hands.
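A defender-side triage check for the pattern described above (an app labelled as Flash Player that also has access to text messages), as an added example that is not part of the original article or any vendor's tooling. It parses `aapt dump badging` output; the sample manifests, their package names and the heuristic are constructed for illustration, and `com.adobe.flashplayer` as the genuine package name is an assumption.

```python
import re

# Assumption: package name of the genuine Adobe Flash Player for Android.
GENUINE_FLASH_PACKAGE = "com.adobe.flashplayer"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                   "android.permission.WRITE_SMS"}

PKG_RE = re.compile(r"^package: name='([^']+)'", re.M)
LABEL_RE = re.compile(r"^application-label(?:-[\w-]+)?:'([^']*)'", re.M)
# aapt prints uses-permission:'X' (older builds) or uses-permission: name='X'.
PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=)?'([^']+)'", re.M)

# Constructed sample inputs (not taken from any real app or malware sample).
SAMPLE_SUSPECT = """package: name='com.example.fp.update' versionCode='1' versionName='1.0'
application-label:'Flash Player'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission:'android.permission.READ_SMS'
"""
SAMPLE_BENIGN = """package: name='com.example.notes' versionCode='7' versionName='2.3'
application-label:'Notes'
uses-permission: name='android.permission.INTERNET'
"""

def parse_badging(text):
    """Extract package name, labels and permissions from `aapt dump badging` output."""
    pkg = PKG_RE.search(text)
    return {
        "package": pkg.group(1) if pkg else None,
        "labels": {label.lower() for label in LABEL_RE.findall(text)},
        "permissions": set(PERM_RE.findall(text)),
    }

def triage(text):
    """Return findings for one app; an empty list means nothing was flagged."""
    app = parse_badging(text)
    findings = []
    imitates_flash = any("flash player" in label for label in app["labels"])
    if imitates_flash and app["package"] != GENUINE_FLASH_PACKAGE:
        findings.append("label imitates Flash Player but package is " + str(app["package"]))
    sms = sorted(app["permissions"] & SMS_PERMISSIONS)
    if imitates_flash and sms:
        findings.append("Flash Player look-alike requests SMS access: " + ", ".join(sms))
    return findings

if __name__ == "__main__":
    for name, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

A hit from this check is a reason to pull the APK for closer analysis, not a verdict.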



Two powerful Trojans, Nymaim and Gozi ISFB, have combined to create a hybrid Trojan called GozNym. As we previously reported, the Trojan managed to steal $4 million from 24 U.S. and Canadian banks in the first three days of April 2016.

“GozNym is an extremely stealthy Trojan combining the best of both Nymaim and Gozi ISFB to create a very problematic threat,” said Limor Kessem, a cybersecurity expert with IBM’s X-Force Research Division. “The attack numbers for GozNym have been extremely high given it’s only been around since April.”

GozNym is delivered through email messages carrying a malware-infected attachment with macros. Once the malware has infiltrated the system, attackers can manipulate the victim’s browser, steal credentials and transfer money out of the victim’s accounts.

While the Gozi and Nymaim Trojans have been around since 2007 and 2013 respectively, the source code of both was leaked, which allowed a third party to combine the two and create the GozNym hybrid. The Trojan uses the two-stage malware dropper deployed with Nymaim: once it infiltrates a system, it retrieves the Gozi component that is responsible for the Trojan’s ability to steal banking information.

Banking Trojan Outlook

With the emergence of Android/Spy.Agent.SI and GozNym within the last two months, we can only speculate that banking Trojans are going to get more prolific and sophisticated. The complexity level only increases with each new Trojan that is released. Dyre was the first one that went directly after consumers, and it had a huge level of complexity. Now, the Android and GozNym Trojans have brought a new level of sophistication to their malware, which will make it even more difficult for cybersecurity experts to fix or completely shut down.

While it’s inevitable that there will be a patch or fix to these Trojans, it’s just as certain that new banking Trojans will emerge once these are obsolete. Unfortunately, that’s the world in which we live. It’s expected that the bounty stolen by cybercriminals will exceed $600 billion for 2016. The margin cybercriminals are seeing by simply sitting at their computers and infiltrating systems is too high for them just to disappear.

Fortunately, WatchPoint has a solution to keep you protected and to act as first responders to an attack. By utilizing WatchPoint tripwires and forensic collection through Carbon Black, we can detect and isolate advanced threats on your network. The forensic experts at WatchPoint work to stop any intrusion within the first hour of a cyberattack. This “Golden Hour” can make or break any forensic investigation, and it’s important to your cybersecurity and financial well-being to get it right the first time.

Contact us today to see how a partner like WatchPoint can secure and protect your network from the next generation of cybercriminals.
