Android.Banker
Android.Banker is an Android banking trojan family reported by Dr.Web as one of the most widespread mobile banking malware families, with activity increasing significantly through Q4 2025 and Q1 2026. Dr.Web stated that Android.Banker detections increased by 65.52% in Q4 2025 and by more than 2.5 times over the following three months, becoming the most widespread Android threat in Q1 2026. The Android.Banker.Mamont subfamily was identified as the most widespread variant during that period.
Its core capabilities include intercepting SMS messages containing one-time banking transaction confirmation codes, displaying phishing windows, and imitating legitimate banking applications in order to steal confidential data and gain illegal access to victims’ banking accounts. The malware targets Android devices and is associated in the reporting with mobile banking fraud rather than a specifically named threat actor.
Dr.Web also reported that threat actors increasingly used Android app modification and obfuscation tooling to help banking trojans evade detection, including junk-code insertion detected as Tool.Obfuscator.TrashCode and NP Manager modifications detected as Tool.NPMod. The source reporting gives no infection vector specific to Android.Banker beyond its presence on Android devices and the broader distribution of modified and obfuscated apps, and it provides no malware-specific IOCs such as hashes, domains, package names, or C2 infrastructure.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Stealth
Topping the list of the most commonly detected potentially dangerous software were apps to which junk code has been added with the help of Android program modification tools... Currently, this technique is actively being used to protect banking trojans from anti-virus detection.
Members of the Android.HiddenAds family are often distributed as popular and harmless applications... The trojans were concealed in a number of tools for optimizing the operation of Android devices, and were distributed under the guise of messengers, multimedia, and other software.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Android banking trojan family that intercepts SMS transaction confirmation codes, displays phishing windows, imitates banking apps, and steals confidential information.
Android banking trojan family targeting mobile devices; activity increased in Q1 2026, with the Mamont subfamily especially widespread.
Android banking trojan family/category referenced as increasing in activity during 2025.
Android banking trojan family/category label used by Dr.Web; activity increased in 2025.