{"id":49940,"date":"2016-05-26T11:41:15","date_gmt":"2016-05-26T18:41:15","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=49940"},"modified":"2025-05-27T20:42:45","modified_gmt":"2025-05-28T03:42:45","slug":"android-banking-trojan-spylocker-targets-more-banks-in-europe","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/","title":{"rendered":"Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe"},"content":{"rendered":"

Since the discovery of the Android banking Trojan SpyLocker<\/a>, McAfee has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and Turkey. Recently we have found that the distribution method for this malware has changed. In addition to employing malicious websites that pretend to deliver a new version of Flash Player, cybercriminals are now are using hacked sites (including WordPress and Joomla) to distribute the malware posing as a \u201cporn player\u201d:<\/p>\n

\"SpyLocker_InfectedWebsite_PornDroid\"
\nAs soon as the user accesses the website, the following file is downloaded:<\/p>\n

\"SpyLocker_PornVideoDownloaded\"
\nThe \u201cPornDroid\u201d theme of the injected site and the filename \u201cpornvideo.apk\u201d looked familiar to us; that distribution method is very similar to the one used by the Android ransomware Police Locker<\/a>\u00a0at the end of 2014. Could this mean that Police Locker and SpyLocker are related? We decided to take a look at old samples from both malware families and, after some research, we found what seems to be the missing link between the two.<\/p>\n

The purpose of the samples is different (ransomware vs. banking Trojan) but there are some similarities that suggest the creators of the ransomware at some point shifted its focus to target banking users. For example, in both samples we can find the same intent-filter and the same class names for two receivers:
\n\"SpyLocker_GC_Service\"In addition to these receivers, there are more classes in common between the two samples, including Autorun, AdminService, and DeviceAdminChecker:<\/p>\n

\"Spylocker_CommonClasses\"In addition to the hacked websites distribution method, SpyLocker uses adult sites to lure users and trigger the automatic download of the malware:
\n\"Spylocker_Avitoi\"
\nEven when the filename of the downloaded file is pornvideo.apk, when the app is installed it appears to be Flash Player (as with the original variants):
\n\"Spylocker_FlashPlayerIcon\"
\nOr, recently, an \u201cupdate\u201d:<\/p>\n

\"UpdateIcon\"<\/p>\n

As soon as the app is executed, the icon disappears from the home launcher and the malware constantly asks for device administrator privileges to make its removal difficult:<\/p>\n

\"Spylocker_DevAdmin\"<\/p>\n

If the user tries to deactivate the device administrator for the app, the malware locks the device, with the following screen preventing the user from clicking the deactivate button behind the cover:<\/p>\n

\"SpyLocker_AdminLock\"<\/p>\n

SpyLocker originally targeted banks in Australia, New Zealand, and Turkey; now it monitors the opening of banking and financial apps in additional European countries to display the phishing overlay and capture banking credentials. The following is an example of the overlay targeting banks in Poland:<\/p>\n

\"SpyLocker_PolishBanks\"
\nUsers in France are\u00a0also targeted by recent variants of SpyLocker:<\/p>\n

\"SpyLocker_FrenchBanks\"<\/p>\n

A different and more complete phishing overlay was found in variants targeting banks in the United Kingdom:<\/p>\n

\"SpyLocker_UK_Scotland\"<\/p>\n

Instead of showing the phishing overlays from a remote server, recent SpyLocker variants have them implemented in the app itself, perhaps to avoid locking the victim\u2019s device if the remote server is not available. Because of this we found\u00a0that there are plans to target banks in Italy, although the overlay interface is not implemented in the variants that we have seen so far. On the other hand, the overlay interface for Russian banks is already implemented but currently not being used because the package names are not in the list of targeted banks. But they could be included in a new variant at any time.<\/p>\n

SpyLocker also monitors the execution of Google and popular apps such as Instagram and eBay to display the Google phishing overlay, which now attempts to get more than just the email and password of the Google account:<\/p>\n

\"SpyLocker_GooglePhishing_ValitationOfFields\"
\nThe fields in the overlay user interface are now validated. If the victim does not provide the information or if it is incorrect (with credit cards an algorithm confirms that the number is valid), the overlay cannot be skipped\u2014thus hijacking the device until the victim enters the correct information. In the case of the credit card field, SpyLocker validates the type of card and, following that, will display an additional field to capture the second factor of authentication needed for\u00a0electronic transactions:<\/p>\n

\"SpyLocker_2FA_phishing\"
\nIn addition to the phishing functionality, SpyLocker constantly sends encrypted data to a remote server:<\/p>\n

\"SpyLocker_first_communication\"
\nThe decrypted data is in the\u00a0JavaScript Object Notation format, and reports the current status of the infected device:<\/p>\n

\"SpyLocker_Report\"
\nThe data\u00a0includes device information, the default SMS app, if the malware has device administrator active, if it is currently locked, if any of the targeted banking apps are installed in the device, if intercepting incoming SMS messages is enabled (smsgrab), and if the device is rooted. Using the same format, SpyLocker can\u00a0leak to a remote server the SMS messages in the inbox (inboxmessage), SMS being sent (sentmessage), the call history (callhistory), and installed apps (instapps):<\/p>\n

\"SpyLocker_InstAppsDecrypted\"Android banking Trojans such as SpyLocker are constantly evolving, adding new targets and distribution methods, and improving their phishing techniques to obtain even more data that will allow cybercriminals to perform fraudulent electronic transactions. To protect yourselves from this threat, employ security software on your mobile, and remember that Android updates are not delivered via APK files automatically downloaded when you visit a website. Further, users should not trust applications downloaded from unknown sources.<\/p>\n

McAfee Mobile Security detects this Android threat as Android\/SpyLocker and alerts mobile users if it is present, while protecting them from any data loss. For more information about McAfee Mobile Security, visit http:\/\/www.mcafeemobilesecurity.com<\/a>.<\/p>\n

Package names of targeted financial apps<\/strong><\/h2>\n

Turkey<\/strong><\/p>\n

    \n
  • com.akbank.softotp<\/li>\n
  • com.akbank.android.apps.akbank_direkt_tablet<\/li>\n
  • com.akbank.android.apps.akbank_direkt<\/li>\n
  • com.teb<\/li>\n
  • com.ziraat.ziraatmobil<\/li>\n
  • com.tmobtech.halkbank<\/li>\n
  • com.pozitron.iscep<\/li>\n
  • com.garanti.cepsubesi<\/li>\n
  • com.ykb.android<\/li>\n
  • finansbank.enpara<\/li>\n
  • com.finansbank.mobile.cepsube<\/li>\n<\/ul>\n

    Poland<\/strong><\/p>\n

      \n
    • eu.eleader.mobilebanking.pekao<\/li>\n
    • eu.eleader.mobilebanking.pekao.firm<\/li>\n
    • hr.asseco.android.mtoken.pekao<\/li>\n
    • eu.eleader.mobilebanking.raiffeisen<\/li>\n
    • pl.pkobp.iko<\/li>\n
    • pl.mbank<\/li>\n
    • pl.ing.ingmobile<\/li>\n
    • com.comarch.mobile<\/li>\n
    • com.getingroup.mobilebanking<\/li>\n
    • pl.bzwbk.bzwbk24<\/li>\n
    • wit.android.bcpBankingApp.millenniumPL<\/li>\n<\/ul>\n

      Australia<\/strong><\/p>\n

        \n
      • au.com.nab.mobile<\/li>\n
      • com.commbank.netbank<\/li>\n
      • com.cba.android.netbank<\/li>\n
      • org.stgeorge.bank<\/li>\n
      • org.banking.tablet.stgeorge<\/li>\n
      • au.com.bankwest.mobile<\/li>\n
      • com.bendigobank.mobile<\/li>\n
      • org.westpac.bank<\/li>\n
      • au.com.mebank.banking<\/li>\n
      • com.anz.android.gomoney<\/li>\n<\/ul>\n

        New Zealand<\/strong><\/p>\n

          \n
        • nz.co.anz.android.mobilebanking<\/li>\n
        • nz.co.asb.asbmobile<\/li>\n
        • nz.co.bnz.droidbanking<\/li>\n
        • nz.co.kiwibank.mobile<\/li>\n
        • nz.co.westpac<\/li>\n<\/ul>\n

          France<\/strong><\/p>\n

            \n
          • net.bnpparibas.mescomptes<\/li>\n
          • fr.lcl.android.customerarea<\/li>\n
          • fr.laposte.lapostemobile<\/li>\n
          • fr.creditagricole.androidapp<\/li>\n
          • fr.banquepopulaire.cyberplus<\/li>\n
          • com.cm_prod.bad<\/li>\n
          • com.caisseepargne.android.mobilebanking<\/li>\n<\/ul>\n

            Russia<\/strong><\/p>\n

              \n
            • ru.sberbankmobile<\/li>\n
            • ru.vtb24.mobilebanking.android<\/li>\n
            • ru.alfabank.mobile.android<\/li>\n
            • com.idamob.tinkoff.android<\/li>\n
            • ru.bpc.mobilebank.android<\/li>\n
            • ru.bankuralsib.mb.android<\/li>\n<\/ul>\n

              United Kingdom<\/strong><\/p>\n

                \n
              • com.barclays.android.barclaysmobilebanking<\/li>\n
              • uk.co.santander.santanderUK<\/li>\n
              • com.rbs.mobile.android.natwest<\/li>\n<\/ul>\n

                Targeted apps<\/strong><\/p>\n

                  \n
                • com.android.vending<\/li>\n
                • com.google.android.music<\/li>\n
                • com.google.android.apps.plus<\/li>\n
                • com.android.chrome<\/li>\n
                • com.google.android.apps.maps<\/li>\n
                • com.google.android.youtube<\/li>\n
                • com.google.android.apps.photos<\/li>\n
                • com.google.android.apps.books<\/li>\n
                • com.google.android.apps.docs<\/li>\n
                • com.google.android.apps.docs.editors.docs<\/li>\n
                • com.google.android.videos<\/li>\n
                • com.google.android.gm<\/li>\n
                • com.whatsapp<\/li>\n
                • com.skype.raider<\/li>\n
                • com.google.android.play.games<\/li>\n
                • com.paypal.android.p2pmobile<\/li>\n
                • com.ebay.mobile<\/li>\n
                • com.instagram.android<\/li>\n
                • com.instagram.layout<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

                  Since the discovery of the Android banking Trojan SpyLocker, McAfee has closely monitored this threat. SpyLocker first appeared disguised as…<\/p>\n","protected":false},"author":462,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[37,76,180,214],"coauthors":[1104],"class_list":["post-49940","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-android","tag-cybercrime","tag-malware","tag-mobile-security1"],"acf":[],"yoast_head":"\nAndroid Banking Trojan 'SpyLocker' Targets More Banks in Europe | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Since the discovery of the Android banking Trojan SpyLocker, McAfee has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Android Banking Trojan 'SpyLocker' Targets More Banks in Europe | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Since the discovery of the Android banking Trojan SpyLocker, McAfee has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-05-26T18:41:15+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-28T03:42:45+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid.png\" \/>\n\t<meta property=\"og:image:width\" content=\"561\" \/>\n\t<meta property=\"og:image:height\" content=\"734\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Carlos Castillo\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@carlosacastillo\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Carlos Castillo\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/\"},\"author\":{\"name\":\"Carlos Castillo\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe\"},\"headline\":\"Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe\",\"datePublished\":\"2016-05-26T18:41:15+00:00\",\"dateModified\":\"2025-05-28T03:42:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/\"},\"wordCount\":1176,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid-229x300.png\",\"keywords\":[\"android\",\"cybercrime\",\"malware\",\"mobile security\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/\",\"name\":\"Android Banking Trojan 'SpyLocker' Targets More Banks in Europe | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid-229x300.png\",\"datePublished\":\"2016-05-26T18:41:15+00:00\",\"dateModified\":\"2025-05-28T03:42:45+00:00\",\"description\":\"Since the discovery of the Android banking Trojan SpyLocker, McAfee has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid-229x300.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid-229x300.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe\",\"name\":\"Carlos Castillo\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/729f5b9d2761341175762c5f10652607\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg\",\"caption\":\"Carlos Castillo\"},\"description\":\"Carlos Castillo specializes in the analysis of mobile threats and Android malware. Castillo performs static and dynamic analysis of suspicious applications to support McAfee\u2019s Mobile Security for Android product. He is the author of the McAfee-published white paper, \\\"Android Malware Past, Present, and Future,\u201d and wrote the \u201cHacking Android\\\" section of the book, \\\"Hacking Exposed 7: Network Security Secrets & Solutions.\u201d As a recognized mobile malware researcher, Castillo has presented at several security industry events, including 8.8 Computer Security Conference and Segurinfo, a leading information security conference in South America. Prior to his position at McAfee, Castillo performed security compliance audits for the Superintendencia Financiera of Colombia, and worked at security startup Easy Solutions Inc., where he conducted penetration tests on web applications, helped shut down phishing and malicious websites, supported security and network appliances, performed functional software testing, and assisted in research and development related to anti-electronic fraud. Castillo joined the world of malware research when he won ESET Latin America\u2019s Best Antivirus Research contest with a paper titled, \u201cSexy View: The Beginning of Mobile Botnets.\u201d Castillo holds a degree in systems engineering from the Universidad Javeriana in Bogot\u00e1, Colombia.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/carlosacastillo\/\",\"https:\/\/x.com\/carlosacastillo\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/carlos-castillo\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Android Banking Trojan 'SpyLocker' Targets More Banks in Europe | McAfee Blog","description":"Since the discovery of the Android banking Trojan SpyLocker, McAfee has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Android Banking Trojan 'SpyLocker' Targets More Banks in Europe | McAfee Blog","og_description":"Since the discovery of the Android banking Trojan SpyLocker, McAfee has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-05-26T18:41:15+00:00","article_modified_time":"2025-05-28T03:42:45+00:00","og_image":[{"width":561,"height":734,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid.png","type":"image\/png"}],"author":"Carlos Castillo","twitter_card":"summary_large_image","twitter_creator":"@carlosacastillo","twitter_site":"@McAfee","twitter_misc":{"Written by":"Carlos Castillo","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/"},"author":{"name":"Carlos Castillo","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe"},"headline":"Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe","datePublished":"2016-05-26T18:41:15+00:00","dateModified":"2025-05-28T03:42:45+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/"},"wordCount":1176,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid-229x300.png","keywords":["android","cybercrime","malware","mobile security"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/","name":"Android Banking Trojan 'SpyLocker' Targets More Banks in Europe | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid-229x300.png","datePublished":"2016-05-26T18:41:15+00:00","dateModified":"2025-05-28T03:42:45+00:00","description":"Since the discovery of the Android banking Trojan SpyLocker, McAfee has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid-229x300.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/SpyLocker_InfectedWebsite_PornDroid-229x300.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-banking-trojan-spylocker-targets-more-banks-in-europe\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/894ee4a790607d505a13c24955d2edbe","name":"Carlos Castillo","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/729f5b9d2761341175762c5f10652607","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Carlos-Castillo-96x96.jpg","caption":"Carlos Castillo"},"description":"Carlos Castillo specializes in the analysis of mobile threats and Android malware. Castillo performs static and dynamic analysis of suspicious applications to support McAfee\u2019s Mobile Security for Android product. He is the author of the McAfee-published white paper, \"Android Malware Past, Present, and Future,\u201d and wrote the \u201cHacking Android\" section of the book, \"Hacking Exposed 7: Network Security Secrets & Solutions.\u201d As a recognized mobile malware researcher, Castillo has presented at several security industry events, including 8.8 Computer Security Conference and Segurinfo, a leading information security conference in South America. Prior to his position at McAfee, Castillo performed security compliance audits for the Superintendencia Financiera of Colombia, and worked at security startup Easy Solutions Inc., where he conducted penetration tests on web applications, helped shut down phishing and malicious websites, supported security and network appliances, performed functional software testing, and assisted in research and development related to anti-electronic fraud. Castillo joined the world of malware research when he won ESET Latin America\u2019s Best Antivirus Research contest with a paper titled, \u201cSexy View: The Beginning of Mobile Botnets.\u201d Castillo holds a degree in systems engineering from the Universidad Javeriana in Bogot\u00e1, Colombia.","sameAs":["https:\/\/www.linkedin.com\/in\/carlosacastillo\/","https:\/\/x.com\/carlosacastillo"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/carlos-castillo\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/49940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/462"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=49940"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/49940\/revisions"}],"predecessor-version":[{"id":214517,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/49940\/revisions\/214517"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=49940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=49940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=49940"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=49940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}