Cerberus is Dead, Long Live Cerberus?

Executive Summary

This blog provides an overview of the situation surrounding the release of the source code, and supplementary ‘injection’ files, for the Android banking trojan ‘Cerberus’. In addition to the source code for two versions of the malicious application along with the control panel being freely available on various underground forums, over two hundred injection files, those being HTML pages that mimic the look of legitimate Android apps, have been distributed and could allow the theft of credentials and/or payment card data.

Given that the current threat from Cerberus was countered by Google Play Protect, Google’s own Android antimalware solution, other threat actors may act on comments from Cerberus’ creators to restore the threat, or simply use the source code to create, or further develop, their own Android threats.

Recent reports indicate that Cerberus is now targeting Android users in Russia as well as countries within the Commonwealth of Independent States (CIS), suggesting that some ‘less-patriotic’ threat groups have modified the source code and removed these previously defined ‘safe countries’. Other than this activity, no other regions have been specifically identified at increased risk.

As time elapses and threat actors gain a better understanding of the released code, others may seek to utilize it, or the injection pages, in their own threats or campaigns. This is especially true given the availability of a Cerberus ‘installation service’, costing just USD 300, that could allow a lower-sophistication threat actor to gain access to a working Cerberus control panel with Android application package (APK) builder for a fraction of its former cost.

Introduction

Believed to have been in development for some time and used privately for around two years prior to being first observed by cybersecurity researchers in June 2019, Cerberus is an Android banking trojan that was available via a malware-as-as-service (Maas) offering as advertised on underground forums (Figure 1).

Figure 1 – Cerberus advertisement banners (Bottom: Updated for Cerberus V2)

As is common for threats of this nature, Cerberus supports various capabilities out-of-the-box, such as the ability to interact with, and steal data from, a compromised device including contacts, SMS interception and call forwarding, as well as selling addons in the form of ‘injections’ that allow credentials and/or payment card data to be stolen from specific legitimate applications.

Reportedly earning the creators at least USD 10,000 a month during its peak, not withstanding any ill-gotten gains made from stolen data, the MaaS model used to rent access to Cerberus’ infrastructure was, when not discounted (Figure 2), available in three packages (USD 4,000 for 3 months, USD 7,000 for 6 months and USD 12,000 for one year of access) in addition to injections reportedly selling for USD 4,000 each.

Figure 2 – Cerberus ‘Winter Sale’

Having purchased a licence, nefarious users would gain access to the Cerberus control panel which allowed them to build an Android application package (Figure 3), in the form of an ‘APK’ file ready for distribution to victims, as well as providing them with the ability to manage their compromised devices and access any stolen data (Figure 4).

Figure 3 – Cerberus APK builder (added to the platform in July 2019)

Figure 4 – Cerberus Control Panel

Having configured and generated an APK payload file, threat actors would then need to deliver this to victims likely through the use of social engineering tactics and campaigns such as ‘fake media player’ messages shown to Android users visiting a compromised or malicious website (Figure 5) as well as fake mobile apps uploaded to various app stores and even the use of COVID-19 themes during the global pandemic.

Figure 5 – Cerberus distributed via fake Adobe Flash Player (Credit: ESET Research)

Reportedly one of the most successful Android banking trojans and MaaS threats of 2019 and into 2020, Cerberus’ reign came to a somewhat abrupt end in August 2020 with the creator citing ‘internal issues’ that prevented ongoing development and undoubtedly contributed to the threat being detected and blocked by Google’s built-in antimalware protection ‘Google Play Protect’.

Attempted Sale

Whilst still in development as late as 21 July 2020, seemingly the period between 22 and 26 July 2020 saw Cerberus being detected by Google Play Protect and customers taking to the forum to complain about their ‘bots dropping off’.

In response to these complaints, ‘Android’, Cerberus’ creator or the group’s spokesperson, suggested on 28 July 2020 that the threat was still operational, albeit requiring the use of a ‘cryptor’ to prevent detection (Figure 6).

Figure 6 – ‘Android’ responding in English, rather than Russian, to various complaints about Cerberus on 28 July 2020

Tools known as ‘cryptors’ are often used by malware authors and utilize various encryption routines to thwart the analysis of malicious binaries as well as obfuscating or modifying their code to evade detection signatures. In this instance, it appears that the solution to Cerberus’ problems was not as simple as using a ‘cryptor’ and was promptly followed by the group ceasing development following ‘internal issues’.

In addition to the threat group reportedly disbanding, with existing Ceberus infections being in-operational due to their detection, the malware-as-a-service (MaaS) offering, including all source code, installation guides, and setup scripts along with details of current and prospective customers, was reportedly offered for auction at the end of July 2020 with a starting price of USD 50,000 and a ‘buy-it-now’ price of USD 100,000.

Appearing somewhat steeply priced, it is likely that a suitably motivated and skilled threat actor could have recouped their outlay within a year, especially given the reported USD 10,000 monthly earnings, although, given that the auction failed to find a buyer, the ‘market’ didn’t agree with this valuation or the viability of Cerberus following its detection by Google Play Protect.

Source Code Release

Following the failed auction attempt, and potentially in an attempt to restore confidence in the group, ‘Android’ posted a message to the ‘XSS[.]is’ forum on 5 August 2020 to confirm that they would be fulfilling any financial commitments to existing customers, presumably by refunding them any access payments, and that the source code would be made available to the forum’s members (Figure 7).

Figure 7 – Forum post indicating the release of the Cerberus Source Code to members of XSS[.]is

Translation:

v2 version. Flipper.
Since our team (before that the team) ran this business cleanly, as beautifully as possible, we will finish it beautifully.
For 70% of clients, financial obligations have already been closed. The remaining ones are asked to unsubscribe in a PM or Telegram, do not forget to write your Jabber, the license key and the server IP. This is so that I can be sure that you are the owner of the license. It is also advisable to attach the APK file.
Sources to be torn apart, especially for xss[.]is
Cerberus v1 + Cerberus v2 + install scripts + admin panel + sql db


Seemingly available on various underground forums from around 7 August 2020, a subsequent post by ‘Android’ on the XSS[.]is forum on 10 August 2020 included a cleaned-up archive (Figure 8).

Figure 8 – Cerberus source code release on XSS[.]is

Translation:

Guys, and wrap-up.

Cerberus v1 + Cerberus v2 + install scripts + admin panel + sql db

Archive cleared of garbage.

Everything for those who want to start their own business. Full pack.
In the header, I replaced the link to it.

For moderators, please re-upload to other [file sharing services] so that the file will live for a long time.

Analysis of the source code archive indicates that the directories have modification dates of 5 August 2020, confirming the archive creation of the file that aligns with the forum posts, whilst the files, excluding any open-source libraries used, have various modification dates between 31 March 2019 and July 21 2020, again consistent with what is known about Cerberus’ recent development.

Note: For reference, sample file hashes for the released Cerberus source code are provided in Appendix A.

Included within the main archive are four main directories:

• moduleBot2 – Java source code and assets for the Cerberus v2 Android payload including build files for use with the ‘Gradle’ build automation tool. Based on application icons found within the directory structure, the threat appears to mimic a ‘Santander’ banking app but it is understood that this would be customizable when using the ‘builder’ control panel.
• panel_v2 – HTML, JavaScript and PHP source code for the server that provides the Cerberus control panel, APK payload builder and the command and control (C2) call-home ‘gate.php’ script. Notably, the payload builder takes parameters from the threat actor and then executes the Gradle build automation tool before allowing the payload to be downloaded. Additionally, ‘cryptor’ code appears within this directory that could allow payloads to thwart analysis or detection albeit, based on the Google Play Protect detection, this has been countered.
• restapi_v2 – Seemingly allowing interactions between bots and the C2 server/control panel, the REST API directory includes PHP code and provides an insight into the status of a bot including the relatively short period of time elapsed for it to be considered ‘dead’ (albeit understandable given that most people will keep their mobile phone online at all times):
  • 0 – Online (Bot has been visible within the last 2 minutes);
  • 1 – Offline (Bot has been visible within the 40hrs but not last 2 minutes);
  • 2 – Dead (Bot has not been seen within the last 40hrs);
• source_mmm – Java source code and assets for the Cerberus v1 Android payload, again including build files for use with the ‘Gradle’ build automation tool.
  Furthermore, a SQL dump file is included within the archive and provides an insight into the backend database behind the Cerberus control panel. In addition to this database backup detailing the data stored on bots and compromised hosts, base64-encoded ‘injects’ are included to mimic and steal credentials or payment card data by posing as the following Android applications:
  • Connect for Hotmail & Outlook (com.connectivityapps.hotmail)
  • Gmail (com.google.android.gm)
  • Imo (com.imo.android.imoim)
  • Instagram (com.instagram.android)
  • mail.com Mail (com.mail.mobile.android.mail)
  • Microsoft Outlook (com.microsoft.office.outlook)
  • Snapchat (com.snapchat.android)
  • Telegram (org.telegram.messenger)
  • Twitter (com.twitter.android)
  • Uber (com.ubercab)
  • Viber Messenger (com.viber.voip)
  • WeChat (com.tencent.mm)
  • WhatsApp Messenger (com.whatsapp)
  • Yahoo Mail (com.yahoo.mobile.client.android.mail)

Current Capabilities

Whilst the immediate threat from Cerberus has been countered by Google Play Protect, the release of the source code provides other threat actors with the ability to analyse and understand how Cerberus’ modular capabilities were implemented, potentially allowing others to extend them or reuse the code in other Android threats.

As is to be expected of a successful Android threat, Cerberus claims to work on devices using Android 5 or later and, have gained ‘accessibility’ permissions, can automatically permit additional permissions for itself including:

• android.permission.INTERNET;
• android.permission.CALL_PHONE;
• android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS;
• android.permission.RECEIVE_BOOT_COMPLETED;
• android.permission.READ_PHONE_STATE;
• android.permission.REQUEST_DELETE_PACKAGES;
• android.permission.RECEIVE_SMS;
• android.permission.READ_SMS;
• android.permission.SEND_SMS;
• android.permission.READ_CONTACTS;
• android.permission.WAKE_LOCK;

Given these permissions, many capabilities can be identified, such as those that are consistent with a remote access trojan gaining access to, and control over, the device:

• Screenshot and audio recording;
• Keylogging from within applications;
• Access and exfiltrate contacts;
• Device location tracking;
• Application download, execution and removal;
• Device lock;
• Mute all device sound and disable vibrate alerts;

Additionally, specific banking trojan capabilities provide the means to gather credentials and payment card data as well as thwarting additional security measures such as one-time passwords, multi-factor authentication and voice calls:

• Access, send, receive and delete SMS (ideal for capturing one-time passwords);
• Call forwarding (potentially allowing the interception of voice calls);
• Credential and payment card data theft through application injections;
• Local installation and automatic (timed) enable of injections to allow operation with limited network coverage;
• Theft of multi-factor authentication codes from Google Authenticator;

In an attempt to evade security controls and thwart analysis, Cerberus implemented anti-emulator code to ensure that it was only executed on a valid physical device, attempted to disable Google Play Protect, albeit until its detection, and provided a self-destruct mechanism to remove traces of the bot to prevent post-incident analysis.

Finally, command and control (C2) traffic is RC4 encrypted and base64-encoded using a random key. Subsequently, ‘call home’ communications include useful data about the device which is viewable within the control panel:

• Android operating system version;
• Battery status;
• Device manufacturer/model;
• IP address;
• Network operator;
• Telephone number;
• System locale (Country and language);
• Screen status (Locked or Unlocked);
• Google Play Protect status;
• SMS intercept status;
• Availability of bank, card and email credentials/data;
• Infection date and bot up-time;
• Telephone activity, used to determine if it is an emulator;

Features: hide SMS, lock device, mute sound, keylogger, injection

Injections

Cerberus makes use of ‘injections’ to target legitimate applications, including those related to banking, email, messaging, retail and social media, with pages that mimic the targeted application interface and prompt for credentials and/or payment card details from the victim (Figure 9).

Figure 9 – Example ‘injects’ mimicking legitimate application interfaces

These HTML-based injects are provided as a single file asset, allowing them to be easily stored within the command and control (C2) database and distributed to victim devices, integrating cascading style sheets (CSS) to ensure the layout is consistent with the targeted application as well as embedding base64-encoded images (Figure 10).

Figure 10 – Example embedded base64-encoded PNG image within the inject HTML file

Once deployed, a victim would be presented with the inject when attempting to access a targeted application and, assuming they fall for the ruse, the data entered is inserted into a JSON data structure ready for exfiltration by Cerberus to the C2 infrastructure.

Seemingly a ‘starter kit’ was offered by Cerberus with a handful of injections to target Italy, France, Turkey and the United States, whilst additional injections could be purchased (Figure 11).

Figure 11 – Cerberus ‘Tweet’ indicating the sale of injects

Notably, in addition to base64-encoded injects embedded within the SQL dump file distributed with the Cerberus control panel source code, archives of this recent release distributed on underground forums include over 200 additional inject files potentially including some that would have previously been charged for.

Note: For reference, a full list of the injects distributed with the Cerberus source code are provided in Appendix B.

Given that these inject files mimic many current mobile applications, the release of this large set could allow other malware authors to incorporate them into their own mobile threats as well as being of use to any threat actor that can make use of, or further develop, the Cerberus source code.

Potential Future Developments

Increased Targeting

As is common with cybercrime threats originating from Russia or countries within the Commonwealth of Independent States (CIS), threat actors will only target victims in other countries as confirmed by a string variable within Cerberus’ source code containing a safe list of country codes:

public String strCIS = "[ua][ru][by][tj][uz][tm][az][am][kz][kg][md]";

Since the public release of Cerberus’ source code, other seemingly less-patriotic threat actors have removed or modified this restriction and there is now reportedly an increase in victims within Russia and CIS countries.

Aside than this shift in targeting, no other region has been identified as suffering from increased attacks although, with time, other threat actors may seek to leverage their access to the source code and potentially launch attacks in regions where Android devices are prevalent whilst less likely to be protected by current versions of Google Play Protect.

Variants

In addition to threat actors taking the Cerberus source code ‘as-is’ and attempting to launch their own campaigns, especially given that an ‘enterprising’ user on the XSS[.]is forum is offering an installation service for just USD 300 (Figure 12), others may seek to build upon the existing code or create their own variants to resolve the issues that caused Google Play Protect to detect the threat.

Figure 12 – XSS[.]is forum member offering proof of their Cerberus install service

One such example that has been reported as a variant of Cerberus is a threat dubbed ‘Alien’ although, both the creators of Alien and Cerberus have denied any link between the two.

Providing any would-be successor with the necessary information to resolve Cerberus’ issues, two suggestions are given to counter Google Play Protect’s ability to scan application resources (Figure 13).

Figure 13 – Denial of link to ‘Alien’ and Cerberus ‘solution’ proposals

Translation:
Alien is based entirely on Anubis.
Our bot died due to one problem, the play-protection started scanning the resources of the APK file.
Initially, Cerberus was developed as a modular bot, loading malicious code into resources, and at that time Play Protect was unable to scan application resources.
At the moment, our module has signatures, and bots “die” when it is loaded. The solution is to remove the module from the code and encrypt the entire APK, but then the size of the APK will be very large.
Solution number two: encrypt the module.
Why didn’t we do it?
We had one module for all clients, and since the team was crumbling, it was not possible to find new programmers who would make their own module for each client individually.
As a result, our clients could not encrypt the module for themselves. We encrypted the module 5 times, and each crypt fell the next day according to the signatures, and in the end our hands dropped, since this is not a solution to the problem.

Whilst it is likely only a matter of time before a suitably skilled nefarious developer resolves the issues with Cerberus, the release of the source code will undoubtedly assist the Google Play Protect team in creating countermeasures. That being said, organizations should still encourage users to, and individuals should, be cautious whenever prompted to install Android packages (APK) from unverified sources, be that a browser pop-up, an email or from a third-party app marketplace.

Appendix A – Samples

The following SHA-256 file hashes relate to the leaked files, as observed on multiple underground forums, and may prove beneficial to security professionals wishing to perform their own analysis of the threat:

• Initial source code release cerberus_full_package.7z
  • 2ba17fabce13866b6f161250f00d85e14fefc6334dc1bdd881bb71ba41a69d80
• ‘Cleaned-up’ source code release CERBERUS_V2.zip
  • 733fc478acd6ef668f88131f505921fddc88e9a207e5ee304b37babf0b8a553d
• Injections collection injects.zip
  • 856ea6fd89f431274335614e91fdd83a99aaa3243395a28d7e55307a04090923
• Bundle containing the above, released on ‘Alphazine[.]ru’ cerberus.zip
  • beabdc7eedea45771c11e2319f810035fdbf67e725b593a80ef54438ee3731f5

Given the current status of Cerberus, indicators of compromise (IOC) related to past Cerberus threats are somewhat redundant although the command and control (C2) Tor hidden service still appears to be accessible via cerberesfgqzqou7.onion (Figure 14).

Figure 14 – Cerberus control panel Tor hidden service

Additionally, the following HTTP command and control (C2) communication strings were observed within the source code and may appear in derivative works:

• action=getinj&data=;
• action=injcheck&data=;
• action=botcheck&data=;
• ||no||;
• action=registration&data=;
• action=sendInjectLogs&data=;
• action=sendSmsLogs&data=;
• action=timeInject&data=;public String str_http_19 = “action=sendKeylogger&data=”; public String str_http_20 = “action=getModule&data=”; public String str_http_21 = “action=checkAP&data=”;
• action=sendKeylogger&data=;
• action=getModule&data=;
• action=checkAP&data=;

Appendix B – Injections

Injection files have been provided alongside the Cerberus source code and target the following legitimate Android applications:

• ABANCA Empresas com.abanca.bancaempresas
• ABANCA Banca Móvil es.caixagalicia.activamovil
• ABN AMRO Mobiel Bankieren com.abnamro.nl.mobile.payments
• Akbank com.akbank.android.apps.akbank_direkt
• Allegro pl.allegro
• Amazon Shopping com.amazon.mShop.android.shopping
• ASB Mobile Banking nz.co.asb.asbmobile
• Banca Digital Liberbank es.liberbank.cajasturapp
• Banca Móvil Laboral Kutxa com.tecnocom.cajalaboral
• Banca MPS copergmps.rt.pf.android.sp.bmps
• Banca Transilvania ro.btrl.mobile
• Banco Caixa Geral España es.caixageral.caixageralapp
• Banco Itaú Empresas com.itau.empresas
• Banco Sabadell net.inverline.bancosabadell.officelocator.android
• Bank Austria MobileBanking com.bankaustria.android.olb
• Bank Hapoalim (בנק הפועלים) com.ideomobile.hapoalim
• Bank Millennium wit.android.bcpBankingApp.millenniumPL
• Bank Millennium for Companies pl.millennium.corpApp
• Bank of America Mobile Banking com.infonow.bofa
• Bank of Melbourne Mobile Banking org.bom.bank
• Bankia es.cm.android
• Bankinter Móvil com.bankinter.launcher
• BankSA Mobile Banking org.banksa.bank
• Banque com.caisseepargne.android.mobilebanking
• Banque Populaire fr.banquepopulaire.cyberplus
• Banque pour tablettes Android com.caisse.epargne.android.tablette
• Barclays com.barclays.android.barclaysmobilebanking
• Barclays Kenya com.barclays.ke.mobile.android.ui
• BBVA Net Cash com.bbva.netcash
• BBVA Spain com.bbva.bbvacontigo
• BEA (東東亞亞銀銀行行) com.mtel.androidbea
• Bendigo Bank com.bendigobank.mobile
• BHIM UPI, Money Transfer, Recharge & Bill Payment com.mobikwik_new
• Bi en Línea gt.com.bi.bienlinea
• Bill Payment & Recharge,Wallet com.oxigen.oxigenwallet
• Binance com.binance.dev
• bitbank cc.bitbank.bitbank
• Bitcoin Wallet Coincheck jp.coincheck.android
• Blockchain Wallet piuk.blockchain.android
• BMO Mobile Banking com.bmo.mobile
• BNL it.bnl.apps.banking
• BNP Paribas GOMobile com.finanteq.finance.bgz
• BOCHK com.bochk.com
• BOQ Mobile com.bankofqueensland.boq
• Boursorama Banque com.boursorama.android.clients
• BPI APP pt.bancobpi.mobile.fiabilizacao
• BPS Mobilnie pl.bps.bankowoscmobilna
• BusinessPro Lite pl.bph
• CA24 Mobile com.finanteq.finance.ca
• CaixaBank es.lacaixa.mobile.android.newwapicon
• Caixadirecta cgd.pt.caixadirectaparticulares
• Cajalnet es.ceca.cajalnet
• Cajasur com.cajasur.android
• Capital One® Mobile com.konylabs.capitalone
• Carige Mobile it.carige
• Carrefour Finance be.fimaser.smartphone
• Ceneo pl.ceneo
• CEPTETEB com.teb
• Chase Mobile com.chase.sig.android
• CIBC Mobile Banking com.cibc.android.mobi
• CIC com.cic_prod.bad
• Citi Handlowy com.konylabs.cbplpat
• CMSO my bank com.arkea.android.application.cmso2
• Coinbase Wallet — Crypto Wallet & DApp Browser org.toshi
• comdirect mobile App de.comdirect.android
• CommBank com.commbank.netbank
• Commerzbank Banking de.commerzbanking.mobil
• Connect for Hotmail & Outlook com.connectivityapps.hotmail
• Consorsbank de.consorsbank
• Credem com.CredemMobile
• Crédit du Nord pour Mobile com.ocito.cdn.activity.creditdunord
• Crédit Mutuel com.cm_prod.bad
• Crédit Mutuel de Bretagne com.arkea.android.application.cmb
• ČSOB Smartbanking cz.csob.smartbanking
• CUA Mobile Banking au.com.cua.mb
• DB Pay com.db.pbc.DBPay
• Deutsche Bank Mobile com.db.pwcc.dbmobile
• Discount Bank com.ideomobile.discount
• Discover Mobile com.discoverfinancial.mobile
• DKB-Banking de.dkb.portalapp
• Empik com.empik.empikapp
• Empik Foto com.empik.empikfoto
• Enpara.com Cep Şubesi finansbank.enpara
• eurobank mobile 2.0 pl.eurobank2
• EVO Banco móvil es.evobanco.bancamovil
• Fifth Third Mobile Banking com.clairmail.fth
• Fortuneo, mes comptes banque & bourse en ligne com.fortuneo.android
• Garanti BBVA Mobile com.garanti.cepsubesi
• Getin Mobile com.getingroup.mobilebanking
• Gmail com.google.android.gm
• GMO Wallet com.gmowallet.mobilewallet
• Grupo Cajamar com.grupocajamar.wefferent
• Halifax Mobile Banking com.grppl.android.shell.halifax
• Halkbank Mobil com.tmobtech.halkbank
• HSBC Mobile Banking com.htsu.hsbcpersonalbanking
• HVB Mobile Banking eu.unicreditgroup.hvbapptan
• Ibercaja es.ibercaja.ibercajaapp
• iBiznes24 mobile pl.bzwbk.ibiznes24
• iBOSStoken hr.asseco.android.mtoken.bos
• IDBI Bank GO Mobile+ com.snapwork.IDBI
• Idea Bank PL pl.ideabank.mobilebanking
• IKO pl.pkobp.iko
• Imagin com.imaginbank.app
• imo free video calls and chat com.imo.android.imoim
• iMobile by ICICI Bank com.csam.icici.bank.imobile
• ING Banking to go de.ingdiba.bankingapp
• ING Business com.comarch.security.mobilebanking
• ING España www.ingdirect.nativeframe
• ING Italia it.ingdirect.app
• Instagram com.instagram.android
• Intesa Sanpaolo Mobile com.latuabancaperandroid_2
• Intesa Sanpaolo Mobile com.latuabancaperandroid
• iPKO biznes pl.pkobp.ipkobiznes
• İşCep com.pozitron.iscep
• Kraken Pro com.kraken.trade
• Kutxabank com.kutxabank.android
• Kuveyt Türk com.kuveytturk.mobil
• L’Appli Société Générale mobi.societegenerale.mobile.lappli
• La Mia Banca com.db.pbc.miabanca
• La Poste fr.laposte.lapostemobile
• Leumi (לאומי) com.leumi.leumiwallet
• Liquid by Quoine com.quoine.quoinex.light
• Lloyds Bank Mobile Banking com.grppl.android.shell.CMBlloydsTSB73
• Ma Banque fr.creditagricole.androidapp
• mail.com mail com.mail.mobile.android.mail
• mBank PL pl.mbank
• Mes Comptes fr.lcl.android.customerarea
• Mes Comptes BNP Paribas net.bnpparibas.mescomptes
• Mi Banco db com.db.pbc.mibanco
• Mi Banco Mobile com.popular.android.mibanco
• Microsoft Outlook com.microsoft.office.outlook
• Mizrahi Bank (מזרחי טפחות) com.MizrahiTefahot.nh
• Mobile Banking UniCredit com.unicredit
• Mobile BiznesPl@net com.comarch.mobile.banking.bgzbnpparibas.biznes
• Mobilni Banka eu.inmite.prj.kb.mobilbank
• Mobilny Portfel pl.raiffeisen.nfc
• Mój Orange pl.orange.mojeorange
• Moje ING mobile pl.ing.mojeing
• myAT&T com.att.myWireless
• N26 Mobile Banking de.number26.android
• NAB Mobile Banking au.com.nab.mobile
• NBapp Spain com.indra.itecban.mobile.novobanco
• Nest Bank nowy pl.nestbank.nestbank
• NETELLER com.moneybookers.skrillpayments.neteller
• norisbank App com.db.mm.norisbank
• Oney France fr.oney.mobile.mescomptes
• Openbank es.openbank.mobile
• Papara com.mobillium.papara
• PayPal Mobile Cash com.paypal.android.p2pmobile
• Pekao24Makler eu.eleader.mobilebanking.pekao
• PekaoBiznes24 eu.eleader.mobilebanking.pekao.firm
• PeoPay softax.pekao.powerpay
• People’s Choice Credit Union com.fusion.ATMLocator
• Pibank es.pibank.customers
• plusbank24 eu.eleader.mobilebanking.invest
• Pocket Bank ma.gbp.pocketbank
• Postbank Finanzassistent de.postbank.finanzassistent
• Postepay posteitaliane.posteapp.apppostepay
• QNB Finansbank Mobile Banking com.finansbank.mobile.cepsube
• Raiffeisen ELBA com.isis_papyrus.raiffeisen_pay_eyewdg
• Raiffeisen Smart Mobile com.advantage.RaiffeisenBank
• Rakuten Bank (楽楽天天銀銀行行) jp.co.rakuten_bank.rakutenbank
• RBC Mobile com.rbc.mobile.android
• Report com.cajasiete.android.cajasietereport
• Rossmann PL pl.com.rossmann.centauros
• ruralvía com.rsi
• Santander es.bancosantander.apps
• Santander Banking de.santander.presentation
• Santander Empresas es.bancosantander.empresas
• Santander mobile pl.bzwbk.bzwbk24
• ScotiaMóvil net.garagecoders.e_llavescotiainfo
• SCRIGNOapp it.popso.SCRIGNOapp
• SecureApp netbank de.adesso_mobile.secureapp.netbank
• ŞEKER MOBİL ŞUBE tr.com.sekerbilisim.mbank
• Skrill com.moneybookers.skrillpayments
• Smart Mobile Banking it.gruppobper.ams.android.bper
• Snapchat com.snapchat.android
• Sparkasse Ihre mobile Filiale com.starfinanz.smob.android.sfinanzstatus
• St.George Mobile Banking org.stgeorge.bank
• Sumishin SBI Net Bank (住住信信SBIネネッットト銀銀行行) jp.co.netbk
• Suncorp Bank au.com.suncorp.SuncorpBank
• SunTrust Mobile App com.suntrust.mobilebanking
• TARGOBANK Mobile Banking com.targo_prod.bad
• Telegram org.telegram.messenger
• The International Bank (הבנק הבינלאומי ) com.fibi.nativeapp
• Touch 24 Banking BCR at.spardat.bcrmobile
• Triodos Bank com.indra.itecban.triodosbank.mobile.banking
• Twitter com.twitter.android
• U.S. Bank com.usbank.mobilebanking
• Uber com.ubercab
• UBI Banca it.nogood.container
• UnicajaMovil es.univia.unicajamovil
• Union Bank (בנק אגוד) com.unionBank.app
• Union Bank Mobile Banking com.unionbank.ecommerce.mobile.android
• USAA Mobile com.usaa.mobile.android.usaa
• Usługi Bankowe alior.bankingapp.android
• VakıfBank Mobil Bankacılık com.vakifbank.mobile
• Viber Messenger com.viber.voip
• Volksbank house banking at.volksbank.volksbankmobile
• VR Banking Classic de.fiducia.smartphone.android.banking.vr
• WeChat com.tencent.mm
• Wells Fargo Mobile com.wf.wellsfargomobile
• Western Union ES com.westernunion.moneytransferr3app.es
• WhatsApp Messenger com.whatsapp
• Yahav Bank (בנק יהב) il.co.yahav.mobbanking
• Yahoo Mail com.yahoo.mobile.client.android.mail
• Yapı Kredi Mobile com.ykb.android
• Yono Lite SBI com.sbi.SBIFreedomPlus
• YouApp com.lynxspa.bancopopolare
• Ziraat Mobile com.ziraat.ziraatmobil