Sneaky malware is a newly discovered Android Trojan that stealthily steals sensitive data, such as banking credentials and cryptocurrency details, by disguising itself as legitimate apps.
First reported in November 2025, it targets users in Southeast Asia but could spread further.
How It Works
• Evasion Tactics: It checks whether it is running on a real device or inside an analyst's emulator or sandbox, and withholds its malicious behaviour when it suspects analysis, so automated scanners see nothing suspicious.
• Permission Abuse: Requests Accessibility Services to control the device (e.g., reading screens, simulating taps, and auto-filling forms) and registers as a Device Administrator for elevated privileges.
• Data Theft: Overlays fake login screens on top of real banking or crypto apps to capture credentials. It also silences notifications and connects to a remote server to exfiltrate device info, location, and app lists, while receiving commands for updates or self-deletion.
• Stealth Features: Runs silently in the background without visible indicators.
How It Spreads
It masquerades as trusted apps like news readers or digital ID tools (e.g., “IdentitasKependudukanDigital.apk”), tricking users into sideloading the APK from unverified sources such as forums or messages.
Targets
Primarily banking and cryptocurrency users, focusing on financial apps for credential theft.
Detection and Prevention
• Detection: Antivirus tools such as Malwarebytes identify it as Android/Trojan.Spy.Banker.AUR9b9b491bC44. Known samples can also be matched by SHA-256 hash, for example cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c; on a device, an app that is enabled as an Accessibility Service or a Device Administrator without a clear reason is the behavioural warning sign.
• Prevention Tips:
  • Only download apps from Google Play or official stores.
  • Scrutinize permissions—reject unnecessary access to device controls, settings, or Accessibility Services.
  • Use real-time antivirus software, keep your device and apps updated, and enable Google Play Protect.
  • Avoid clicking links in unsolicited messages and stay informed via reliable cybersecurity sources.
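The two checks above (an unexpected Accessibility Service, and an APK matching the published hash) can be scripted against a device over adb. The helpers below are an added example and are not part of the original write-up; the hash is the one quoted above, while the allowlist and the sample package names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: triage helpers for the indicators described above.
# KNOWN_SHA256 is the hash quoted in the write-up; everything else is assumed.
KNOWN_SHA256="cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c"

# Android keeps enabled accessibility services in Settings.Secure as a
# colon-separated list of "package/service" entries ("null" when none).
# Print every package that is not on the caller's allowlist, e.g. a screen
# reader that the user installed deliberately.
unexpected_a11y_services() {
  services="$1"   # output of: adb shell settings get secure enabled_accessibility_services
  allowlist="$2"  # space-separated package names considered legitimate
  [ "$services" = "null" ] && return 0
  printf '%s\n' "$services" | tr -d '\r' | tr ':' '\n' | while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    pkg="${entry%%/*}"            # strip "/ServiceClass" to get the package
    case " $allowlist " in
      *" $pkg "*) ;;              # allowlisted: stay quiet
      *) printf '%s\n' "$pkg" ;;  # anything else deserves a look
    esac
  done
}

# Compare a SHA-256 (as printed by sha256sum on a pulled APK) with the
# published indicator, case-insensitively. Prints MATCH or CLEAN.
check_apk_hash() {
  hash=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  if [ "$hash" = "$KNOWN_SHA256" ]; then
    echo MATCH
  else
    echo CLEAN
  fi
}

# Live usage with a connected device (needs adb; package name is a placeholder):
#   unexpected_a11y_services "$(adb shell settings get secure enabled_accessibility_services)" \
#       "com.google.android.marvin.talkback"
#   adb pull "$(adb shell pm path com.example.suspect | tr -d '\r' | sed 's/^package://')" suspect.apk
#   check_apk_hash "$(sha256sum suspect.apk | cut -d' ' -f1)"
```

Device Administrator enrolment is not covered by these helpers; `adb shell dumpsys device_policy` lists the active admins and is worth reading alongside the output.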