Remo is a banking trojan first disclosed over a year ago by researchers at Cyble Research and Intelligence Labs. It directly targets mobile banking and cryptocurrency wallet apps to steal money from its victims.
VMX Labs recently detected a new Remo variant and responsibly reported the findings to Alibaba Cloud, where the distribution websites and command and control (C2) infrastructure reside. Together, we managed to disrupt the Remo fraud operation.
In this article, we aim to present the current state of the Remo Android banking trojan compared to the first samples discovered over a year ago.
Distribution
Remo samples are still distributed through phishing websites, which lets VMX Labs track the distribution operations. These websites sometimes present their content in a language that makes it easy for us to infer the geographical focus of the malware campaign.
However, the phishing websites were in English this time, making the target region unclear. The distribution domains “e-ussecurity.cc” and “usaonlinesecurity.cc” hint at the United States as the targeted region. However, the target list loaded from the C2 server quickly eliminated this possibility.
Targeted apps strongly suggest Southeast Asian countries and India are the focus of this campaign. We also found Vietnamese in the distribution website’s HTML source, which overlaps with the main user language of some targeted apps.
Target List
The list of targeted apps shows that the current Remo Android banking trojan (ABT) campaign is active in India and Southeast Asia, particularly Malaysia, Indonesia, and Vietnam. It was previously active in Thailand, Indonesia, and Vietnam.
| Targeted Apps 2023 | Targeted Apps 2024 |
|---|---|
| com.vnpay.bidv | com.mservice.momotransfer |
| vn.com.techcombank.bb.app | com.vnpay.SCB |
| com.VCB | com.vib.myvib2 |
| com.vietinbank.ipay | com.ocb.omniextra |
| com.vnpay.Agribank3g | ops.namabank.com.vn |
| mobile.acb.com.vn | com.sacombank.ewallet |
| com.vnpay.vpbankonline | vn.shb.mbanking |
| com.tpb.mb.gprsandroid | vn.com.techcombank.bb.app |
| src.com.sacombank | com.tpb.mb.gprsandroid |
| com.mbmobile | com.VCB |
| com.vnpay.hdbank | com.vietinbank.ipay |
| vn.com.msb.smartBanking | com.vnpay.vpbankonline |
| com.ocb.omniextra | xyz.be.cake |
| com.mservice.momotransfer | vn.com.vng.zalopay |
| com.bca | mobile.acb.com.vn |
| id.bmri.livin | com.vnpay.Agribank3g |
| src.com.bni | com.vnpay.bidv |
| com.jago.digitalBanking | com.mbmobile |
| com.bsm.activity2 | com.android.chrome |
| com.ocbcnisp.onemobileapp | src.com.sacombank |
| id.co.bri.brilinkmobile | ops.namabank.com.vn |
| id.com.uiux.mobile | com.UCMobile.intl |
| com.bca.mybca.omni.android | com.maybank2u.life |
| com.dbs.id.pt.digitalbank | my.com.hongleongconnect.mobileconnect |
| com.alloapp.yump | com.engage.pbb.pbengage2my.release |
| com.dbank.mobile | my.com.cimb.ngb |
| net.myinfosys.PermataMobileX | com.rhbgroup.rhbmobilebanking |
| id.co.bankbkemobile.digitalbank | com.ambank.ambankonline |
| com.bplus.vtpay | com.bsn.mybsn |
| vn.com.vng.zalopay | com.affin.AffinMobileBanking |
| wifi.gps.input | com.iexceed.CBS |
| th.or.gsb.coachaom | com.alliance.AOPMobileApp |
| ktbcs.netbank | com.uob.my.infinity |
| com.bbl.mobilebanking | com.sbi.lotusintouch |
| com.kasikorn.retail.mbanking.wap | com.sbi.SBIFreedomPlus |
| com.scb.phone | com.csam.icici.bank.imobile |
| com.krungsri.kma | com.snapwork.hdfc |
| com.TMBTOUCH.PRODUCTION | com.axis.mobile |
| com.kbzbank.kpaycustomer | com.bankofbaroda.mconnect |
| com.uob.mighty.app | com.msf.kbank.mobile |
| com.ktb.customer.qr | com.bca |
| im.token.app | com.dbank.mobile |
| vn.shb.mbanking | com.panin.mobilepanin |
| com.bitpie | id.co.cimbniaga.mobile.android |
| io.metamask | id.co.bri.brilinkmobile |
| com.binance.dev | id.bmri.livin |
| pro.huobi | id.co.bankbkemobile.digitalbank |
| com.bybit.app | src.com.bni |
| com.okinc.okex.gp | com.dimasdev.btnppid_v2 |
| vip.mytokenpocket | com.bnc.finance |
| app.vitien.vitien | com.bsm.activity2 |
| id.co.bri.brimo | |
| co.id.bankjatim.prioritashaihaiproduction | |
| com.dbs.sg.dbsmbanking | |
| id.com.uiux.mobile | |
| net.myinfosys.PermataMobileX | |
| com.btpn.dc | |
| com.muamalatdin | |
| com.defi.wallet | |
| com.wallet.crypto.trustapp | |
| org.toshi | |
| net.bitstamp.app | |
Table 1: Lists of targeted apps (package names) in 2023 vs 2024
The comparison reflects the dynamic nature of the mobile threat landscape:
- 24% increase in the total number of targeted apps.
- Only 55% of the targeted apps in 2023 remain in the Remo target list in 2024.
- Expansion into India, Malaysia, and possibly Singapore while receding from Thailand.
The steep increase in Bitcoin prices attracted cybercriminals behind the Remo ABT
We also detected increased adversary interest in cryptocurrency wallet apps during this investigation. Remo’s C2 server added the following four apps to its target list when the Bitcoin price crossed the $100k milestone.
Before the update, the target list was not particularly populated with cryptocurrency wallet apps. The rapid increase in Bitcoin price seems to have attracted the cybercriminals.
| Mobile App | Package Name |
|---|---|
| Crypto.com Onchain | com.defi.wallet |
| Trust: Crypto & Bitcoin Wallet | com.wallet.crypto.trustapp |
| Coinbase Wallet: NFTs & Crypto | org.toshi |
| Bitstamp: Buy and Sell Crypto | net.bitstamp.app |
Table 2: Cryptocurrency wallet apps added to the target list
Technical Analysis
The Remo classes implementing the malicious functionalities are mostly renamed and look different from the first samples detected over a year ago. However, the threat actor left a few indicators in place that allowed us to detect the new variant right away through simple static analysis.
Like many other banking trojans, Remo abuses Android’s accessibility service to achieve the adversary’s objectives. One of the critical improvements observed in the recent samples is the impersonation of a legitimate app, AnyDesk plugin ad1, which has 10M+ downloads on the Google Play Store and itself relies on the accessibility service. This is undoubtedly an attempt to evade detection algorithms that rely solely on accessibility service names.
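The point above is that a detection keyed on the accessibility service name alone is fooled by an APK that borrows a legitimate plugin's service name. The following Python is an added triage check, not code from the article or from VMX Labs; it parses a decoded AndroidManifest.xml and flags accessibility services whose class name sits in an allowlisted vendor namespace while the APK's own package does not. The vendor namespace, app package and service names in it are constructed placeholders, not AnyDesk's real identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"

# Namespaces of well-known apps that legitimately ship an accessibility service.
# Placeholder entry: the real vendor namespace is not taken from the article.
LEGIT_A11Y_NAMESPACES = {"com.vendor.legitplugin"}


def accessibility_services(manifest_xml: str):
    """Return (app package, [service class names]) for every service bound to
    the accessibility framework, expanding leading-dot shorthand names."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package", "")
    found = []
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") != BIND_A11Y:
            continue
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if A11Y_ACTION not in actions:
            continue
        name = svc.get(ANDROID_NS + "name", "")
        found.append(app_pkg + name if name.startswith(".") else name)
    return app_pkg, found


def impersonated_services(manifest_xml: str):
    """Flag accessibility services living in an allowlisted vendor namespace
    although the APK is not that vendor's package. A name-only allowlist
    would pass them; pairing the name with the package does not."""
    app_pkg, services = accessibility_services(manifest_xml)
    own = lambda ns: app_pkg == ns or app_pkg.startswith(ns + ".")
    return [name for name in services
            if any(name.startswith(ns + ".") and not own(ns)
                   for ns in LEGIT_A11Y_NAMESPACES)]


# Constructed manifest: a fake "security" app declaring a service named after
# the placeholder vendor namespace (package and class names are not real).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mobilesecurity">
  <application>
    <service android:name="com.vendor.legitplugin.AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
```

Calling `impersonated_services(SAMPLE_MANIFEST)` returns the borrowed service name, while the same manifest under the vendor's own package returns an empty list.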
A significant change in the latest Remo variant is the removal of the SMS module that sent SMS messages from the infected device. The permission required for this operation typically triggers a deeper investigation for malicious behavior.
Another interesting difference is that the new variant reports not only targeted apps but also some system apps installed on the victim’s device to the C2 server. The exfiltrated information per app remains unchanged, i.e., package, name, and version. The reported system apps in our test setup are listed below.
| Package | Name |
|---|---|
| com.google.android.youtube | YouTube |
| com.google.android.googlequicksearchbox | |
| com.google.android.apps.messaging | Messages |
| com.google.android.apps.safetyhub | Personal Safety |
| com.android.vending | Google Play Store |
| com.android.stk | SIM Toolkit |
| com.google.android.deskclock | Clock |
| com.google.android.gm | Gmail |
| com.google.android.dialer | Phone |
| com.google.audio.hearing.visualization.accessibility.scribe | Live Transcribe & Sound Notifications |
| com.google.android.apps.nbu.files | Files by Google |
| com.google.android.accessibility.soundamplifier | Sound Amplifier |
| com.google.android.apps.docs | Drive |
| com.google.android.apps.maps | Maps |
| com.google.android.apps.tips | Pixel Tips |
| com.google.android.contacts | Contacts |
| com.google.android.calculator | Calculator |
| com.google.android.videos | Google TV |
| com.google.android.apps.photos | Photos |
| com.google.android.calendar | Calendar |
| com.google.android.accessibility.switchaccess | Switch Access |
| com.android.settings | Settings |
| com.google.android.apps.healthdata | Health Connect |
| com.google.android.apps.wearables.maestro.companion | Pixel Buds |
| com.android.angle | Android System Angle |
| com.google.android.apps.recorder | Recorder |
| com.google.android.apps.work.clouddpc | Device Policy |
| com.google.android.apps.youtube.music | YouTube Music |
| com.android.traceur | System Tracing |
| com.google.android.GoogleCamera | Camera |
Table 3: System apps reported to C2
Yet another improvement is that the malicious app does not automatically prompt a request to enable accessibility permission anymore. Instead, it loads a login page from a remote source and implements an authentication mechanism, which is an anti-analysis feature. We think that criminals provide the credentials to their victims.
Remo can still steal clipboard data when victims launch the app, and it does not need additional permissions to access the clipboard. Due to the long cryptocurrency wallet addresses and recovery phrases, cryptocurrency wallet app users frequently use the clipboard, and banking trojans targeting these applications pay special attention to this data.
Users of Android 12 and higher are alerted by a system toast message. They should not ignore this red flag.
The periodic reporting message sent to the C2 server consists of new data fields that inform us about the recently developed features of the trojan:
- Latitude & Longitude: Remo started to track the device’s location.
- isDeviceAdminEnable: Remo started abusing the powerful device administration API, a known technique used frequently by banking trojans.
- floatingWins: Information about floating windows.
- appStatusData: The status field in Chinese indicates a Chinese-speaking threat actor is behind Remo. The value is “Connected\n” in Figure 7 below.
- isHighPowerMode: Likely added because power saving mode restricts background activity.
- screenPushMode: The Janus WebRTC media server VideoRoom plugin is used for real-time screen sharing. The field name implies that other screen-push modes are supported.
- deviceNumber: Six-character random identifier.
- isIgnoringBatteryOptimizations: Battery optimizations can prevent the malware from running continuously in the background. An app must explicitly ask the user to grant the exemption. Remo started to report whether the exemption was granted or not.
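The field list above is enough to triage captured check-ins from a proxy or sandbox log. The Python below is an added example, not code from the article or from VMX Labs; it assumes the report body is a JSON object and scores it by how much of the Remo field set it carries, the six-character shape of deviceNumber, and a Chinese appStatusData string. Every sample value, including the Chinese status text and the screenPushMode string, is constructed for the example; only the field names come from the article.

```python
import json
import re

# Field names taken from the article's description of the periodic report.
REMO_REPORT_FIELDS = {
    "latitude", "longitude", "isDeviceAdminEnable", "floatingWins",
    "appStatusData", "isHighPowerMode", "screenPushMode", "deviceNumber",
    "isIgnoringBatteryOptimizations",
}
DEVICE_NUMBER_RE = re.compile(r"^[A-Za-z0-9]{6}$")  # six-character identifier
CJK_RE = re.compile(r"[\u4e00-\u9fff]")              # Chinese status strings


def score_report(body: str) -> dict:
    """Score one request body: how many Remo report fields it carries, whether
    deviceNumber has the expected shape, and whether appStatusData is Chinese."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return {"matched": 0, "device_number_ok": False,
                "cjk_status": False, "suspicious": False}
    matched = len(REMO_REPORT_FIELDS & set(data))
    dev_ok = DEVICE_NUMBER_RE.match(str(data.get("deviceNumber", ""))) is not None
    cjk = CJK_RE.search(str(data.get("appStatusData", ""))) is not None
    # Require most of the field set plus one value-shape signal, so a benign
    # app that merely reports coordinates and an id is not flagged.
    return {"matched": matched, "device_number_ok": dev_ok,
            "cjk_status": cjk, "suspicious": matched >= 6 and (dev_ok or cjk)}


def flag_bodies(bodies) -> list:
    """Return the indexes of bodies that score as a Remo-style check-in."""
    return [i for i, b in enumerate(bodies) if score_report(b)["suspicious"]]


# Constructed sample bodies: a Remo-like check-in, a benign location ping,
# and a non-JSON line. None of the values is taken from a real capture.
SAMPLE_BODIES = [
    json.dumps({"latitude": 10.78, "longitude": 106.70,
                "isDeviceAdminEnable": True, "floatingWins": [],
                "appStatusData": "已连接\n", "isHighPowerMode": False,
                "screenPushMode": "janus", "deviceNumber": "a8Kq2Z",
                "isIgnoringBatteryOptimizations": True}, ensure_ascii=False),
    json.dumps({"latitude": 48.85, "longitude": 2.35, "deviceNumber": "rider-001"}),
    "not json at all",
]
```

`flag_bodies(SAMPLE_BODIES)` returns `[0]`: only the first body carries the full field set together with a six-character deviceNumber and a Chinese status string.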
It is also important to mention that the new Remo ABT variant has been updated to target Android 14 devices, while previous samples supported up to Android 13.
Conclusion
The Remo ABT has evolved considerably in a little over a year. We found a few underlying factors behind this evolution.
- Defense evasion. Fraud campaigns and, as a result, the increased number of victims over time attract defenders’ interest. When this interest is combined with comprehensive threat intelligence, malware starts to be precisely detected and remediated, which in turn forces the threat actors to develop new ways to evade detection.
- New or improved techniques. Threat actors also gain hands-on experience and knowledge with time. They try to implement new features to level up their game and solve problems encountered in the field.
- Android OS updates. Continuous updates of the OS and increased adoption of these updates eventually lead threat actors to adapt the malware for better target coverage.
- Trends. The sudden increase in Bitcoin price drew everyone’s attention, including adversaries.
Like Remo, the mobile threat landscape is very dynamic and responds to enhanced protections rapidly in the form of new variants of a known malware family. The continuous monitoring of mobile devices and apps is vital to keeping up with cybercriminals.
Indicator of Compromise (IOC) List
| Indicator | Type | Description |
|---|---|---|
| usaonlinesecurity.cc | domain | Distribution website |
| e-ussecurity.cc | domain | Distribution website |
| usw4s.top | domain | C2 |
| nhlkasjdvncea.top | domain | C2 |
| 83bf604ed920231a1af209b5d10fa752fe07359303f35d40c039b73b268f8fe5 | SHA256 | Mobile Security.apk |
| 49d24a77a8b6846ba81907e0f773c232f284e39f10161ffee917e6e0664a7d0a | SHA256 | Mobile Security.apk |
| f75e26936a8f3b55065cdad25ee3e37bdf94054bc5e242dc72ebb073e4f73c3d | SHA256 | gjf-p3.apk (old Remo sample) |