VMX Labs detected 5 active Command & Control (C2) server login panels in Poland, Italy, and Brazil that specialized in overlay attacks (manual and automatic) against Android users, especially in Brazil and Italy.

This (claimed) new Android banking trojan (ABT) is marketed as AzraelBot.

Figure 1: Advertisement in a hacking forum
Figure 2: Panel's Login Screen

One of the servers we found uses the leaked injects from the Hook ABT. The leak was expected to lower the barrier to entry to the Android banking malware scene, and unfortunately it has done so.

Figure 3: List of supported injections by country

Manual overlay attacks mainly target Italy and Brazil. The generic injections used for Italy are shown below:

Figure 4: Fingerprint injection and its machine translation
Figure 5: Loading injection and its machine translation

Manual overlay attacks on Brazilian banks are more sophisticated and customized.

Figure 6: Injects used for targeted manual overlay attacks

C2 IOC List

200.98.200.130 Panel IP address
200.98.200.107 Panel IP address
179.43.148.2 Panel IP address
185.241.208.123 Panel IP address
45.83.31.225 Panel IP address
azzzzzzzzzz000000bro.com C2 domain
googleoverdroid.com C2 domain
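As an added hunting aid that is not part of the original post, the following Python checks DNS and proxy log lines against the IOCs listed above. The log lines are constructed samples; a domain IOC matches on any subdomain, a trailing dot or :port is tolerated, and look-alike names that merely end in the same characters do not match.

```python
import ipaddress
import re

# IOCs as published in the post (panel IPs and C2 domains).
C2_IPS = {
    "200.98.200.130", "200.98.200.107", "179.43.148.2",
    "185.241.208.123", "45.83.31.225",
}
C2_DOMAINS = {"azzzzzzzzzz000000bro.com", "googleoverdroid.com"}

# Constructed sample log lines (not real traffic): DNS queries and proxy CONNECTs.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z dns query=cdn.GoogleOverdroid.com. rcode=NOERROR",
    "2024-01-01T10:00:01Z proxy CONNECT 185.241.208.123:443 user=alice",
    "2024-01-01T10:00:02Z dns query=example.org. rcode=NOERROR",
    "2024-01-01T10:00:03Z proxy CONNECT 10.0.0.5:8080 user=bob",
    "2024-01-01T10:00:04Z proxy CONNECT azzzzzzzzzz000000bro.com:80 user=carol",
]

def _strip_port(tok):
    """Drop a trailing :port, but leave timestamps such as 10:00:00Z alone."""
    host, sep, port = tok.rpartition(":")
    return host if sep and port.isdigit() else tok

def match_ioc(token):
    """Return the matching IOC (normalised) or None for a single log token."""
    host = _strip_port(token.strip().rstrip(".")).lower()
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:
        ip = None
    if ip is not None:
        return ip if ip in C2_IPS else None
    # Walk from the full name to its parent domains so subdomains match,
    # while "notgoogleoverdroid.com" stays a non-match (label-wise, not substring).
    labels = host.split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in C2_DOMAINS:
            return suffix
    return None

def hunt(lines):
    """Return (line_no, ioc) for every log line that touches a listed IOC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in re.split(r"[\s=,]+", line):
            ioc = match_ioc(tok)
            if ioc:
                hits.append((n, ioc))
                break
    return hits
```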

Note: Special thanks to the security researcher, whose earlier findings have greatly contributed to this ongoing research.
