Bankbot has become a very popular Android botnet since its source code was leaked on an underground forum. Since the code is free for anyone to modify, different variants have been seen alongside the original one.
Typically, Bankbot hardcodes the applications it targets and the URLs it will contact; these can be seen by inspecting a regular .dex file. Modified versions of Bankbot, on the other hand, fetch the targets from a remote server, so nothing can be found without dynamic analysis.
But there is also a variant that has been spotted in the wild, though little has been said about it, which stores that information and some of its functionality in a .so file separate from the .dex file.
It contains an ARM64 .so file named libnative-lib.so. What information can we get from it? A quick glance at the file's hex content shows interesting strings right from the start:
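The triage step described above, extracting the printable strings from a native library inside an APK and picking out the values a banking trojan typically hardcodes, as an added example that is not part of the original post: the URL and package-name heuristics, the `MIN_LEN` threshold and the `SAMPLE_SO` blob are assumptions constructed for illustration, not data from the sample.

```python
import io
import re
import zipfile

# Runs of printable ASCII at least this long count as strings, like strings(1).
MIN_LEN = 6
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Heuristics (assumed) for what a banking trojan hardcodes: C2 URLs and target package names.
URL_RE = re.compile(r"^https?://[\w.-]+(?::\d+)?(?:/\S*)?$")
PKG_RE = re.compile(r"^[a-z][a-z0-9_]*(?:\.[a-z][a-z0-9_]*)+$")
SKIP_PREFIXES = ("android.", "java.", "javax.", "dalvik.")  # framework names, not targets

def extract_strings(blob: bytes) -> list:
    """Return printable-ASCII runs from a raw .so image; no ELF parsing needed."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]

def classify(strings) -> dict:
    """Bucket strings into C2 URL candidates and target-package candidates."""
    hits = {"urls": [], "packages": []}
    for s in strings:
        if URL_RE.match(s):
            hits["urls"].append(s)
        elif PKG_RE.match(s) and not s.startswith(SKIP_PREFIXES):
            hits["packages"].append(s)
    return hits

def scan_apk(apk_file) -> dict:
    """Classify the strings of every native library under lib/ in an APK (path or file object)."""
    report = {}
    with zipfile.ZipFile(apk_file) as apk:
        for name in apk.namelist():
            if name.startswith("lib/") and name.endswith(".so"):
                report[name] = classify(extract_strings(apk.read(name)))
    return report

# Constructed sample: an ELF-looking blob carrying the kind of strings the post describes.
SAMPLE_SO = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"libnative-lib.so\x00"
             + b"com.example.bankingapp\x00" + b"http://c2.example.invalid/gate.php\x00"
             + b"\x01\x02short\x00" + b"_ZN7_JNIEnv12GetStringUTFChars\x00")

def build_sample_apk() -> io.BytesIO:
    """Pack SAMPLE_SO into an in-memory zip laid out like an APK (constructed, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libnative-lib.so", SAMPLE_SO)
    buf.seek(0)
    return buf
```

On a real sample, pass the APK path to `scan_apk` and treat the output as leads to confirm in the disassembly, since the heuristics will also pick up benign library strings.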