Cyber Coach

Mobile

Fake banking apps, APK trojans and rogue MDM profiles

The SMS says 'update the app to continue'. The link installs an APK off-store, or a .mobileconfig profile on iPhone.

10 min read · Expert

Red flags to recognize

  • SMS or WhatsApp message asking you to install an app from outside the official store
  • Android: APK requesting SMS, overlay or accessibility-service permissions
  • Bank-app icons with similar names but unknown developer
  • iOS: request to install an MDM or .mobileconfig 'corporate' profile
  • Browser redirecting to 'cdn.<bank>-app.apk.zip'
  • Permissions much broader than necessary (SMS, contacts, microphone for a bank?)
  • App asking you to disable Play Protect or Lookout

What to do now

  • Install banking apps only from the official store, verifying the developer
  • Disable 'unknown sources' on Android (Developer -> insecure sources)
  • Never install MDM profiles on iPhone requested by strangers
  • If the APK was installed: airplane mode, backup, factory reset, selective restore
  • Change all passwords and revoke active sessions from a clean device
  • Audit active accessibility services: banking trojans often hide there
  • On iOS check Settings -> General -> VPN and Device Management

Real case

Anatsa trojan via post-office SMS, Italy 2025

A nationwide campaign sends SMS 'Post office: your app is out of date, download now' with a link to post-update.tk. The link installs Anatsa, an Android banking trojan that masquerades as a PDF reader during initial install.

Once installed, Anatsa requests accessibility services to 'read PDF'. After 48 hours it injects fake overlays on the legitimate bank app when the user opens it, stealing credentials and OTP in real time. A Padua accountant lost 14,500 EUR in three night transactions.

Mythos analyzed the APK: signing certificate linked to a known Anatsa cluster, manifest with accessibility and overlay permissions, binary hash in threat-intel feeds. The dossier linked the victim to a wider campaign with over 4,200 infected devices in Italy.

What Mythos can do on this case

  • Static APK analysis: manifest, permissions, signing certificate, hashes
  • Binary comparison with threat-intel feeds (known banking trojans)
  • iOS .mobileconfig profile verification: payload, CA, MDM endpoint
  • String extraction and C2 endpoint discovery from the binary
  • Technical dossier for complaint and device-restoration support
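The static triage described in the case above and in the first bullet here (manifest, permissions, hash) can be sketched in a few lines. This is an added example, not Mythos code; it assumes the AndroidManifest.xml has already been decoded from the APK (for instance with apktool), and the manifest it parses is a constructed sample, not a real Anatsa artifact.

```python
import hashlib
import xml.etree.ElementTree as ET
# Added example, not Mythos code: static triage of an AndroidManifest.xml already
# decoded from the APK (e.g. with apktool). The sample manifest below is constructed.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a 'PDF reader' has no business requesting (see red flags above).
RED_FLAG_PERMISSIONS = {
    "android.permission.READ_SMS",                  # read OTP codes
    "android.permission.RECEIVE_SMS",               # intercept incoming SMS
    "android.permission.SYSTEM_ALERT_WINDOW",       # overlays on top of the bank app
    "android.permission.REQUEST_INSTALL_PACKAGES",  # sideload further APKs
}
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Package name, red-flag permissions, accessibility-service declaration, score."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    flagged = sorted(requested & RED_FLAG_PERMISSIONS)
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is what lets a trojan read the
    # screen and act inside the victim's banking app once the user grants access.
    a11y_service = any(s.get(ANDROID_NS + "permission") == BIND_A11Y
                       for s in root.iter("service"))
    return {
        "package": root.get("package"),
        "flagged_permissions": flagged,
        "accessibility_service": a11y_service,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in requested,
        "score": len(flagged) + (2 if a11y_service else 0),  # 0 = nothing suspicious
    }

def sha256_hex(apk_bytes: bytes) -> str:
    """Hash of the APK file, the value looked up in threat-intel feeds."""
    return hashlib.sha256(apk_bytes).hexdigest()

# Constructed manifest imitating a dropper that poses as a PDF reader.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfreader.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A score of 0 on a manifest that only asks for INTERNET is the expected baseline; SMS plus overlay plus an accessibility service on an app that claims to read PDFs is the pattern the case above describes.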

Next steps