A new CYFIRMA report has revealed the discovery of Lazarus Stealer, a highly sophisticated Android malware designed to steal sensitive financial credentials from users of Russian banking applications. Despite its name, Lazarus Stealer is unrelated to the notorious DPRK-linked Lazarus Group. Instead, as CYFIRMA clarifies, “The name ‘Lazarus Stealer’ stems solely from how it is labeled in its control panel by the developer and bears no relation to the nation-state actor.”
The malware masquerades as a seemingly benign app called GiftFlipSoft while executing malicious activities in the background. CYFIRMA’s analysis highlights how it “masquerades as the benign app GiftFlipSoft, hiding its icon from the launcher and excluding itself from the recent apps list, making it invisible to users.”
By leveraging permissions such as SMS access, overlay drawing, Usage Access, and MODIFY_PHONE_STATE, the malware gains deep control over infected devices. It is engineered to escalate its privileges by setting itself as the default SMS application, enabling it to intercept OTPs, suppress notifications, and even delete messages to cover its tracks.
The malware’s most dangerous capability lies in its ability to detect when a banking app is opened and deploy a counterfeit overlay to trick victims into entering sensitive information. According to the report:
“If the malware detects the target bank’s application package, it uses the ‘Draw Over Other Apps’ permission to display a counterfeit Bank page over the screen. The overlay presents a fake warning message, such as ‘Suspicious activity detected, please enter your card number to confirm your account,’ to deceive the user into providing sensitive banking information.”
These overlays are designed to be visually indistinguishable from legitimate interfaces and to harvest PINs, card numbers, and account passwords.
Lazarus Stealer maintains persistence through services like AppMonitorService and SMSForwardService, ensuring continuous monitoring even after device reboots. Data exfiltration is tightly coupled with a command-and-control (C2) infrastructure. The malware sends “device metadata (user ID, Android version, APK version, model) and SMS content to the attacker’s server” while receiving remote commands.
Operators have also built in a dynamic WebView system, which allows phishing content to be tailored per APK version, enabling targeted campaigns against specific banks or user groups.
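The permission combination and default-SMS-app escalation described above can be turned into a simple static triage check. The following is an added example, not code from the CYFIRMA report or from the malware; the manifest snippet, package name and scoring weights are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Manifest permission names corresponding to the capabilities named in the report.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS access",
    "android.permission.RECEIVE_SMS": "SMS access",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay drawing",
    "android.permission.PACKAGE_USAGE_STATS": "Usage Access",
    "android.permission.MODIFY_PHONE_STATE": "MODIFY_PHONE_STATE",
}
# An app must register an SMS_DELIVER receiver to be eligible as the default SMS app.
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"

# Constructed sample manifest for this example; not the real sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.giftflip">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.MODIFY_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Score a manifest by the report-described capabilities it requests.
    Icon hiding happens at runtime, so it is not visible in the manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    flagged = sorted({RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS})
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    default_sms = SMS_DELIVER_ACTION in actions
    # Overlay drawing paired with SMS access is what enables the fake-page
    # credential capture plus OTP interception flow, so weight that pairing extra.
    score = len(flagged) + (2 if default_sms else 0)
    if "overlay drawing" in flagged and "SMS access" in flagged:
        score += 2
    return {"flagged": flagged, "default_sms_handler": default_sms, "score": score}
```

Run it against a decoded manifest (for example from apktool output) and treat high scores as a prompt for manual review, not as a verdict: legitimate messaging apps also register SMS_DELIVER.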
CYFIRMA’s infrastructure analysis traced the malware’s control panels and associated Telegram accounts to a likely Russian-speaking developer. The report states:
“The panels primarily displayed content in Russian, strongly indicating that the developer is likely a Russian speaker, a conclusion further supported by the linked Telegram profile.”
Investigators linked the operator to a GitHub account, a presence on gaming forums, and activity on the Neverlose and CSDevs platforms. These findings suggest the developer originated in online gaming communities before pivoting to cybercriminal activity.