Updated July 06, 2017 (originally published December 14, 2015) Updated July 06, 2017

Yasuo-Bot: Flexible, Customized, Fraudulent Content

2 min. read


Standard mobile banking trojans post their own fraudulent content over banking applications. The Yasuo-Bot malware takes it a step further by dynamically pulling fraudulent content from the C&C server.

Since 2010, mobile malware is on the rise. The first mobile Trojan launched was Zitmo (Zeus in the mobile), a mobile version of the most common PC Trojan, Zeus. That launch was followed by many different variants of e-banking mobile Trojans such as Perkele, iBanking, and more.

Nowadays, the majority of mobile Trojans mostly target Android devices using different techniques to gain administration permissions on the victim's device, steal the user's transaction authorization numbers (TANs), intercept SMS messages, grab credentials, present fraudulent content, perform automatic money transfers, and more. The main technique employed by mobile banking Trojans, which infect mobile phones and steal passwords and other data when the victim logs in to an online bank account, is posting the Trojan’s own fraudulent content over the actual legitimate application being presented to the user.

Yasuo Bot takes this technique one step farther, dynamically pulling the fraudulent content from the command and control (C&C) server and not from local, hard coded and preconfigured overlays.

This departure from earlier mobile malware design adds a dimension of flexibility to the malware and its operator, allowing for much greater tailoring and customization of the fraudulent content, and therefore a far greater number of targets the malware can potentially attack.

This new, flexible, and actively evolving malware brings its authors and users the ability to target a virtually endless number of legitimate applications. It also enables them to tailor the fraudulent content for each application without greatly increasing the size of the malware package.

To see the full version of this article, click "Download" below.


Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.


9 hrs

a critical vulnerability—with the potential for remote code execution—is released.