Aug 20, 2025

Rapid Response: Zimperium Detects Lazarus Stealer Campaign with Full Coverage and Additional Samples

Zimperium

CYFIRMA recently disclosed Lazarus Stealer, a sophisticated Android banking malware targeting Russian users under the guise of a legitimate utility app called GiftFlipSoft. This trojan remains hidden from the device's interface, using high-risk permissions and stealth techniques to harvest sensitive credentials.

Lazarus Stealer requests intrusive permissions, including the default SMS role, overlay capabilities, and usage access, allowing it to intercept one-time passwords, monitor app activity, and deploy phishing overlays on top of genuine banking applications. It conceals itself by hiding from launchers and recent-apps lists, dynamically loads phishing content via WebView, and runs persistent background services to exfiltrate data to its command-and-control infrastructure—all while remaining invisible to the user.

Zimperium’s Mobile Threat Defense (MTD) and Mobile Runtime Protection (zDefend) detect the reported sample with high accuracy and in a zero-day fashion. Beyond the threat as described, our proactive efforts identified 46 additional samples linked to the Lazarus Stealer campaign, expanding the known attack surface and reinforcing mobile defenses.

Why this matters: Lazarus Stealer exemplifies the evolving sophistication of mobile banking trojans—staying hidden, abusing privileged access, and adapting content in real time to trick users. Its ability to intercept SMS, overlay fake login screens, and exfiltrate credentials makes it highly dangerous for financial institutions and users alike. Mobile defenses must detect misuse of SMS roles, overlay abuse, and anomalous network activity—all on-device.
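The permission-and-stealth combination described above (default SMS role, overlay, usage access, hidden from launcher and recents, persistent service) is something an analyst can score statically from an app's manifest before any behavioural detection runs. The following is an added example, not Zimperium's or CYFIRMA's code: a small Python triage that parses an AndroidManifest.xml and reports which of those indicators it declares. The permission, action and category names are real Android identifiers; the two manifests embedded in it are constructed for illustration, and the scoring thresholds are arbitrary.

```python
# Added example (not Zimperium's or CYFIRMA's code): static triage of an
# AndroidManifest.xml for the permission-and-stealth combination the post
# describes. Identifiers are real Android names; the manifests and the
# thresholds are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"        # draw over other apps
USAGE_PERM = "android.permission.PACKAGE_USAGE_STATS"          # usage access: which app is in front
FG_SERVICE_PERM = "android.permission.FOREGROUND_SERVICE"      # long-lived background service
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"  # receiver a default-SMS app must declare
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"         # gives the app a launcher icon


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def extract_facts(manifest_xml):
    """Collect the manifest facts the indicators below are scored on."""
    root = ET.fromstring(manifest_xml)
    return {
        "permissions": {_attr(e, "name") for e in root.iter("uses-permission")},
        "actions": {_attr(e, "name") for e in root.iter("action")},
        "categories": {_attr(e, "name") for e in root.iter("category")},
        "exclude_from_recents": any(
            _attr(a, "excludeFromRecents") == "true" for a in root.iter("activity")),
    }


# (indicator name, predicate over the facts dict)
INDICATORS = [
    ("overlay_permission", lambda f: OVERLAY_PERM in f["permissions"]),
    ("usage_access", lambda f: USAGE_PERM in f["permissions"]),
    ("sms_deliver_receiver", lambda f: SMS_DELIVER_ACTION in f["actions"]),
    ("no_launcher_entry", lambda f: LAUNCHER_CATEGORY not in f["categories"]),
    ("excluded_from_recents", lambda f: f["exclude_from_recents"]),
    ("foreground_service", lambda f: FG_SERVICE_PERM in f["permissions"]),
]


def triage(manifest_xml):
    """Return the triggered indicators and a coarse verdict.

    A legitimate SMS client trips sms_deliver_receiver on its own, so one hit
    is not interesting; the combination is what mirrors the pattern in the
    post. The 2/4 thresholds are illustrative, not a product setting.
    """
    facts = extract_facts(manifest_xml)
    hits = [name for name, pred in INDICATORS if pred(facts)]
    verdict = "high" if len(hits) >= 4 else "medium" if len(hits) >= 2 else "low"
    return {"indicators": hits, "verdict": verdict}


# Constructed manifest matching the described pattern (no launcher category,
# excluded from recents, overlay + usage access, SMS_DELIVER receiver, service).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="%s" package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <activity android:name=".MainActivity" android:excludeFromRecents="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>""" % ANDROID_NS

# Constructed manifest of an ordinary SMS client: same receiver, but visible
# in the launcher and without overlay, usage-access or service permissions.
BENIGN_SMS_MANIFEST = """<manifest xmlns:android="%s" package="com.example.benignsms">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>""" % ANDROID_NS

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_SMS_MANIFEST)):
        print(label, triage(xml))
```

Two things the manifest cannot show, and the reason the post insists on on-device detection: an app can hide its launcher icon at runtime (by disabling its own launcher component after first start) and the phishing pages arrive through WebView at runtime, so neither appears in a static scan. Manifest triage is therefore a first filter for app-store or MDM intake; the SMS-role, overlay and network-anomaly checks the post calls for have to observe behaviour on the device.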

Zimperium remains committed to uncovering and neutralizing emerging threats like Lazarus Stealer, delivering robust, real-time mobile protection.

For full technical details, see CYFIRMA’s report here.

The list of new IOCs can be found in this repository.