BankBot is a remotely controlled Android banking trojan capable of harvesting banking details using fake login forms for a number of apps, intercepting text messages in order to bypass two-factor authentication, and displaying unsolicited push notifications.

Misuse of Android Accessibility has been previously observed in a number of different trojans, mostly outside Google Play. Recent analyses from SfyLabs and Zscaler have confirmed that the crooks spreading BankBot managed to upload an app with the Accessibility-abusing functionality to Google Play, only without the banking malware payload.

The “complete puzzle” featuring the banking malware payload that managed to sneak into Google Play masqueraded as a game named Jewels Star Classic. The attackers misused the name of the popular legitimate game series Jewels Star, which is not connected to this malicious campaign.