Catelites: Android Malware That Faked Login Pages to Hijack Accounts

Reports suggesting that banking malware is on the rise once again keep coming out, and so it is important to remind ourselves how this malware operates. In this report, we analyze Catelites, an infamous banking malware that used fake apps on Android to attack unsuspecting users. This malicious threat was used primarily as a data stealer, and while it was, most likely, used to steal login credentials from banking apps, it could have stolen logins from any app that the user was opening. The only condition was that the infection could create an overlay for this app. According to reports by Avast and SfyLabs, the infection was able to overlay 2,200 banking apps at the time of analysis, and that is not a small number. Unfortunately, threats like Catelites are not uncommon, and they are likely to become even more prevalent in the near future.

To start the discussion on Catelites, we need to remember CronBot, a dangerous banking Trojan that was controlled by a group of attackers. The group was dismantled in 2017, and the Trojan, in theory, was stopped. Unfortunately, this did not stop other attackers from using the same techniques to create new infections. CronBot gave way to Catelites and, potentially, other malicious threats too. The original infection was able to invade over one million Android devices, and the attackers raked in over 900,000 US Dollars after gaining access to victims’ banking accounts. That is what Catelites was created for as well. After invasion, this malicious threat was supposed to trick users into disclosing their banking login details whenever they tried to access their banking accounts. To trick them, the infection used overlays to make it seem like they were interacting with legitimate login pages, not fake forms created by malware.

As with most infections, Catelites targeted vulnerable, unguarded Android devices, which reminds us once more how important it is to implement reliable security tools. The infection’s attacks also remind us how important it is to use trustworthy app sources. Android users are most likely to acquire apps from Google Play, which, as you might now, has been known to host malware apps in the past. This is done unintentionally, and kudos goes to cyber attackers, who are able to fool Google itself. Well, what if the app you want is not available on Google Play (for example, if it is not compatible with Android), or if the version on Google Play costs money? That is when you might try to find an alternative source, and that is a mistake. Trusting third-party app sources is dangerous because that is the breeding ground for malware. Unfortunately, Catelites proves how easy it is trick people into downloading fake apps via unreliable sources, with the help of malvertising, or using phishing scams.

After infiltration, Catelites could set up fake apps – such as Google Play, Gmail, or Chrome – to trick the user into interacting with it. The interaction would require the victim to grant the fake apps admin permissions, and that is a red flag that must not be overlooked at any point. If you are asked to grant admin permissions, you need to look into that app more closely. Better yet, delete it right away. Once fully established, the infection could easily drop overlays whenever the victim was trying to access online banking accounts via appropriate apps. Needless to say, with logins at hand, the attackers could easily gain access to your personal accounts. Unfortunately, it seems that Catelites was able to circumvent two-factor authentication by controlling incoming SMS messages too. Therefore, if you used verification codes sent via SMS to authenticate access to a banking account, the attackers could bypass this obstacle without much trouble. How does that work? The infection was able to intercept SMS messages as well as mute the ringer and lock the device to ensure that the victim did not see the incoming verification code.

Unfortunately, most victims realize that banking Trojans – such as Catelites – have invaded their systems only after they find their accounts emptied or when unauthorized transactions are discovered. Hopefully, that is not your situation, and you can still secure your accounts appropriately. First and foremost, we advise revising the apps installed on your device to check what kinds of permissions they have. You might want to revoke admin permissions for apps you cannot trust. Second, you need reliable protection, and it is best if you employ a trustworthy anti-malware app right now. Finally, you need to rethink your online behavior. Are you careful? How do you download apps? Do you make sure they are reliable first? Can you identify scams and fake apps? These are the questions you need to answer for yourself if you want to ensure that you use your Android device without a security glitch in the future.


Chrysaidos, N., Phuc, P. D. December 20, 2017. New malware targets accounts at over 2,200 financial institutions. Avast, SfyLabs.
Fadilpašić, S. July 26, 2019. Mobile banking malware sees huge rise. ITProPortal. 100% FREE spyware scan and
tested removal of Catelites: Android Malware That Faked Login Pages to Hijack Accounts*

Leave a Comment

Enter the numbers in the box to the right *