Android Banking Trojan in Russia Disguised as YouTube and TikTok 18+ Apps

CyberSecureFox 🦊

Security analysts from F6 (Digital Risk Protection) have identified a large-scale malicious campaign targeting Android users in Russia. Cybercriminals are distributing an Android banking trojan under the guise of “extended,” “premium,” and “18+” versions of popular apps such as YouTube and TikTok, promising access to blocked content and ad‑free video playback.

Android banking trojan campaign: infrastructure and scope

According to F6, since early October 2025 more than 30 domains have been discovered that are directly involved in spreading this malware. The first similar sites appeared in the summer of 2025, but a noticeable spike in domain registrations was recorded in the autumn, following the start of the academic year, when user activity and content consumption typically rise.

The attackers built a network of phishing websites imitating the branding of foreign video platforms YouTube and TikTok, whose official access in Russia is limited or unstable. These sites were indexed by Russian search engines, making it highly likely that users would encounter them through common queries such as “YouTube without ads” or “TikTok 18+ download APK”.

The domains were registered in multiple TLDs, including .ru, .top, .pro, .fun, .life, .live, .icu, .com, .cc. The names frequently contained familiar brands and “marketing” terms such as ultra, mega, boost, plus, max, creating the illusion of an official, enhanced or “premium” product.
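The naming pattern above (a brand token glued to a marketing word, on a non-brand registrable domain, in one of the listed TLDs) is cheap to turn into a triage heuristic for DNS or proxy logs. The Python below is an added example, not code from F6 or from the article: the brand tokens, marketing words and TLD set are taken from the text, while the legitimate-host allowlist, the scoring weights and the sample hostnames are constructed assumptions for the demo.

```python
import re

# Brand and "marketing" tokens reported for the campaign, and the TLDs seen
# in the registered domains (all from the article).
BRANDS = ("youtube", "tiktok")
MARKETING = ("ultra", "mega", "boost", "plus", "max", "pro", "premium", "18")
SUSPECT_TLDS = {"ru", "top", "pro", "fun", "life", "live", "icu", "com", "cc"}

# Assumption: hosts the real brands use; anything else that carries a brand
# token in its registrable label is a lookalike by definition.
LEGIT_HOSTS = {"youtube.com", "youtu.be", "ytimg.com", "tiktok.com", "tiktokcdn.com"}

# Constructed sample of hostnames as they might appear in a DNS log.
SAMPLE_HOSTS = [
    "m.youtube.com", "youtube-max.top", "tiktok18.life", "cdn.example.ru",
    "youtubeultra.pro", "www.tiktok.com", "mail.google.com",
]


def registrable(host):
    """Return (registrable domain, tld) using a naive two-label split.

    Good enough for the TLDs in this campaign; a real deployment would use the
    Public Suffix List so that e.g. example.co.uk is split correctly.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return ".".join(labels[-2:]), labels[-1]


def score_domain(host):
    """Score a hostname for brand-abuse traits; returns (score, reasons).

    One point each for: a brand token on a non-brand domain, each marketing
    token glued to the brand (youtube-max, tiktok18, youtubeultra), and a TLD
    from the campaign set.  Brand-less hosts score 0.
    """
    reg, tld = registrable(host)
    if reg in LEGIT_HOSTS:
        return 0, []
    label = reg.split(".")[0]
    brand = next((b for b in BRANDS if b in label), None)
    if brand is None:
        return 0, []
    reasons = [f"brand token '{brand}' on non-brand domain {reg}"]
    for m in MARKETING:
        if re.search(rf"{brand}[-_]?{m}|{m}[-_]?{brand}", label):
            reasons.append(f"marketing token '{m}' attached to brand")
    if tld in SUSPECT_TLDS:
        reasons.append(f"tld .{tld} seen in campaign")
    return len(reasons), reasons


def triage(hosts, threshold=2):
    """Return [(host, score, reasons)] at or above threshold, worst first."""
    hits = [(h, *score_domain(h)) for h in hosts]
    hits = [(h, s, r) for h, s, r in hits if s >= threshold]
    return sorted(hits, key=lambda t: -t[1])


if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_HOSTS):
        print(f"{host:20} score={score}  " + "; ".join(reasons))
```

A bare brand token on an unknown domain already scores 2 (brand plus TLD), so the default threshold flags `youtube.top` as well as `youtube-max.top`; raise it to 3 if that produces too much noise. The heuristic only inspects the registrable label, so a brand hidden in a subdomain (`youtube.some-cdn.top`) is not caught and would need a separate check on the full hostname.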

Which fake Android apps are used to spread the trojan

Fake YouTube and TikTok 18+ APKs

The main lure in this campaign is a set of supposedly advanced or adult versions of well-known apps: TikTok 18+, YouTube Max, YouTube Boost, YouTube Mega, YouTube Ultra, YouTube Plus, YouTube Ultima Edition, YouTube Pro, YouTube Advanced and “YouTube-Plus”. The malicious sites promise users:

— watching videos without advertising;
— 4K support and video downloads;
— background audio playback;
— stable work over slow connections;
— access to blocked or “18+” content.

To obtain these features, victims are instructed to download and install an APK file from a third‑party site. Instead of a legitimate video client, the user receives a fully functional banking trojan with extensive capabilities.

Navigation apps, police checkpoints and traffic fine payments

In addition to fake video apps, the malware is disguised as navigation tools, online maps of road police checkpoints and applications for paying traffic fines. This vector targets a broad audience of drivers, who often look for such utilities outside official app stores and are more willing to enable the risky “Install from unknown sources” option in Android settings.

Capabilities of the Android banking trojan and compromised data

The analyzed malware exhibits the full feature set typical of modern Android banking trojans. After installation, the app requests elevated permissions and gains the ability to:

— read and send SMS messages, including one‑time banking codes;
— initiate and manage phone calls;
— collect contact lists and information on installed applications;
— access data about network connections;
— automatically start when the device boots;
— display its own interface elements over other apps (overlay attacks).

The overlay functionality is particularly dangerous. By drawing a fake login or payment form directly over a legitimate banking app, the trojan can invisibly intercept usernames, passwords, PINs and payment card data. This technique has been widely documented in global mobile banking malware families and remains highly effective against inattentive users.

In combination, these capabilities give attackers near full control over the infected device — from covert monitoring of user activity to initiating fraudulent transactions on behalf of the victim. The primary objective, as highlighted by F6, is theft of financial data and direct monetization through unauthorized payments and transfers.

Why users fall for fake YouTube and TikTok 18+ apps

Restrictions on access to YouTube and slower content updates on TikTok in Russia have created strong demand for alternative clients and “unblocked” versions of these platforms. Many users search for ways to bypass limitations and disable advertising, often overlooking basic security practices in the process.

Cybercriminals exploit several converging risk factors:

— shortage of official content and desire to bypass blocks;
— willingness to install APKs from untrusted websites;
— high level of trust in recognizable brands (YouTube, TikTok, navigation, government‑related apps);
— low awareness of how Android banking trojans operate and what permissions are dangerous.

Similar tactics have been repeatedly observed worldwide: industry reports from leading cybersecurity vendors show that banking trojans often masquerade as VPN services, messaging clients, “system cleaners” and ad blockers. In this campaign, the focus has shifted to video platforms and services popular with motorists, but the underlying social‑engineering logic remains the same.

How to protect Android devices from banking malware

F6 reports that, as of the time of publication, all domains identified in this campaign have been blocked. However, the cost of registering new domains is low, and attackers can rapidly recreate the same infrastructure with minimal changes. The most effective countermeasure is therefore not only blocking infrastructure, but changing user behavior.

To reduce the risk of infection with Android banking trojans, it is recommended to:

— install apps only from official stores (Google Play, vendor or corporate stores);
— avoid enabling “Install from unknown sources” unless absolutely necessary;
— critically review the permissions requested by any app, especially access to SMS, calls, accessibility services and overlay (“appear on top of other apps”);
— use reputable mobile security solutions capable of detecting banking malware and overlay attacks;
— monitor banking accounts and SMS for suspicious activity, and immediately contact the bank if unknown transactions, authorization prompts or pop‑up windows over banking apps appear.
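The permission profile listed under the trojan's capabilities is exactly what the third recommendation asks the reader to check, and the check can be scripted before an APK is ever installed. The Python below is an added example, not F6's tooling or code from the samples: it parses the `uses-permission` lines printed by `aapt dump badging <apk>` and flags an app that claims to be a video player but requests SMS, call, contact, boot and overlay permissions together. The permission strings are real Android permission names; both badging dumps and the package names in them are constructed for the example.

```python
import re

# Permission groups that, requested together, match the capability profile
# described in the article.  Names are real Android permission strings.
RISK_GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
              "android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "installed_apps": {"android.permission.QUERY_ALL_PACKAGES"},
    "network": {"android.permission.ACCESS_NETWORK_STATE"},
    "boot": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

# Groups a video client has no legitimate reason to request at all.
NEVER_FOR_VIDEO = {"sms", "calls", "contacts", "overlay"}

# aapt prints one line per declared permission:
#   uses-permission: name='android.permission.READ_SMS'
USES_PERM = re.compile(r"uses-permission(?:-sdk-23)?: name='([^']+)'")

# Constructed badging output for a plausible, benign video player.
BENIGN = """\
package: name='com.example.player' versionCode='1' versionName='1.0'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.WAKE_LOCK'
"""

# Constructed badging output for a "YouTube Max"-style fake (hypothetical
# package name); the permission set mirrors the capability list above.
SUSPECT = """\
package: name='com.example.ytmax' versionCode='7' versionName='2.3'
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.QUERY_ALL_PACKAGES'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
"""


def parse_badging(text):
    """Return the set of permissions requested in aapt badging output."""
    return set(USES_PERM.findall(text))


def audit(text):
    """Classify badging output of an alleged video app.

    Returns (verdict, groups) where groups is the set of RISK_GROUPS keys the
    app touches.  SMS plus overlay together is the OTP-theft-plus-phishing
    combination and is reported as a banking-trojan profile outright.
    """
    perms = parse_badging(text)
    groups = {g for g, names in RISK_GROUPS.items() if perms & names}
    red = groups & NEVER_FOR_VIDEO
    if {"sms", "overlay"} <= red:
        verdict = "banking-trojan profile"
    elif red:
        verdict = "suspicious"
    else:
        verdict = "no red flags"
    return verdict, groups


if __name__ == "__main__":
    for label, dump in (("benign", BENIGN), ("suspect", SUSPECT)):
        verdict, groups = audit(dump)
        print(f"{label:8} {verdict:24} groups={sorted(groups)}")
```

Run it against a real file with `aapt dump badging app.apk > badging.txt` and pass the file contents to `audit`. Two caveats: an accessibility service is not a `uses-permission` entry but a `<service>` guarded by `BIND_ACCESSIBILITY_SERVICE`, so it has to be looked for in the manifest itself; and a clean permission list proves nothing about a downloader that fetches the real payload later, so the check is a filter for the obvious cases, not a replacement for installing only from official stores.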

Android has become the primary target platform for mobile malware worldwide, and the campaign uncovered by F6 shows how effectively cybercriminals combine social engineering, brand abuse and technical capabilities of banking trojans. Users who rely on unofficial APKs, especially for financial operations or popular entertainment apps, significantly increase their attack surface. Careful attention to download sources, permissions and unusual behavior of the device remains one of the most reliable defenses against the theft of digital and financial identities.
