Fake YouTube and TikTok Apps Deliver Android Banking Trojan
F6 researchers warn that threat actors are distributing an Android banking trojan disguised as enhanced and "18+" versions of popular apps, including YouTube and TikTok. Since early October 2025, analysts detected over 30 domains used to spread the malware.
Attackers created a network of malicious websites impersonating YouTube and TikTok—platforms with restricted access in Russia. The malware masquerades as apps like TikTok 18+, YouTube Max, YouTube Boost, YouTube Mega, YouTube Ultra, YouTube Plus, YouTube Ultima Edition, YouTube Pro, YouTube Advanced, and "Youtube-Plus," promising ad-free viewing, 4K video, and functionality even with poor connectivity. Attackers also disguised the trojan as navigation apps, online traffic police post maps, and fine payment applications.
The attackers registered domains in the .ru, .top, .pro, .fun, .life, .live, .icu, .com, and .cc zones. Website names incorporate familiar brands and terms like ultra, mega, boost, plus, and max. Russian search engines indexed all the sites.
"We first recorded cases of such websites being created in the summer of 2025. In the autumn, after the start of the school year, there was a surge in domain registrations that the attackers used to host malicious applications," said Alexander Sapov, Senior Second-Line Analyst at the CERT department of F6's Digital Risk Protection.
Each site functions as a landing page promising users no ads, 4K video downloads, background music mode, and access to blocked content. Users are prompted to download and install an APK file containing the malware.
The trojan reads and sends SMS messages, makes calls, collects contact and installed app information, obtains network data, and launches automatically at device startup. The malware displays its own interface elements over other windows, granting attackers full device control. Threat actors can monitor victim actions, transmit data covertly, and perform actions on behalf of users. The attacks aim to steal financial data.
All domains associated with this campaign have been blocked, though researchers expect attackers may register new domains and continue operations.
"The throttling of YouTube and the restricted access to new TikTok videos in Russia has led to a multitude of offers to bypass restrictions. This situation could not fail to be exploited by threat actors who disguise malicious applications as various popular programs," said Alexander Bondal, Senior First-Line Analyst at the CERT department of F6's Digital Risk Protection.