Protect.Computer

New Banking Malware Spreads via WhatsApp and Outlook Messages

Security researchers have discovered a new piece of malware called TCLBANKER that is specifically designed to steal your banking and cryptocurrency login details. What makes it unusually dangerous is how it spreads: once it infects a device, it silently hijacks the victim’s WhatsApp account and Microsoft Outlook to send infected links to all their contacts — meaning the message can look like it came from someone you trust.

TCLBANKER targets more than 59 banking, financial, and cryptocurrency apps. When you open one of those apps, it covers your screen with a convincing fake login page to capture your credentials. The malware is currently focused on Brazil, but researchers at Elastic Security note that similar Brazilian banking trojans have expanded to other countries in the past.

How to check if you’re affected

Affected devices include Android phones running versions older than Android 12, where security restrictions on screen overlay attacks are weaker. If you’re in Brazil or communicate regularly with people there, pay extra attention.

  • Check your WhatsApp sent messages: If you see messages in your “Sent” folder that you didn’t write — especially ones with unfamiliar links — your account may have been hijacked.
  • Review your Outlook sent items: Look for emails you didn’t send. TCLBANKER uses Outlook to forward infected messages to your email contacts automatically.
  • Keep Android updated: Go to Settings → About Phone → Software Update to make sure your device is running Android 12 or later, where overlay attacks are harder to pull off.
  • Never tap unexpected links in WhatsApp or email, even from people you know — ask them directly if you’re unsure whether they sent something.
