What Are Infostealers?

Threats & Research

Reading time: 11 min
  • Blog post
  • Ennel Aurora
  • 2020
  • Detect and respond to attacks
Ennel Aurora



An infostealer is a piece of malicious software (malware) that tries to steal your information. More complex malware such as banking trojans (for example TrickBot) and stalkerware usually include infostealer components.

In most cases, this means stealing information that can make money for the cyber criminals.

Here are some things that criminals can steal and turn into money:

  • your bank card information can be used directly or resold to others who make purchases with your card,
  • your account logins can then be used to steal your past purchases (for example your Fortnite or Animal Crossing in-game purchases) which can be resold,
  • your account logins can buy new things if you saved your bank card,
  • your account logins can be sold themselves:
  • potentially photos and documents can be used for blackmail or monetized in other ways:
    • companies hit by ransomware increasingly face the prospect of their internal data and intellectual property being published online if they don’t pay
    • in 2014, a large number of famous women had extremely private photos stolen from their iCloud accounts and published, something that has significantly profited certain unethical message board and pornography website owners.

Criminals are creative and this is big, professional, business.

Bank Trojan Example

Android banking trojan example with step-by-step screenshots

Android banking trojan example with step-by-step screenshots

Infostealer attacks can be truly diabolical.

Take for example the workings of an Android banking trojan we saw spreading in 2017.

The user receives an SMS with a link to download an app with funny videos. When they install, they are asked to accept the permissions for the app. The user no doubt does this without checking, because anyway nobody understands all these permissions.

The app has a few real “funny videos” inside.

Still, its real job is to wait for you to open your banking app. When it sees you do this, it looks in its library of banking apps and uses the permission you gave it to draw on top of the login screen of your banking app with a fake exact copy of the login screen.

You enter your login details and it steals your username and password. At the same time, it logs you into the real app which is hidden behind the identical fake login screen, so that everything looks normal to you.

Now the trojan waits for you to finish with your bank. It then logs into your bank again without your help, and tries to transfer your money.

When this happens the bank sends you an SMS code to confirm payment – the app captures the code using another permission you gave it at install time, and even deletes the SMS message so you don’t know anything happened.


Not Only For Money

While money is by far the most common reason for infostealer attacks, it is not the only reason.

Like with the iCloud and many similar cases, information about our societies’ most vulnerable people (women, children, LGBTQIA+ people, people of colour, and others) is specifically targeted by those who seek to exploit those people, or to cause them violence.

We know that there are shameless “legal” companies who sell stalkerware, marketing it specifically to domestic abusers, abusive parents, and stalkers to be able to spy on and control their targets. This is why WithSecure is part of the industry-wide Coalition Against Stalkerware. Stalkerware are generally hidden trojans, which include a heavy part of infostealer technology – stealing a target’s photos, call history, chat history, location history, and more.

Infostealers are also used as part of cyber bullying, where access to a target’s accounts can be used to post embarrassing content, to remove friends, remove access, or as part of an overall gaslighting campaign.

More targeted attacks using infostealers are perpetrated by governments against activists, journalists, and opposition politicians, again with the help of shameless “legal” companies who sell this malware knowing how it will be used.

The infamous 2018 murder of journalist Jamal Khashoggi for example is believed to have involved infostealer techologies used against his colleagues, leading to the murder of one of his sources, and potentially having been used to know his schedule in advance in order to plan his murder.

Further in early 2020, we learnt about similar software being used against the world’s richest person, Jeff Bezos, likely because of reporting by the Washington Post newspaper that he owns.

How Common Are Infostealers?

According to WithSecure’s data just published in our H1 2020 Attack Landscape Report, infostealers now dominate the top 20 malware threats users are facing.

If you include trojans and RATs (Remote Access Trojans) that also contain infostealer elements, malware that steals your information make up 18 of the top 20 threats WithSecure has had to protect our users from.

Top 20 threats seen by F-Secure in H1 2020

Top 20 threats seen by WithSecure in H1 2020

Infostealers also dominate the spam email our users are receiving, with 75% of the coronavirus-themed email attachments we saw distributing either Lokibot or Formbook, infostealers that were found delivered in 38% and 37% of COVID attachments respectively.

Example of a real world spam email, pretending to be from a major bank, used to distribute the Lokibot infostealer/trojan.


In the last month in Finland, 131 of every 10K users had an infostealer or trojan infection attempt blocked by our software – 64% of all threats faced.

Top 10 threats detected by F-Secure End-Point Protection software in Finland in the Last Month (2020-Sep)

Top 10 threats detected by WithSecure End-Point Protection software in Finland in the Last Month (2020-Sep)


Threats detected by F-Secure End-Point Protection software in Finland in the Last Month (2020-Sep) split by type of threat

Threats detected by WithSecure End-Point Protection software in Finland in the Last Month (2020-Sep) split by type of threat


For Sweden it was 149 of every 10K users who had an infostealer or trojan infection attempt blocked by our software, or 47% of all threats faced.

Top 10 threats detected by F-Secure End-Point Protection software in Sweden in the Last Month (2020-Sep)

Top 10 threats detected by WithSecure End-Point Protection software in Sweden in the Last Month (2020-Sep)


Threats detected by F-Secure End-Point Protection software in Sweden in the Last Month (2020-Sep) split by type of threat

Threats detected by WithSecure End-Point Protection software in Sweden in the Last Month (2020-Sep) split by type of threat


How Do Infostealers Get Me?

The great majority of all malware infection, including infostealers, comes via spam emails.

The infection is either via an attachment to the email or a malicious website linked in the email.

For the websites, in recent years most infections come from tricking you into manually downloading and installing software from the site. We still see a minority of cases where direct infection happens without your help via “exploit kits”.

The same techniques that are used by spam email to trick people into installing and clicking are also used via SMS, Whatsapp, Facebook Messenger, and even via phone calls.

Again, criminals are creative and persistent. They only need a few people to click to make their whole campaign profitable.

In most cases, you are not specifically the target – rather the criminals are sending their bait to thousands or millions of people and waiting for a few people to click and make the criminal’s day.

There are a few common ways that criminals (and advertisers!) use to try to make us turn our brains off and just click.

These are things that should make you pause and step cautiously when you see them:

  • “Free” – just that word is enough in many cases to get a sale. Buyer beware!
  • Similarly, anything that is “too good to be true” – did you really just win an all-expenses paid trip around the world? Did you really just receive a list of all your bosses’ salaries by mistake? Probably not.
  • Urgency – “hurry hurry, only five minutes left” – if someone is trying to make you speed up, that is a very good time to slow down and look carefully.
  • Insider knowledge – they know your birthday, your boss’s name, and where you went to school, it must be real. Except all that information is easily available online. Don’t give them additional information before being sure they are who they say they are.
  • Authority – whether it is the FBI “catching you” doing something naughty on your computer, or your boss telling you to hurry and transfer a million dollars for a super secret deal, remember that it is very easy to pretend to be someone else via email, text, or other apps.

In all these cases, consider looking up the real phone number or email address of that person or organization on your internal company directory or your government/bank’s official website and calling back to check before taking an action.

Here are some more examples of tricks used in recent novel coronavirus related spam.

How Can I Stay Safe?

The main way to protect yourself against infostealers is to install good anti-malware software on your devices. Anti-malware software protects you in three main ways.

The first way is by directly stopping infostealer software that tries to install or run on your device. It can stop an infostealer both via recognising the bad software directly (so-called “signatures”) and by recognizing its behaviour (so-called “next-gen” detection).

The second way is via stopping you visiting the malicious websites that are the source of a lot of these infections – in other words “browsing protection”.

And the third way is specific to banking and online shopping where good anti-malware software will turn on additional protections when you connect to your bank’s website in order to confirm to you that it is not a fake, and also to stop other applications and browser tabs doing anything to interfere with your connection.

Of course, nothing will ever give you 100% protection, and not all attacks on your accounts and your information come via malware.

For this reason, one of the best things most people can do to improve their security is start using a password manager.

A password manager allows you to not worry even when your data for one service is exposed, because your password is both hard to crack, and even when cracked, it will only give the criminals access to one account, not all your accounts.

Not only that, a password manager is probably easier than whatever you do with your passwords today, thanks to easy autofill on all your devices, and never having to use “forgot my password”.

Keep Calm And Use A Password Manager laptop sticker

Keep Calm And Use A Password Manager laptop sticker

Of course at WithSecure, we are a bit biased!​ 😀 If you want, you can get our multi-device anti-malware solution and our password manager here. In addition, that bundle includes our ID Protection solution which will alert you if our dark/deep web scanners and human intelligence teams find your data in online breaches, and the bundle also includes our award-winning VPN solution.

Once you are using a password manager, and hopefully one that is notifying you whenever a breach of your data has been detected online, the next step is to turn on 2-factor (2FA) or multi-factor authentication (MFA) on as many of your accounts as possible.

MFA helps protect you even if your password is stolen, as the attacker will still need to get your token, in addition to your password, to be able access your information.

Remember the Android banking trojan above? That’s why it wanted permission to read your SMSes.

When you are turning on MFA, if possible set up MFA using a One Time Password (OTP) app on your phone (for example FreeOTP) or with a physical OTP generator like a Yubikey, instead of using SMS with your phone number.

OTP apps and physical keys are even more secure than SMS in cases where you are personally targeted, because so-called “SIM-swapping” attacks are not possible. If these options are not available, please do still turn on SMS-based MFA on your accounts.

Any MFA is better than no MFA!

The Last Line Of Defense Is You

Of course all these protections can still be bypassed if you give your password and the token to the attacker, whether by mistake or because you are coerced.

Mistakes happen, especially when we are busy, tired, and stressed. Still there is never a good reason to give someone your MFA token – try to remember this, and if in a moment of weakness you feel yourself starting to agree to do that, hopefully you will slow down and stop yourself.

If you are in a situation where you are being coerced to give access to your accounts and information, help is available. Examples include Operation Safe Escape and Le Refuge. If this applies to you, please be careful, where possible and safe for you, to only access these resources at times, places, and on devices that are not known to your abuser, for example at a public library.

If you are being blackmailed or harrassed with stolen non-consentual information, organizations such as the Cyber Civil Rights Initiative and specialist victims’ rights law firms such as C.A.Goldberg may be able to help you take back control.

If you an activist or a journalist and you think you may be targeted by state-sponsored infostealers, organizations like Citizen Lab may be able to help or point you towards local trusted experts.

Related posts

April 16, 2024

5 phases of a cyber attack: The attacker’s view

Cyber security is not something you do once and then you’re done. It is a continuous process that should be part of everything you do. However, no one has the resources to do everything perfectly. Thus, your goal should be constant improvement.

Read more
April 16, 2024

Of Cameras & Compromise: How IoT Could Dull Your Competitive Edge

The Internet of Things is here. And with it are exciting possibilities, cost savings and efficiencies. But there’s a dark side to this bright new world, and it can be summed up in what we call Hypponen’s Law: If it’s smart, it’s vulnerable.

Read more
April 16, 2024

How to decompile any Python binary

At WithSecure we often encounter binary payloads that are generated from compiled Python. These are usually generated with tools such as py2exe or PyInstaller to create a Windows executable.

Read more
April 16, 2024

The Chilling Reality of Cold Boot Attacks

What do you do when you finish working with your laptop? Do you turn it off? Put it to sleep? Just close the lid and walk away?

Read more