How Russian banks use Trojan apps to stay in the Apple App Store

What a Trojan application looks like for the West [ left] and for Russian users [right] (X/@uwukko)

Sanctioned banks in Russia are bypassing Apple's App Store verification process to stay in the App Store. Here's how they do it.

Apple is doing everything it can , to stay within the laws of the countries in which it operates, including developing its regional app stores to keep sanctioned apps out of them, but that doesn't stop companies that are effectively banned from the App Store from trying to stay in German

Sanctions against Russian banks in connection with the country's military activities in Ukraine since February 25 forced Apple to remove a number of applications from the App Store and block access to Apple Pay. Sanctions from the EU and the US have effectively prohibited access to the accounts of large Russian banks.

Although Russian banking apps are banned from the App Store due to sanctions, since Apple is an American company, bank customers in the country cannot access their accounts from their devices. To get around this problem, banks use Trojan apps to gain access to the App Store.

In a tweet thread on X, developer Wukko cites a recent example of how Russian bank Sber thwarted the App Store review process by hiding its banking app in another.

The app, released by a developer under the name “Prablin Hora”, was presented as a fake loan tracking app. Crucially for this ploy, the appearance of the lending app was only shown in Western countries, but Russian users saw the banking app instead.

The app determined the user's IP address and then showed the version of the app for that target audience. The configuration file is requested from a third-party server when the application is launched, and the file changes depending on the user's IP address.

The domain “” on which the file is located belongs to the CDN Video company, which, in turn, belongs to and was previously called

Although it is quite likely that the App Store review process was broken due to a change in configuration file verification, Vukko suggests that Apple may have smelled something fishy about the app from its version history. The first version of the app on the App Store was “just libraries” at around 37MB in size, while the second version, a mock accounting app, grew to 57.8MB.

The third version, which includes the banking app itself, is up to 232.8 MB in size, which is 175 MB more than the previous version.

Vukko adds that if you drag the path to the link to the configuration file, the address will take you to the APK page for the Android version of Sber.

Multiple Trojan banks

According to the tweeter, Sber is not the only bank doing this. Tinkoff, another sanctioned bank, also released its own Trojan app using a roughly similar trick.

The InvestCalendar application requested a configuration file from Firebase. However, Firebase blocks all requests from outside Russia, which means that only users in Russia receive the configuration file to switch the Trojan.

This app also saw a sharp increase in file size, from 5.2 MB to 159.6 MB.

“The purpose of this thread is to show that Apple doesn't actually review apps in the app store and is only picky when it benefits them and not the users,” Vukko writes, before expressing “insane respect”. banks for continuing to provide applications to customers in the “current political climate.”

Although Vukko states that “the amount of effort [banks] put into these secret apps is crazy,” he does offer a more sobering warning about the technique. “This can easily be abused to distribute malware instead of innocent banking applications.”

Apple has since taken action against the apps and removed them from the App Store.

App Store review rules include elements prohibiting the submission of apps with counterfeit features, as well as a rule that financial trading, investing, and money management apps must be submitted by the financial institution itself. Apps are also prohibited from “arbitrarily limiting who can use an app, such as by location or carrier.”

Leave a Reply

Your email address will not be published. Required fields are marked *