CyberSecurity SEE

Indian Banks Hit by Mobile Malware, Exposing 50,000 Users

A recent sophisticated mobile malware campaign has targeted Indian banks, affecting nearly 50,000 users by intercepting SMS messages, stealing valuable banking credentials, and exposing personal data. According to zLabs researchers, who analyzed close to 900 malware samples, there is evidence of a well-coordinated effort to exploit Android devices. The malware, identified as a banker Trojan, cleverly disguises itself as a legitimate banking or government application and spreads via WhatsApp as an APK file. Once installed, it proceeds to request sensitive information such as Aadhaar and PAN card details, credit/debit card information, ATM PINs, and mobile banking credentials.

What sets this malware apart is its utilization of active phone numbers to forward intercepted SMS messages, a departure from the more common command-and-control (C2) techniques. zLabs has pinpointed approximately 1000 phone numbers associated with this campaign and has shared this information with local authorities.

In addition to compromising user data, the researchers also found 222 Firebase storage buckets containing a total of 2.5GB of sensitive information, including bank messages, financial credentials, and government IDs. The exposed data was accessible through unsecured endpoints, posing a serious risk to the affected users. The malware employs three primary attack methods: SMS forwarding, Firebase exfiltration, and a hybrid approach combining both methods to steal one-time passcodes (OTPs) and messages.
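The three exfiltration patterns described above (forwarding to hardcoded phone numbers, Firebase storage endpoints, or both) can be triaged statically. The following is an added example, not code from the article or from zLabs: it assumes the analyst already has a decoded AndroidManifest.xml and the APK's extracted string table, and the manifest and strings below are constructed samples.

```python
import re
from dataclasses import dataclass

# Constructed sample of what decoded-APK triage would see; not from the real samples.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_STRINGS = [
    "Enter your Aadhaar and PAN to continue",
    "+919876543210",                            # hardcoded forwarding number (constructed)
    "https://example-bucket.appspot.com/sms/",  # hardcoded Firebase endpoint (constructed)
    "build 20240115",
]

SMS_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
                   "android.permission.SEND_SMS"}
PERMISSION_RE = re.compile(r'<uses-permission[^>]*android:name="([^"]+)"')
# Indian mobile numbers: optional +91 / 0 prefix, then ten digits starting with 6-9.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?91[\s-]?|0)?[6-9]\d{9}(?!\d)")
FIREBASE_RE = re.compile(
    r"https?://(?:[\w.-]+\.)?(?:firebaseio\.com|appspot\.com|firebasestorage\.googleapis\.com)[^\s\"']*")

@dataclass
class Triage:
    sms_permissions: list
    phone_numbers: list
    firebase_endpoints: list
    verdict: str

def triage_apk(manifest_xml: str, strings: list) -> Triage:
    """Flag the SMS-forwarding / Firebase-exfiltration pattern from static artifacts."""
    perms = sorted(p for p in PERMISSION_RE.findall(manifest_xml) if p in SMS_PERMISSIONS)
    phones = sorted({m.group(0) for s in strings for m in PHONE_RE.finditer(s)})
    endpoints = sorted({m.group(0) for s in strings for m in FIREBASE_RE.finditer(s)})
    if perms and phones and endpoints:
        verdict = "hybrid"            # SMS access plus both exfiltration channels
    elif perms and phones:
        verdict = "sms-forwarding"    # SMS access plus a hardcoded number to forward to
    elif perms and endpoints:
        verdict = "firebase-exfil"    # SMS access plus a hardcoded Firebase endpoint
    else:
        verdict = "no-match"          # SMS permissions alone are common in benign apps
    return Triage(perms, phones, endpoints, verdict)

if __name__ == "__main__":
    print(triage_apk(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

A hit is a lead for manual review, not a conviction: legitimate banking apps also hold SMS permissions, and a Firebase endpoint flagged here should next be checked for unauthenticated read access, which is what exposed the 2.5GB described above.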

Jason Soroko, a senior fellow at Sectigo, noted that the reliance on SMS-delivered OTPs underscores a critical flaw in multi-factor authentication, as they are susceptible to interception and redirection. This incident serves as a reminder of the need for stronger and more resilient MFA methods beyond the outdated SMS-based approach. Over 1000 malicious applications have been scrutinized, revealing code obfuscation and hardcoded exfiltration points.

By tracing the attackers’ SIM locations, it was determined that most of the phone numbers were linked to West Bengal, Bihar, and Jharkhand, comprising 63% of the total. Furthermore, bank-related SMS messages were extracted to pinpoint the targeted financial institutions. Attackers went to great lengths to impersonate well-known Indian banks and government schemes by using fake app icons, which helped in bolstering credibility and expanding their reach.

Ray Kelly, a fellow at Black Duck, emphasized the importance of safeguarding against mobile threats by refraining from installing apps from unverified third-party sources, as they could potentially contain malware. To minimize risk, users are urged to exclusively download apps from the official Google Play Store, which includes security measures like Google’s Play Protect to identify harmful software. Enterprises are advised to implement advanced mobile security solutions with real-time, on-device security features utilizing machine learning and behavioral analysis to proactively detect threats before they compromise user data.

In light of this concerning development, it is imperative for both individuals and organizations to remain vigilant and take necessary precautions to protect sensitive information and prevent falling victim to such malicious campaigns targeting mobile devices.
