Cybersecurity researchers at CYFIRMA have uncovered a sophisticated Android banking malware campaign targeting Indian users through fake banking applications designed to steal credentials, intercept SMS messages, and conduct unauthorized financial transactions.
The malicious software employs advanced techniques, including silent installation mechanisms and Firebase cloud infrastructure for command-and-control operations, posing significant threats to mobile banking security across the country.
The malware operates through a two-stage infection process involving a dropper application and a primary payload, both of which are designed to evade detection while maintaining persistent access to compromised devices.
Security analysts identified two specific malware samples with SHA256 hashes ee8e4415eb568a88c3db36098b7ae8019f4efe565eb8abd2e7ebba1b9fb1347d and 131d6ee4484ff3a38425e4bc5d6bd361dfb818fe2f460bf64c2e9ac956cfb13d that demonstrate the campaign’s technical sophistication.
The attack begins with a dropper application that tricks users into enabling the “Install Unknown Apps” permission through fake update popups.
Once granted, the malware exploits the REQUEST_INSTALL_PACKAGES permission to install additional payloads without the user’s awareness.
The dropper leverages Android’s FileProvider functionality to generate URIs and uses the INSTALL_NOW flag to bypass user interaction during the installation process.
The primary payload deliberately hides itself from users by setting its activity category to INFO instead of LAUNCHER, making the malicious app invisible in the device’s app list while remaining active in the background.
This stealth technique allows the malware to operate undetected while harvesting sensitive information, including SMS messages, phone numbers, and banking credentials, through sophisticated phishing interfaces that closely mimic legitimate banking applications.
The malware demonstrates extensive data collection capabilities through abuse of critical Android permissions, including READ_SMS, SEND_SMS, READ_PHONE_STATE, and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS.
These permissions enable the malware to intercept two-factor authentication codes, monitor call forwarding activities, and maintain persistence even after the device is rebooted.
Particularly concerning is the malware’s use of Firebase Realtime Database for command-and-control operations, which enables attackers to execute commands and remotely exfiltrate stolen data.
The application can manipulate call forwarding settings using USSD codes formatted as **21*number# to redirect incoming calls to attacker-controlled numbers, facilitating sophisticated social engineering attacks against victims.
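The manifest-level indicators described above (the dropper's REQUEST_INSTALL_PACKAGES plus a FileProvider, an activity registered under the INFO category with no LAUNCHER entry, the SMS and phone-state permissions, and the ability to dial USSD call-forwarding codes) can be checked statically before an APK is ever run. The following Python script is an added triage example written for this article, not CYFIRMA's tooling or code from the samples; it assumes the manifest has already been decoded to plain XML (for instance with apktool), and the sample manifest embedded in it is constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the risk indicators discussed above.

Added example for defenders; not part of the original report. Assumes the
manifest is already decoded to readable XML (e.g. by apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # ElementTree spelling of android:name

# Permissions named in the report, and what each one lets an app do.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (dropper behaviour)",
    "android.permission.READ_SMS": "can read stored SMS, including OTP codes",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS",
    "android.permission.SEND_SMS": "can send SMS from the device",
    "android.permission.READ_PHONE_STATE": "can read phone identity and call state",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "can stay resident in the background",
    "android.permission.CALL_PHONE": "can dial USSD codes such as call-forwarding requests",
}

INFO_CATEGORY = "android.intent.category.INFO"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the indicators found in the manifest plus a simple risk score."""
    root = ET.fromstring(manifest_xml)
    findings = {"permissions": [], "hidden_activities": [], "fileprovider": False}

    # 1. Dangerous permission requests.
    for perm in root.iter("uses-permission"):
        name = perm.get(NAME, "")
        if name in RISKY_PERMISSIONS:
            findings["permissions"].append((name, RISKY_PERMISSIONS[name]))

    app = root.find("application")
    if app is not None:
        # 2. Activities that use the INFO category without LAUNCHER: such an app
        #    has no icon in the app drawer, the hiding trick described above.
        for activity in app.iter("activity"):
            cats = {c.get(NAME) for f in activity.iter("intent-filter") for c in f.iter("category")}
            if INFO_CATEGORY in cats and LAUNCHER_CATEGORY not in cats:
                findings["hidden_activities"].append(activity.get(NAME))
        # 3. A FileProvider is legitimate on its own; it only matters combined
        #    with REQUEST_INSTALL_PACKAGES, where it serves the dropped APK.
        for provider in app.iter("provider"):
            if provider.get(NAME, "").endswith("FileProvider"):
                findings["fileprovider"] = True

    perm_names = {p for p, _ in findings["permissions"]}
    score = len(findings["permissions"]) + 2 * len(findings["hidden_activities"])
    if findings["fileprovider"] and "android.permission.REQUEST_INSTALL_PACKAGES" in perm_names:
        score += 1
    findings["score"] = score
    findings["verdict"] = "high" if score >= 4 else ("review" if score else "low")
    return findings


# Constructed sample manifest mirroring the indicators described in the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Update">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.INFO"/>
      </intent-filter>
    </activity>
    <provider android:name="androidx.core.content.FileProvider"
        android:authorities="com.example.fakebank.fileprovider"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(f"verdict={result['verdict']} score={result['score']}")
    for name, why in result["permissions"]:
        print(f"  {name}: {why}")
    for act in result["hidden_activities"]:
        print(f"  hidden activity (INFO without LAUNCHER): {act}")
    if result["fileprovider"]:
        print("  FileProvider declared alongside REQUEST_INSTALL_PACKAGES")
```

The score is deliberately crude: a legitimate SMS client or an app store also requests some of these permissions, so the output is a prompt for analyst review, not a verdict on its own. The combination that matters most in this campaign is an install-capable dropper with a FileProvider together with an INFO-only activity, which is why those two indicators are weighted above a single permission.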
Security experts warn that the malware’s modular architecture, featuring specialized classes for account credentials (Account class) and debit card information (Debit class), indicates a highly organized cybercriminal operation.
The campaign emphasizes the pressing need for enhanced mobile security measures and user education about the risks associated with installing applications from unauthorized sources, as attackers persist in exploiting legitimate cloud services and social engineering tactics to compromise Indian banking customers.