Android Users in India Targeted by Malicious Apps Posing as Banks and Government Agencies

Users of Android smartphones in India are the focus of a new malware campaign that makes use of social engineering techniques to persuade users to download and install fake applications that are capable of collecting sensitive data.

"Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities," Microsoft threat intelligence researchers Abhishek Pustakala, Harshita Tripathi, and Shivang Desai said in an analysis published on Monday.

The ultimate goal of the operation is to harvest sensitive personal and financial information, including bank account details, payment card data, account credentials, and other personally identifiable information.

The attack chains involve distributing malicious APK files through WhatsApp and Telegram messages that pass them off as banking apps, while creating a sense of urgency by claiming that the target's bank account will be blocked unless they use the bogus app to update their permanent account number (PAN), an identifier issued by the Indian Income Tax Department.

Once installed, the app prompts the victim to enter their bank account details, debit card PIN, PAN card number, and online banking credentials. This information is then exfiltrated to an actor-controlled command-and-control (C2) server and also sent to a hard-coded phone number.


"Once all the requested details are submitted, a suspicious note appears stating that the details are being verified to update KYC," according to the investigators.

"The user is warned to wait thirty minutes before deleting or uninstalling the app," the message reads. In addition, the app can hide its icon so that it disappears from the home screen of the device while it keeps running in the background.

Another notable feature of the malware is that it requests permission to read and send SMS messages. This lets it steal one-time passwords (OTPs) and forward the victim's incoming messages to the threat actor's phone number via SMS.

Variants of the banking trojan identified by Microsoft have also been observed stealing credit card information alongside personally identifiable information (PII) and incoming SMS messages, putting unsuspecting users at risk of financial theft.

It is worth noting, however, that these attacks only succeed if the user first allows the installation of apps from unknown sources outside the Google Play Store, since the malicious APK has to be sideloaded.


"Mobile banking trojan infections can pose significant risks to users' personal information, privacy, device integrity, and financial security," according to the investigators. "These threats can often disguise themselves as legitimate apps and deploy social engineering tactics to achieve their goals and steal users' sensitive data and financial assets."

The disclosure comes as the Android ecosystem has also been targeted by the SpyNote malware, which has been distributed to Roblox users disguised as a game mod in order to steal sensitive information.

In another case, fake adult websites are being used as bait to trick users into installing an Android malware strain called Enchant, which is designed to steal information from cryptocurrency wallets.

"Enchant malware uses the accessibility service feature to target specific cryptocurrency wallets, including imToken, OKX, Bitpie Wallet, and TokenPocket wallet," Cyble said in newly released research.

"Its primary objective is to steal critical information such as wallet addresses, mnemonic phrases, wallet asset details, wallet passwords, and private keys from compromised devices."
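As an added example (not code from Microsoft's or Cyble's analyses, and not taken from any sample), the following Python script triages a decoded AndroidManifest.xml for the indicators described in the two campaigns above: the SMS read/receive/send permissions the fake banking app needs in order to intercept and forward OTPs, and the accessibility-service declaration that Enchant relies on to read and drive wallet apps. It assumes the manifest has already been decoded from binary AXML to plain XML (apktool does this); the package names and the three sample manifests inside it are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the patterns described above:
SMS read/send permissions (OTP theft and forwarding) and an accessibility
service (UI hijacking). Added example, not code from Microsoft, Cyble or any
sample; assumes the manifest is already decoded to plain XML (e.g. by apktool).
All package names and manifests below are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
READ_SMS = "android.permission.READ_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
SEND_SMS = "android.permission.SEND_SMS"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

FINDINGS = {
    "sms_read": "requests READ_SMS or RECEIVE_SMS: can read incoming OTP messages",
    "sms_forward": "requests SMS read and SEND_SMS: can forward OTPs to a remote number",
    "sms_receiver": "registers a receiver for SMS_RECEIVED broadcasts",
    "accessibility_service": "declares an accessibility service: can read and drive other apps' UI",
}


def parse_manifest(xml_text):
    """Pull the permissions and components the triage needs out of a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms.discard(None)
    sms_receiver = any(
        a.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION
        for r in root.iter("receiver") for a in r.iter("action")
    )
    accessibility = any(
        s.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY
        for s in root.iter("service")
    )
    return {"package": root.get("package"), "permissions": perms,
            "sms_receiver": sms_receiver, "accessibility_service": accessibility}


def triage(xml_text):
    """Return the sorted finding tags (keys of FINDINGS); an empty list means nothing flagged."""
    info = parse_manifest(xml_text)
    perms = info["permissions"]
    tags = []
    can_read_sms = bool(perms & {READ_SMS, RECEIVE_SMS})
    if can_read_sms:
        tags.append("sms_read")
    if can_read_sms and SEND_SMS in perms:
        tags.append("sms_forward")
    if info["sms_receiver"]:
        tags.append("sms_receiver")
    if info["accessibility_service"]:
        tags.append("accessibility_service")
    return sorted(tags)


# Constructed manifest resembling the fake "bank KYC update" app described above.
FAKE_BANK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank.kyc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Bank KYC Update">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest resembling an accessibility-abusing wallet stealer.
WALLET_STEALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.walletgrabber">
  <application android:label="Video Player">
    <service android:name=".UiService" android:exported="true"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_BANK_MANIFEST, WALLET_STEALER_MANIFEST, BENIGN_MANIFEST):
        print(parse_manifest(manifest)["package"])
        for tag in triage(manifest):
            print("  -", FINDINGS[tag])
```

Run it as a script to see the findings for the three constructed manifests, or call triage() on a manifest decoded from an APK that arrived over WhatsApp or Telegram. A hit is a triage signal, not proof of malice: a few legitimate apps do hold SMS permissions, but a sideloaded "bank update" that asks to both read and send SMS, or a "video player" that wants to bind an accessibility service, has no honest reason to.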

Last month, Doctor Web discovered a number of malicious apps on the Google Play Store that displayed intrusive advertisements (HiddenAds), subscribed users to premium services without their knowledge or consent (Joker), and promoted investment scams by posing as trading software (FakeApp).

The steady stream of malicious Android apps has prompted Google to roll out additional security capabilities for the operating system, such as real-time code-level scanning of newly encountered apps. In addition, with Android 13 it introduced restricted settings, which prevent sideloaded apps from being granted access to sensitive device settings (such as accessibility) unless the user explicitly allows it.

Google is not alone. In late October 2023, Samsung introduced a new Auto Blocker option that blocks malicious commands and software downloads over a USB connection and prevents the installation of apps from sources other than the Google Play Store and the Galaxy Store.

Users are urged to check the legitimacy of app developers, read reviews, and vet the permissions an app requests, so that they avoid installing malicious software even when it comes from Google Play or other trusted sources.
