Researchers have discovered a new Android banking trojan targeting Indian users, and this malware disguises itself as essential utility services to trick users into providing sensitive information.
The malware has already compromised 419 devices, intercepted 4,918 SMS messages, and stolen 623 banking credentials.
As this active campaign continues, the number of affected devices and stolen data is likely to increase.
2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide
Cybercriminals are leveraging WhatsApp’s immense user base in India to distribute malicious APKs, which, once installed, grant attackers unauthorized access to victims’ financial data.
By exploiting the trust and familiarity associated with messaging platforms, phishers can deceive users into downloading and executing harmful software, leading to potential financial loss and compromised personal information.
The malware, disguised as a gas bill payment app, leverages the PayRup logo to gain user trust.
Once installed and permissions granted, it prompts users for sensitive financial information, including card and bank details, which is then exfiltrated to a C2 server while the app displays a deceptive payment failure message.
It lacks the “android.intent.category.LAUNCHER” attribute in its AndroidManifest.xml, preventing its icon from appearing in the launcher and potentially allowing it to remain undetected on the device.
Malware exploited Supabase’s RESTful APIs to store stolen data and exposed a JWT token in plaintext, allowing unauthorized access to the Supabase instance.
Investigators discovered 5,558 records, including 4,918 SMS messages and 623 financial records, stored in the database, while the analysis of package names reveals a sophisticated scam operation with a focus on financial institutions and utility services.
Eight distinct package prefixes were identified, each corresponding to a specific scam theme, including major banks like Axis, ICICI, and Punjab National Bank, as well as regional banks and utility providers.
This strategic approach, coupled with the development of multiple variants within each theme, significantly enhances the effectiveness and resilience of their malicious campaigns, making detection and mitigation more challenging.
The malware actor has developed a mobile app to directly manage the C2 infrastructure, which, unlike previous malware, bypasses web interfaces and communicates directly with C2 servers.
It can remotely command infected devices to forward SMS messages to specified numbers. The app leverages Firebase Realtime Database for simple configuration data storage and retrieval, highlighting its focus on direct device control and data exfiltration.
McAfee research has identified 419 unique devices infected with a specific malware variant, which is expected to rise due to the continuous evolution and spread of new strains.
Given the prevalence of scams originating from messaging platforms like WhatsApp, users should exercise caution when interacting with messages from unfamiliar sources, while the deployment of robust security software capable of addressing emerging threats is strongly recommended.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
