Monday, May 12, 2025
HomeAndroidDangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware...

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Published on

SIEM as a Service

Follow Us on Google News

A new Android malware that contains the functionalities of Banking Trojan, call forwarding, audio recording, keylogging and Ransomware Activities. The malware targeted the popular banking apps such as HFC, ICICI, SBI, Axis Bank and other E-Wallets.

The malware operator needs more user interaction to be a successful attack, it continues to force the users in a continuous loop until the permission for AccessibilityService is granted. By having the AccessibilityService enabled it allows the malware to abuse any permission without user concern.

Quick Heal researchers spotted the malware that performs a number of activities based on the commands received from the C&C server.

- Advertisement - Google News
Android malware

Android Malware Features

Once the targeted application is launched it displays an overlay phishing login form over its window and asks for confidential information such as the username and password. Overlay attacks allow an attacker to draw on top of other windows and apps running on the affected device.

Android malware

The main APK file is highly obfuscated and the strings are encrypted, it also adds junk data to make it difficult for reverse engineering.

It also uses to check whether the user has play protection enabled or not if it is not enabled it to display fake alerts “The system does not work correctly, disable Google Play Protect” and asks users to disable it.

Android malware

Also, researchers spotted that if the user’s trying to uninstall the application the malware shows an alert with “System Error 495” message.

Threat actors used Twitter accounts for C&C communication, attackers post the encrypted C&C server address in Twitter and the malware takes the encrypted address from Twitter account.

If the malware receives the command “cryptokey” it encrypts all the files in victim’s device and renames it with the extension “.AnubisCrypt”. Once the encryption is done it shows the ransom note and blocks windows screen by showing Window WebView.

Quick Heal Security Labs published a blog post with a complete list of targeted apps and Indicators of compromise.

Also Read

Trickbot Malware Re-emerging via MS Word Documents with Powerful Code-Injection Technique

PhishPoint – Hackers Uses New Phishing Technique To Steal User Credentials

16 Years Old Australian Teen Hacked into Apple’s Secure Network & Download the Sensitive Files

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core...

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded...

20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week

A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s...

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

“PupkinStealer” – .NET Malware Steals Browser Data and Exfiltrates via Telegram

A new information-stealing malware dubbed “PupkinStealer” has emerged as a significant threat to individuals...

New Stealthy .NET Malware Hiding Malicious Payloads Within Bitmap Resources

Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a novel obfuscation method...

Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender...