Tuesday, July 23, 2024

Beware of Fake Indian Rewards Apps That Installs Malware on Your Devices

Microsoft 365 Defender Research Team analysed the new version of previously reported info-stealing Android malware, delivered through an SMS campaign. This new version has remote access trojan (RAT) capabilities, targeting the customers of Indian banks.

The Message contains links that points to the info-stealing Android malware, leading the user to download a fake banking rewards app.

The SMS Campaign Attack Flow

Researchers say, the fake app, detected as [TrojanSpy:AndroidOS/Banker.O], used a different bank name and logo compared to a similar malware reported in 2021.

“The malware’s RAT capabilities allow the attacker to intercept important device notifications such as incoming messages, an apparent effort to catch two-factor authentication (2FA) messages often used by banking and financial institutions”, Microsoft

This diagram illustrates the typical infection chain of this Android malware. The infection starts from an SMS message that contains a malicious link that leads to the malicious APK.
SMS Campaign Attack Flow

The command and control (C2) server is linked to 75 different malicious APKs, all of which are based on open-source intelligence. 

The research team identified many other campaigns targeting Indian bank customers, including:

  • Axisbank_rewards[.]apk
  • Icici_points[.]apk
  • Icici_rewards[.]apk
  • SBI_rewards[.]apk

While researching on icici_rewards[.]apk, it presents itself as ICICI Rewards. Initially, this SMS campaign sends messages that contain a malicious link, leading to install malicious APK on a target’s mobile device.

“To lure users into accessing the link, the SMS claims that the user is being notified to claim a reward from a known Indian bank”, Microsoft Researchers.

Screenshot of the SMS message received. The message contains a link and mentions the name of a legitimate India-based bank.

Upon user interaction, it displays a splash screen with the bank logo and proceeds to ask the user to enable specific permissions for the app.

Screenshots of the fake app installed on the mobile device and where it states the Android permissions it needs to be enabled. The app uses an India-based bank's logo to appear legitimate.App installed on the Android device, Asks users to enable permissions on text messaging and contacts

It also requests users to enter their credit/debit card information as part of a supposed sign-in process, while the trojan waits for further instructions from the attacker.

These commands let the malware to collect system metadata, call logs, intercept phone calls, and steal credentials for email accounts such as Gmail, Outlook, and Yahoo.

“This malware’s new version adds several RAT capabilities that expands its information stealing. It enables the malware to add call log uploading, SMS message and calls interception, and card blocking checks”, Microsoft


  • Download and install applications only from official app stores.
  • Android device users can keep the Unknown sources option disabled to stop app installation from unknown sources.
  • Use mobile solutions such as Microsoft Defender for Endpoint on Android to detect malicious applications.

Download Free SWG – Secure Web Filtering – E-book


Latest articles

SonicOS IPSec VPN Vulnerability Let Attackers Cause Dos Condition

SonicWall has disclosed a critical heap-based buffer overflow vulnerability in its SonicOS IPSec VPN....

Hackers Registered 500k+ Domains Using Algorithms For Extensive Cyber Attack

Hackers often register new domains for phishing attacks, spreading malware, and other deceitful activities. Such...

Hackers Claim Breach of Daikin: 40 GB of Confidential Data Exposed

Daikin, the world's largest air conditioner manufacturer, has become the latest target of the...

Emojis Are To Express Emotions, But CyberCriminals For Attacks

There are 3,664 emojis that can be used to express emotions, ideas, or objects...

Beware Of Fake Browser Updates That Installs Malicious BOINC Infrastructre

SocGholish malware, also known as FakeUpdates, has exhibited new behavior since July 4th, 2024,...

Data Breach Increases by Over 1,000% Annually

The Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support...

UK Police Arrested 17-year-old Boy Responsible for MGM Resorts Hack

UK police have arrested a 17-year-old boy from Walsall in connection with a notorious...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles