A sophisticated malware campaign, dubbed “FatBoyPanel,” has been uncovered by cybersecurity researchers, targeting users of Indian banks.
This campaign, consisting of nearly 900 malware samples, is designed to steal sensitive financial and personal information, including Aadhaar numbers, PAN cards, ATM PINs, and credit card details.
The malware primarily exploits Android devices and poses a significant threat to digital banking security in India.
The malware is distributed via WhatsApp as APK files that masquerade as legitimate government or banking applications.
Once installed, these malicious apps mimic the user interface of real banking apps to deceive users into providing sensitive information.
Key details targeted include Aadhaar and PAN numbers, credit and debit card credentials, ATM PINs, and mobile banking login details.
One of the malware’s most alarming features is its ability to exploit SMS permissions on compromised devices.
It intercepts and exfiltrates one-time passwords (OTPs) and other sensitive messages, enabling unauthorized transactions.
The malware employs advanced stealth techniques to hide its presence and resist uninstallation, ensuring persistence on infected devices.
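A defender-side triage of the traits described above, as an added example that is not from the original article or from the researchers: it reads an `AndroidManifest.xml` already decoded to text (for instance with apktool) and flags SMS-permission requests. The missing-launcher check is an assumed heuristic for "hiding", since the article does not say how the apps conceal themselves; the function name and both sample manifests are constructed.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened XML parser

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}

def triage_manifest(manifest_xml):
    """Return triage findings for one decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NS + "name") for tag in ("uses-permission", "uses-permission-sdk-23")
                 for el in root.iter(tag)}
    sms = sorted(requested & SMS_PERMS)
    # Assumed heuristic: an icon exists only if an activity (or alias) declares LAUNCHER.
    has_launcher = any(
        cat.get(NS + "name") == "android.intent.category.LAUNCHER"
        for kind in ("activity", "activity-alias")
        for cat in root.findall(f"./application/{kind}/intent-filter/category"))
    findings = []
    if sms:
        findings.append("requests SMS access: " + ", ".join(sms))
    if "android.permission.RECEIVE_SMS" in requested and "android.permission.INTERNET" in requested:
        findings.append("can receive SMS and reach the network, so OTPs could leave the device")
    if not has_launcher:
        findings.append("declares no launcher activity, so no icon appears in the app drawer")
    return {"package": root.get("package"), "sms_permissions": sms,
            "has_launcher": has_launcher, "findings": findings}

# Constructed sample manifests (not taken from any real sample).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.kyc">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
  </intent-filter></activity></application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.LAUNCHER"/>
  </intent-filter></activity></application>
</manifest>"""

if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(triage_manifest(sample))
```

A hit here is a reason to look closer, not a verdict: legitimate messaging apps also request SMS permissions.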
The FatBoyPanel malware family includes three distinct variants:
Researchers identified over 1,000 malicious applications linked to this campaign.
These apps use techniques like code obfuscation to evade detection and make reverse engineering challenging.
Alarmingly, data exfiltrated through Firebase endpoints was found to be publicly accessible due to a lack of authentication mechanisms.
This exposed sensitive information of approximately 50,000 users, including bank account details and government-issued IDs.
Zimperium's analysis of the attackers’ phone numbers revealed that most were registered in regions such as West Bengal, Bihar, and Jharkhand.
The campaign also impersonated several prominent Indian banks by replicating their app icons and interfaces to enhance credibility.
To mitigate risks:
The increasing reliance on digital payments in India underscores the importance of robust cybersecurity measures.
Both individuals and institutions must remain vigilant against evolving threats like the FatBoyPanel campaign to safeguard financial data effectively.