Beware! Fake SBI Reward APK Attacking Users To Deliver Android Malware

Cybersecurity experts have uncovered a new Android malware campaign targeting unsuspecting users through a fake SBI Reward app.

Disguised as an official State Bank of India (SBI) rewards application, the malicious APK file is being distributed via WhatsApp messages.

The fake application is actively luring victims with promises of redeeming reward points worth ₹9,980.

Fake SBI Reward Application (Source – Malwr-Analysis)

This campaign highlights the growing sophistication of phishing attacks leveraging trusted brands to deceive users.

Cybersecurity professional Anurag wrote in his “Malwr-Analysis” blog that the attack begins with a WhatsApp message claiming that the recipient’s SBI reward points are about to expire.

The message includes a link to download an APK file named “SBI REWARDZ POINT 1.apk” (4.20 MB).

Once installed, the app requests excessive permissions, including access to SMS, contacts, call logs, and storage—permissions commonly abused by malware.


Technical Observations

APK Permissions

The malicious app’s AndroidManifest.xml reveals which device features it intends to abuse:-

AndroidManifest.xml file (Source – Malwr-Analysis)
  • Permissions requested: Internet access, SMS reading/sending, call handling, and storage access.
  • Services and receivers: Components like SmsReceiver and BootBroadcastReceiver are designed to intercept SMS messages and execute tasks during system boot.
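The manifest observations above translate directly into a triage check a defender can automate. The following is an added example, not code from the Malwr-Analysis write-up: it parses a decoded AndroidManifest.xml (a real APK ships the manifest as binary AXML, so it must first be decoded with a tool such as apktool or androguard, which is assumed here), lists the high-risk permissions, and flags receivers registered for the SMS_RECEIVED and BOOT_COMPLETED broadcasts that the SmsReceiver and BootBroadcastReceiver components rely on. The sample manifest, its package name and the risk table are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions commonly abused by banking trojans, with a short reason for each.
# INTERNET is deliberately not listed: nearly every app requests it.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.READ_PHONE_STATE": "read SIM/device identity",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage",
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start after boot",
}

# Broadcast actions whose receivers indicate SMS interception or boot persistence.
SUSPICIOUS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS interception",
    "android.intent.action.BOOT_COMPLETED": "boot persistence",
}

# Constructed sample modelled on the permissions and components the article lists.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakerewards">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="SBI Rewards">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootBroadcastReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: network access only, no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""


def triage_manifest(xml_text):
    """Return risky permissions and suspicious receivers found in a decoded manifest."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    findings = {"permissions": [], "receivers": []}
    for elem in root.iter("uses-permission"):
        perm = elem.get(name_attr, "")
        if perm in RISKY_PERMISSIONS:
            findings["permissions"].append((perm, RISKY_PERMISSIONS[perm]))
    for receiver in root.iter("receiver"):
        rname = receiver.get(name_attr, "")
        for action in receiver.iter("action"):
            aname = action.get(name_attr, "")
            if aname in SUSPICIOUS_ACTIONS:
                findings["receivers"].append((rname, aname, SUSPICIOUS_ACTIONS[aname]))
    return findings


def looks_like_sms_stealer(findings):
    """True when the app both holds an SMS permission and registers an SMS_RECEIVED receiver."""
    sms_perms = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
    has_sms_perm = any(p in sms_perms for p, _ in findings["permissions"])
    has_sms_receiver = any(a == "android.provider.Telephony.SMS_RECEIVED"
                           for _, a, _ in findings["receivers"])
    return has_sms_perm and has_sms_receiver


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"[{label}] risky permissions: {len(result['permissions'])}, "
              f"suspicious receivers: {len(result['receivers'])}, "
              f"SMS stealer pattern: {looks_like_sms_stealer(result)}")
```

The combination matters more than any single permission: RECEIVE_SMS alone is legitimate for an SMS client, but paired with a high-priority SMS_RECEIVED receiver in an app that claims to be a bank rewards program it is the signature of OTP interception.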

Network Traffic

Dynamic analysis using tools like Wireshark revealed that the app establishes connections with two command-and-control (C2) servers:

  1. wss://socket.missyou9[.]in
  2. https://superherocloud[.]com

These servers are used to exfiltrate sensitive data such as:-

  • Device manufacturer and model
  • Android version
  • SIM details
  • Mobile number

Additionally, the app periodically sends updates to these servers, exhibiting beaconing behavior.
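The two C2 hostnames and the periodic check-ins described above are the kind of thing an egress proxy or DNS log can surface. The following is an added example, not code from the original analysis: it keeps the indicators defanged exactly as the write-up prints them, refangs them only for matching, and then flags client/host pairs whose connection intervals are regular enough to look like beaconing. The log format and every log line are constructed for the example; the timing threshold is an assumption, not a value from the write-up.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# C2 domains reported for this campaign, kept defanged as in the write-up.
IOC_DOMAINS_DEFANGED = ["socket.missyou9[.]in", "superherocloud[.]com"]


def refang(domain):
    """Turn a defanged indicator ("example[.]com") back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Constructed sample: "timestamp client host" lines from a hypothetical egress log.
# 10.0.0.12 talks to the C2 every minute; 10.0.0.7 browses normally.
SAMPLE_LOG = """2025-01-10T10:00:00 10.0.0.12 socket.missyou9.in
2025-01-10T10:00:03 10.0.0.12 superherocloud.com
2025-01-10T10:00:45 10.0.0.7 www.example.org
2025-01-10T10:01:00 10.0.0.12 socket.missyou9.in
2025-01-10T10:02:00 10.0.0.12 socket.missyou9.in
2025-01-10T10:02:30 10.0.0.7 cdn.example.net
2025-01-10T10:03:01 10.0.0.12 socket.missyou9.in
2025-01-10T10:04:00 10.0.0.12 socket.missyou9.in
2025-01-10T10:09:00 10.0.0.7 www.example.org
2025-01-10T10:30:00 10.0.0.7 www.example.org"""


def parse_log(text):
    """Parse log lines into (timestamp, client, host) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, host = line.split()
        events.append((datetime.fromisoformat(ts), client, host.lower()))
    return events


def ioc_hits(events):
    """Events whose destination host matches a known C2 domain."""
    return [e for e in events if e[2] in IOC_DOMAINS]


def beaconing_pairs(events, min_connections=4, max_cv=0.2):
    """Client/host pairs with at least min_connections whose gaps are nearly constant.

    Regularity is measured as the coefficient of variation (stddev / mean) of the
    intervals between connections; a low value means machine-like periodic traffic.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    flagged = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append((client, host, round(avg, 1), round(cv, 3)))
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ts, client, host in ioc_hits(evts):
        print(f"IOC hit: {client} -> {host} at {ts.isoformat()}")
    for client, host, period, cv in beaconing_pairs(evts):
        print(f"Beacon: {client} -> {host} every ~{period}s (cv={cv})")
```

The IOC match catches this specific campaign; the interval check is the part that generalizes, since a renamed C2 domain still has to be contacted on a schedule. On real logs, run the beaconing check with a longer window and a higher minimum connection count to keep CDN and update traffic from being flagged.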

Keylogging and Phishing

The fake app mimics legitimate SBI login pages to harvest user credentials, including:-

  • Username and password
  • Debit/credit card details (number, expiry date, CVV)
  • OTPs for financial transactions

Phishing screens mimicking legitimate SBI login pages (Source – Malwr-Analysis)

Captured credentials are transmitted to the server superherocloud[.]com, which was registered just two months ago.

Static analysis uncovered hardcoded URLs and references to financial APIs within the APK’s code. A suspicious name, “Kritika,” was also found in log statements, potentially identifying the developer or a debugging artifact.

API calls (Source – Malwr-Analysis)

The APK was flagged by 25 out of 67 antivirus engines on VirusTotal as a trojan. The domains associated with this campaign have been linked to similar malicious activities impersonating other banking apps.

This attack is a clear attempt to exploit user trust in SBI branding while creating urgency through fake reward expiration claims. Victims risk losing sensitive banking information, which could lead to unauthorized financial transactions.

As recommendations, the researcher urged users to follow the guidelines below:-

  1. Avoid downloading APK files from unverified sources.
  2. Verify suspicious messages with official bank channels.
  3. Install apps only from trusted platforms like Google Play Store.
  4. Use antivirus software to detect malicious apps.
  5. Be cautious of messages creating urgency or offering rewards.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.