At CYFIRMA, our dedication to providing timely intelligence on emerging cyber threats is unwavering. Our latest report delves into an Android malware that masquerades as legitimate banking applications in India in order to steal credentials, surveil the victim and enable unauthorized transactions. The malware combines a dropper-driven second-stage installation, abuse of sensitive Android permissions, and remote command execution to evade detection and maintain persistence. It uses Firebase for command-and-control and data exfiltration, and phishing pages that mimic authentic banking interfaces to deceive users. This analysis aims to enhance awareness and fortify defenses against mobile banking threats.
EXECUTIVE SUMMARY
The malware operates through a modular architecture comprising a dropper and a main payload. It employs deceptive user interfaces, silent installation mechanisms, and extensive abuse of Android permissions. Our analysis reveals the malware’s capabilities, which include SMS interception, data exfiltration, debit card data harvesting, call forwarding abuse, and remote command execution. The use of Firebase infrastructure for command-and-control operations, coupled with stealth techniques such as hidden launcher activities, allows the malware to evade detection effectively. The report highlights critical behaviors, permissions, and infection tactics, providing essential insights for defenders and analysts monitoring mobile threats.
STATIC ANALYSIS
Permissions of a Dropper
The malicious banking APK, referred to here as the dropper, requests a small set of Android permissions that together support reconnaissance, staging of the second-stage payload, and persistence:
- android.permission.ACCESS_NETWORK_STATE: A normal-level permission that lets the app check connectivity before acting, so that payload delivery and data exfiltration are attempted only when a usable connection is available. On its own it is harmless and common in benign apps.
- android.permission.REQUEST_INSTALL_PACKAGES: A sensitive permission that lets the app hand an APK to the system package installer. Droppers routinely abuse it to install a second-stage payload, typically dressed up as an "update" so that the victim approves the installer prompt.
- android.permission.QUERY_ALL_PACKAGES: Grants visibility into every installed package (since Android 11 package visibility is filtered by default). The dropper can use it to discover which banking and security apps are present and tailor its behaviour accordingly.
Fig: Permissions of a Dropper
Silent Installation Mechanism Used by Android Banking Droppers
The dropper ships the main payload as a file in its assets folder, copies it to external storage at runtime and exposes it through a FileProvider so that it can be handed to the system package installer as a content:// URI (required since Android 7.0, where passing a file:// URI to another app raises FileUriExposedException). It then fires an install intent for that URI; the INSTALL_NOW flag launches the installer immediately, without any further screen from the dropper. Sideloading the payload this way bypasses Play Store review entirely. Note that on a stock device the package installer's own confirmation dialog still appears, so "silent" here means the dropper needs no further interaction of its own, not that the installation is invisible to the user.
Fig: Silent Main APK Installer
Abuse of Permission Activity
The PermissionActivity checks whether the app is allowed to install packages and, on Android 8.0 (API 26) and above, sends the user to the per-app "Install unknown apps" settings page when it is not (the standard pattern is PackageManager.canRequestPackageInstalls() followed by Settings.ACTION_MANAGE_UNKNOWN_APP_SOURCES), framing the request so that the victim enables the toggle for the dropper. A delay is introduced before the check is retried, so that once the toggle is on the installer is launched in the background without any further prompt from the dropper.
Fig: Permission Request Flow
Permissions of a Main Payload
The main APK requests permissions that support the data theft and persistence described below:
- READ_SMS: Lets the app read the SMS inbox, exposing one-time passwords and other transaction messages already on the device.
- SEND_SMS: Lets the app send SMS on the victim's behalf, for instance to spread malicious links or to send messages as the victim.
- RECEIVE_SMS: Lets the app receive incoming SMS as they arrive, which is what enables real-time interception of verification codes (typically via a broadcast receiver with a high priority).
- REQUEST_IGNORE_BATTERY_OPTIMIZATIONS: Lets the app ask to be exempted from Doze and app standby so that its background components are not killed by the system.
- READ_PHONE_STATE: Exposes telephony details (SIM and network state, and on older Android versions the device identifiers), used for device fingerprinting and user tracking.
- RECEIVE_BOOT_COMPLETED: Lets a receiver start the malware after every reboot, so that persistence survives a restart.
Fig: Permissions of the main payload
Main Payload
The main payload hides itself from the app drawer: its main activity's intent filter declares android.intent.category.INFO in place of android.intent.category.LAUNCHER, so the component still resolves as the app's entry point but no launcher icon is created. The payload therefore runs in the background without anything the victim would recognise as an installed app, a technique commonly used by Android malware to avoid notice while remaining active.
Fig: Hidden App
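The dropper and main-payload permission sets above, together with the category-INFO launcher trick, are cheap to check mechanically on a decoded APK. The following is an added triage script, not CYFIRMA's code or anything from the sample; it parses an apktool-decoded AndroidManifest.xml and reports the permission profiles, the FileProvider-plus-install-permission pairing, the hidden-launcher pattern and the SMS/boot receivers. The two manifests embedded at the bottom are constructed to match the report's description (the package names, component names and authority string are invented), so that the script runs offline.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace

DROPPER_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES",
                 "android.permission.QUERY_ALL_PACKAGES"}
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
PERSISTENCE_PERMS = {"android.permission.RECEIVE_BOOT_COMPLETED",
                     "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}

def manifest_triage(xml_text):
    """Triage one decoded AndroidManifest.xml (apktool output) for the patterns the report describes."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings = []
    if DROPPER_PERMS <= perms:
        findings.append("dropper-profile: REQUEST_INSTALL_PACKAGES + QUERY_ALL_PACKAGES")
    if SMS_PERMS <= perms:
        findings.append("sms-interception-profile: READ/RECEIVE/SEND_SMS all requested")
    if PERSISTENCE_PERMS <= perms:
        findings.append("persistence-profile: boot receiver + battery-optimisation exemption")
    # A FileProvider next to REQUEST_INSTALL_PACKAGES is the content:// hand-off a
    # dropper uses to push a staged APK into the system package installer.
    providers = [p.get(A + "name") or "" for p in root.iter("provider")]
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms and any(
            n.endswith("FileProvider") for n in providers):
        findings.append("staged-install: REQUEST_INSTALL_PACKAGES with a FileProvider")
    # Launcher visibility: a MAIN activity whose filter carries category INFO
    # instead of LAUNCHER is still the entry point but gets no app-drawer icon.
    has_launcher = hidden_launcher = False
    for act in root.iter("activity"):
        name = act.get(A + "name")
        for flt in act.iter("intent-filter"):
            actions = {x.get(A + "name") for x in flt.iter("action")}
            cats = {x.get(A + "name") for x in flt.iter("category")}
            if "android.intent.action.MAIN" not in actions:
                continue
            if "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
            elif "android.intent.category.INFO" in cats:
                hidden_launcher = True
                findings.append("hidden-launcher: %s uses category INFO" % name)
    if not has_launcher and not hidden_launcher:
        findings.append("no-launcher: no MAIN/LAUNCHER activity, app has no icon")
    # Receivers that wire up SMS interception and boot persistence.
    for rcv in root.iter("receiver"):
        name = rcv.get(A + "name")
        for flt in rcv.iter("intent-filter"):
            actions = {x.get(A + "name") for x in flt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                findings.append("sms-receiver: %s priority=%s" % (name, flt.get(A + "priority")))
            if "android.intent.action.BOOT_COMPLETED" in actions:
                findings.append("boot-receiver: %s" % name)
    return {"permissions": perms, "findings": findings, "hidden_launcher": hidden_launcher}

# Constructed manifests modelled on the report's description, not the real sample.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dropper">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Bank Update">
    <activity android:name=".PermissionActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <provider android:name="androidx.core.content.FileProvider" android:authorities="com.example.dropper.provider"
              android:exported="false" android:grantUriPermissions="true"/>
  </application>
</manifest>"""
MAIN_PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="Bank">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.INFO"/>
    </intent-filter></activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999"><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".AutostartHelper" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("dropper", DROPPER_MANIFEST), ("main payload", MAIN_PAYLOAD_MANIFEST)):
        print(label, manifest_triage(xml)["findings"])
```

Run it against the AndroidManifest.xml produced by `apktool d sample.apk`. Class-name obfuscation does not defeat these checks because the action and category strings are fixed by the platform; what it will not catch is icon hiding done at runtime (disabling the launcher component with setComponentEnabledSetting), which is a separate pattern worth a dynamic check.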
Modular Class Functions
Within the malware, separate classes are implemented to execute specific malicious tasks. For instance, the Account class is responsible for harvesting user credentials, while the Debit class focuses on collecting debit card information. The AutostartHelper class ensures persistence by enabling the malware to restart automatically upon device boot.
Fig: Modular Class Functions
Data Theft
The main payload’s phishing page imitates the legitimate banking app’s login form, including basic input validation on the fields (length and format checks), so that it behaves like the real app and captures well-formed credentials rather than arousing suspicion with an unresponsive form.
Fig: User Input Validation
Debit Card Stealer
The debit card form validates that the CVV is exactly three digits, that the card number field is 19 characters long (consistent with a 16-digit number entered as four space-separated groups) and that the ATM PIN is four digits. If any check fails it displays a warning and stops, so only well-formed card data is passed on for exfiltration.
Fig: Debit Card Input Validation
Data Exfiltration
The payload stores a user ID locally as a key-value pair and, when exfiltrating, reads it back to build a Firebase Realtime Database reference keyed on that ID. The stolen debit card data is written under that reference, giving the operator a per-victim record in the database.
Fig: Debit Card Data Exfiltration
FCM-Based Command and Control
The malware embeds its Firebase project configuration (the kind of values a google-services setup generates: API key, app and project ID, sender ID and Realtime Database URL) and uses the Firebase SDK in both directions. Stolen data is written to the Realtime Database, and operator commands arrive as Firebase Cloud Messaging (FCM) push messages, so the command-and-control traffic blends in with legitimate Google endpoints and is unlikely to be blocked by domain reputation alone.
Fig: Command and Control
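Because the Firebase configuration is embedded in the APK, the backend can be pulled out of the decoded resources and turned into indicators. The script below is an added example, not CYFIRMA's tooling: it scans decoded strings.xml and decompiled source for the resource names the google-services plugin generates, for Realtime Database URLs and for Google API keys, recovers the project ID, and builds the REST URL used to test whether the database permits unauthenticated reads. All values in the embedded sample are constructed; the project name, API key and sender ID are invented. This serves both the exfiltration path (the per-victim Realtime Database reference) and the C2 configuration described above.

```python
import re
import urllib.request
import urllib.error

RTDB_URL = re.compile(r"https://[a-z0-9.-]+\.(?:firebaseio\.com|firebasedatabase\.app)")
GOOGLE_API_KEY = re.compile(r"AIza[0-9A-Za-z_-]{35}")  # Google API keys: 'AIza' + 35 chars
RES_STRING = re.compile(r'<string name="([^"]+)">([^<]*)</string>')
# Resource names written to strings.xml by the google-services Gradle plugin.
INTERESTING_RES = {"firebase_database_url", "google_api_key", "google_app_id",
                   "gcm_defaultSenderId", "project_id", "google_storage_bucket"}

def extract_firebase_config(texts):
    """texts: iterable of decoded file contents (strings.xml, .java, .smali). Returns IOCs."""
    cfg = {"database_urls": set(), "api_keys": set(), "resources": {}}
    for text in texts:
        cfg["database_urls"].update(RTDB_URL.findall(text))
        cfg["api_keys"].update(GOOGLE_API_KEY.findall(text))
        for name, value in RES_STRING.findall(text):
            if name in INTERESTING_RES:
                cfg["resources"][name] = value
    # Legacy RTDB hosts are <project-id>[-default-rtdb].firebaseio.com, so the
    # project id is recoverable from the URL even when strings.xml is absent.
    cfg["project_ids"] = {u.split("//")[1].split(".")[0].removesuffix("-default-rtdb")
                          for u in cfg["database_urls"] if u.endswith("firebaseio.com")}
    if "project_id" in cfg["resources"]:
        cfg["project_ids"].add(cfg["resources"]["project_id"])
    return cfg

def rtdb_probe_url(db_url):
    """REST endpoint for a shallow, unauthenticated read of the database root."""
    return db_url.rstrip("/") + "/.json?shallow=true"

def probe_rtdb(db_url, timeout=5):
    """Live check (not exercised offline): HTTP 200 means the security rules allow
    anonymous reads of the stolen data; 401 'Permission denied' means they are locked."""
    req = urllib.request.Request(rtdb_probe_url(db_url), headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(200)
    except urllib.error.HTTPError as err:
        return err.code, err.read(200)

# Constructed inputs: an invented project, key and sender id in the shape the plugin emits.
API_KEY = "AIzaSyEXAMPLEKEY" + "0" * 23          # 39 characters, not a real key
STRINGS_XML = f"""<resources>
    <string name="firebase_database_url">https://fakebank-c2-default-rtdb.firebaseio.com</string>
    <string name="gcm_defaultSenderId">123456789012</string>
    <string name="google_api_key">{API_KEY}</string>
    <string name="project_id">fakebank-c2</string>
</resources>"""
# A decompiled line hard-coding the same backend via FirebaseOptions.Builder instead.
SOURCE_JAVA = 'new FirebaseOptions.Builder().setDatabaseUrl("https://fakebank-c2-default-rtdb.firebaseio.com/")'

if __name__ == "__main__":
    cfg = extract_firebase_config([STRINGS_XML, SOURCE_JAVA])
    for url in sorted(cfg["database_urls"]):
        print("RTDB:", url, "->", rtdb_probe_url(url))
    print("project ids:", sorted(cfg["project_ids"]), "api keys:", sorted(cfg["api_keys"]))
```

The database URL, project ID and sender ID are the durable indicators here; a Firebase API key is not a secret by design, so treat it as an identifier for pivoting, not as a credential. Only call probe_rtdb from an analysis environment you are prepared to have the operator see in their logs, and within your rules of engagement; an open database is evidence for an abuse report to Google, not an invitation to read or modify victim data.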
Remote SMS Data Exfiltration
The malware registers for incoming SMS, captures each message together with its metadata, and uses Android’s SubscriptionManager (the active subscription list and each subscription’s slot index and number) to record which SIM slot and phone number received it, so that on the dual-SIM devices common in India the operator knows which number an OTP belongs to. The captured data is then exfiltrated to the remote backend.
Fig: SMS Data Stealing
Call Forwarding
The app parses the data fields of incoming FCM push messages and, when instructed, attempts to forward the victim’s incoming calls to an attacker-controlled number without consent, so that calls (including voice verification callbacks from the bank) reach the operator instead of the victim.
Fig: Call forwarding abuse logic
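The SMS interception, SIM enumeration, FCM command handling and call-forwarding behaviours above all leave recognisable API calls in decompiled code, which is the quickest way to confirm them in a new sample before running it. The following is an added capability scanner, not CYFIRMA's tooling: it greps jadx or apktool output line by line against a small rule set and reports each hit with file and line. The sample files it scans are constructed, and the call-forwarding rule assumes the common technique of dialing the GSM unconditional-forwarding MMI code (*21*number# or **21*number#) through ACTION_CALL; the report does not state how this sample performs the forwarding, so treat that rule as an analyst heuristic.

```python
import re

# (capability, pattern) pairs applied per source line. Patterns are platform
# API names or literal MMI codes, so renaming of app classes does not hide them.
RULES = [
    ("sms-intercept",   re.compile(r"SMS_RECEIVED|createFromPdu|getMessagesFromIntent|\"pdus\"")),
    ("sim-enumeration", re.compile(r"SubscriptionManager|getActiveSubscriptionInfo|getSimSlotIndex")),
    ("fcm-command",     re.compile(r"FirebaseMessagingService|onMessageReceived|RemoteMessage")),
    ("call-forward",    re.compile(r"\*\*?21\*|tel:%2A%2A21|setCallForwarding")),  # assumption: MMI-code dialing
    ("boot-persist",    re.compile(r"BOOT_COMPLETED")),
]

def scan_source(files):
    """files: {path: text}. Returns [(capability, path, lineno, stripped line)] for every rule hit."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for cap, rx in RULES:
                if rx.search(line):
                    hits.append((cap, path, lineno, line.strip()))
    return hits

def capabilities(files):
    """Set of capabilities present, for a quick verdict on a sample."""
    return {cap for cap, _, _, _ in scan_source(files)}

# Constructed decompiled fragments in the shape jadx emits; not the real sample's code.
SAMPLE = {
    "SmsReceiver.java": """
public void onReceive(Context ctx, Intent intent) {
    Object[] pdus = (Object[]) intent.getExtras().get("pdus");
    SmsMessage msg = SmsMessage.createFromPdu((byte[]) pdus[0]);
    int subId = intent.getIntExtra("subscription", -1);
    SubscriptionManager sm = SubscriptionManager.from(ctx);
    int slot = sm.getActiveSubscriptionInfo(subId).getSimSlotIndex();
    upload(msg.getOriginatingAddress(), msg.getMessageBody(), slot);
}""",
    "C2Service.java": """
public void onMessageReceived(RemoteMessage m) {
    String number = m.getData().get("fwd");
    Intent i = new Intent(Intent.ACTION_CALL, Uri.parse("tel:" + Uri.encode("**21*" + number + "#")));
    startActivity(i);
}""",
}

if __name__ == "__main__":
    for cap, path, lineno, line in scan_source(SAMPLE):
        print(f"{cap:16} {path}:{lineno}  {line}")
    print("capabilities:", sorted(capabilities(SAMPLE)))
```

Expect false positives from legitimate SMS apps and from any app bundling the FCM SDK; the point is the combination. An app whose manifest hides its launcher icon and whose code hits sms-intercept, sim-enumeration and fcm-command together is the profile this report describes, and that combination is what an analyst should key on rather than any single rule.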
DYNAMIC ANALYSIS
On execution, the dropper shows a fake update popup that steers the user into enabling the "Install unknown apps" setting for it, after which the main payload is installed outside the Play Store. The main payload then requests the SMS permissions and presents the phishing page that mimics the legitimate bank’s login screen.
EXTERNAL THREAT LANDSCAPE MANAGEMENT
On April 3, 2025, an APK sample impersonating a legitimate Indian banking application was observed, underscoring ongoing trends in mobile-based credential theft and financial fraud. Cybercriminals developing malicious banking apps often employ deceptive techniques to increase their success rates, using icons, app names, and user interfaces that closely resemble legitimate banking applications.
RECOMMENDATIONS
Strategic Recommendations
- Enforce Regulatory Compliance for Financial App Ecosystems: Financial institutions should adhere to stricter mobile application security standards, requiring regular security audits and proactive threat modeling.
- Launch Public Awareness Campaigns: Government and industry-backed campaigns should target mobile users to raise awareness about malicious APKs and the dangers of sideloading apps.
Tactical Recommendations
- Implement Threat Intelligence-Driven Filtering: Internet service providers should integrate real-time threat intelligence to block access to known malicious domains.
- Monitor and Takedown Malicious Infrastructure: Cybersecurity teams must actively hunt and report abuse of cloud platforms used for malicious payload hosting.
Operational Recommendations
- Deploy Mobile Endpoint Detection and Response Solutions: Organizations should implement solutions that can detect behaviors indicative of malware in real time.
- Restrict Installation of APKs from Unknown Sources: Mobile device policies should block sideloading by default; on managed Android devices this is the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction, which removes the "Install unknown apps" toggle that this dropper depends on.