A recently discovered malicious Android application has raised alarms within the cybersecurity community by masquerading as legitimate banking apps in India. This sophisticated malware is designed to facilitate credential theft, conduct surveillance, and execute unauthorized financial transactions, posing significant risks to users’ sensitive information.
The malware operates on a modular architecture, featuring a dropper and a primary payload. It employs deceptive user interfaces and silent installation techniques, exploiting extensive Android permissions to evade detection and maintain persistence on infected devices.
In-Depth Malware Analysis
Utilizing Firebase for its command-and-control (C2) operations, the malware generates phishing pages that closely resemble authentic banking interfaces. This strategy effectively deceives users into providing sensitive data, thereby compromising their security.
A static analysis of the dropper reveals a range of permissions it requests, including:
- ACCESS_NETWORK_STATE: Monitors connectivity to facilitate stealthy data exfiltration.
- REQUEST_INSTALL_PACKAGES: Prompts the installation of secondary APKs without user awareness.
- QUERY_ALL_PACKAGES: Profiles installed apps to specifically target banking software.
The dropper cleverly loads a hidden payload from its assets folder, writes it to external storage via FileProvider, and initiates installation using an INSTALL_NOW flag. This method allows it to bypass app store scrutiny and deploy itself in the background, reminiscent of tactics employed by advanced banking Trojans.
Upon deeper examination, the main payload requests additional permissions such as:
- READ_SMS, SEND_SMS, and RECEIVE_SMS: These permissions enable the interception and exfiltration of one-time passwords (OTPs) and two-factor authentication (2FA) codes.
- REQUEST_IGNORE_BATTERY_OPTIMIZATIONS: Ensures uninterrupted background execution.
- READ_PHONE_STATE and READ_PHONE_NUMBERS: Facilitate device fingerprinting, extraction of SIM data, and potential call forwarding abuse.
The payload operates discreetly, hiding from the app launcher by declaring its activity with the INFO category instead of the usual LAUNCHER category, so it runs silently without an icon. It employs modular classes for various malicious functions, including credential harvesting and card detail theft, while ensuring boot persistence through the RECEIVE_BOOT_COMPLETED permission.
Data exfiltration is conducted through Firebase Realtime Database, where user IDs and intercepted SMS metadata are stored. Local SharedPreferences are also utilized to keep key-value pairs for offline capture.
Dynamic analysis indicates that the dropper initiates with fake update popups, enticing users to enable ‘Install Unknown Apps.’ Subsequently, the payload requests SMS access and displays phishing pages that enforce input validation to appear legitimate.
Firebase Cloud Messaging (FCM) plays a crucial role in remote command execution, allowing unauthorized calls and real-time SMS monitoring. The embedded keys for sender ID, API, and storage buckets facilitate covert C2 operations. During investigations, the Firebase instance remained active but authentication-locked, highlighting its ongoing malicious use.
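The permission profile and icon-hiding trait described above can be checked mechanically during app vetting. The following is an added example, not code from the original analysis: it triages a decoded AndroidManifest.xml against the dropper and payload permission sets listed above and flags an activity that declares the INFO category without LAUNCHER. The sample manifest is constructed for illustration and is not the real sample's manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission sets the analysis above ties to the dropper and to the payload.
DROPPER_PERMS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",  # silent install of 2nd APK
    "android.permission.QUERY_ALL_PACKAGES",        # profile installed apps
}
PAYLOAD_PERMS = {
    "android.permission.READ_SMS",                  # OTP / 2FA interception
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",  # stays alive
    "android.permission.RECEIVE_BOOT_COMPLETED",    # boot persistence
    "android.permission.READ_PHONE_STATE",          # device / SIM fingerprint
    "android.permission.READ_PHONE_NUMBERS",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Flag the permission and icon-hiding traits described in the analysis."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # Icon hiding: an activity that declares the INFO category but no LAUNCHER
    # category is reachable to the system yet absent from the app drawer.
    hidden = False
    for activity in root.iter("activity"):
        cats = {c.get(ANDROID_NS + "name") for c in activity.iter("category")}
        if "android.intent.category.INFO" in cats and "android.intent.category.LAUNCHER" not in cats:
            hidden = True
    return {
        "dropper_traits": sorted(perms & DROPPER_PERMS),
        "payload_traits": sorted(perms & PAYLOAD_PERMS),
        "hidden_launcher": hidden,
    }

# Constructed sample manifest (not the real sample's) showing the payload traits.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application><activity android:name=".MainActivity"><intent-filter>
    <action android:name="android.intent.action.MAIN"/>
    <category android:name="android.intent.category.INFO"/>
  </intent-filter></activity></application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The manifest must already be decoded from the APK's binary XML (for example with apktool) before it is passed in.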
Evolving Threat Landscape
This malware, first observed on April 3, 2025, exemplifies the evolving trends in mobile financial fraud. Cybercriminals are increasingly cloning app icons, names, and user interfaces to mislead users into granting high-risk permissions for OTP theft and 2FA bypass.
Delivery methods for this malware are diverse, including:
- Smishing via fake SMS links
- Email phishing with embedded APKs
- WhatsApp bots
- Vishing calls posing as bank support
- SEO-poisoned fake websites
- Malvertising in apps
- Trojanized utilities like QR scanners
- QR/NFC attacks in public spaces
- Preloaded malware on counterfeit devices
- Abuse of accessibility services and similar platform weaknesses
This evasive banking Trojan underscores the critical need for layered defenses. Strategies should include user education on permission risks, rigorous app vetting processes, and anomaly detection within financial ecosystems to effectively combat such persistent threats.
Indicators of Compromise (IOCs)
| Indicator | Type | Remarks |
|---|---|---|
| ee8e4415eb568a88c3db36098b7ae8019f4efe565eb8abd2e7ebba1b9fb1347d | SHA-256 | Base payload or dropper |
| 131d6ee4484ff3a38425e4bc5d6bd361dfb818fe2f460bf64c2e9ac956cfb13d | SHA-256 | Main payload |