Malicious Android Apps Mimicking Popular Indian Banking Apps Steal Login Credentials

Attackers are exploiting India’s growing reliance on digital financial services by distributing counterfeit Android applications that copy the interfaces and icons of both public-sector and private banks. The campaign was first seen in telemetry logs on April 3, 2025; it lures victims through smishing texts, QR codes and search-engine manipulation into sideloading the malicious packages.

On first run, a lightweight dropper extracts its real payload into the app’s private storage and then shows a forged update dialog that mimics a legitimate software update. Analysts from Cyfirma reported that within 48 hours of the initial discovery, over 7,000 devices had attempted to connect to the same Firebase Cloud Messaging (FCM) endpoint, showing how far the campaign had already spread.

At the heart of the scheme lies permission abuse. The malware requests REQUEST_INSTALL_PACKAGES so that it can hand its second-stage APK to the package installer outside the Play Store, sidestepping Play Protect’s store-side vetting; READ_SMS to capture one-time passwords (OTPs); and QUERY_ALL_PACKAGES to enumerate every installed application, which tells it which banking app to target with an overlay.

Silent Main APK Installer (Source – Cyfirma)

The installer presents a deceptive user interface that harvests phone numbers, 4-digit MPINs and 3-digit CVVs and uploads them straight to a private Firebase Realtime Database. With the credentials in hand, the malware silently diverts voice verification by dialling the GSM call-forwarding code *21*<attacker number>#, which enables unconditional call forwarding to the attacker’s number (the forwarding state can be queried on the handset with *#21# and cleared with ##21#).

To maintain persistence, the malware employs a BOOT_COMPLETED receiver and requests to ignore battery optimizations, ensuring that the malicious process continues to operate even after device reboots or aggressive power management measures. Security experts caution that such tactics can lead to complete account takeovers within mere minutes.

Infection Mechanism

The dropper conceals its secondary APK, app-release.apk, in the assets directory, copies it out at runtime and hands it to the system package installer through a FileProvider content URI. The core logic fits in a few lines of Kotlin (garbled constant names restored, streams closed, imports added):

import android.content.Intent
import androidx.core.content.FileProvider
import java.io.File

// Copy the embedded payload out of assets into app-private storage.
val apk = File(filesDir, "app-release.apk")
assets.open("app-release.apk").use { input ->
    apk.outputStream().use { output -> input.copyTo(output) }
}
// Expose the file to the package installer through the dropper's own FileProvider authority.
val uri = FileProvider.getUriForFile(this, "$packageName.provider", apk)
startActivity(Intent(Intent.ACTION_VIEW).apply {
    setDataAndType(uri, "application/vnd.android.package-archive")
    addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
    putExtra("INSTALL_NOW", true) // the dropper's own extra, not a platform installer flag
})

Once the intent fires, the system PackageInstaller takes over (INSTALL_NOW is the dropper’s own extra, not a platform flag), and the new payload hides itself by declaring its main activity with CATEGORY_INFO rather than CATEGORY_LAUNCHER, so no launcher icon appears. After a reboot an AutostartHelper restarts the services, and a SubscriptionManager call maps active SIM slots to their phone numbers so that every intercepted SMS is tagged with the correct sender before the JSON is exfiltrated through FCM.
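The traits described above (the permission combination, the icon-less main activity, the BOOT_COMPLETED receiver, the bundled APK handed to the package installer and the call-forwarding USSD literal) are all visible statically. The following Python is an added triage example written for this page, not Cyfirma’s tooling or code from the malware; it parses a decoded AndroidManifest.xml plus a list of string constants and reports the indicators. The manifest, package name, component names and strings are constructed to resemble the dropper and are not from a real sample; on a real APK you would decode it first (for example with apktool) and feed in the decoded manifest and the strings pulled from the dex.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A_NAME = ANDROID_NS + "name"

# Each permission is legitimate on its own; the combination is what matters here.
SUSPECT_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can push a bundled APK to the package installer",
    "android.permission.READ_SMS": "can read OTP messages",
    "android.permission.RECEIVE_SMS": "can intercept OTPs on arrival",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed banking apps for overlays",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart after reboot",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "can dodge background kill",
    "android.permission.CALL_PHONE": "can dial USSD codes without a dialer prompt",
}
CORE_COMBO = {
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.READ_SMS",
    "android.permission.QUERY_ALL_PACKAGES",
}

# GSM unconditional call forwarding: *21*<number># activates, **21*<number># registers.
# '#' becomes %23 inside a tel: URI. The number is often appended at runtime, so the
# bare "*21*" prefix is matched too; the query (*#21#) and erase (##21#) codes are not.
USSD_FORWARD_RE = re.compile(r"\*{1,2}21\*(?:\+?\d{6,15}(?:#|%23))?")
APK_MIME = "application/vnd.android.package-archive"


def parse_manifest(xml_text):
    """Extract permissions, icon-less MAIN activities, boot receivers and provider authorities."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    hidden_main = []  # MAIN action without a LAUNCHER category -> no launcher icon
    for act in root.iter("activity"):
        for flt in act.findall("intent-filter"):
            actions = {a.get(A_NAME) for a in flt.findall("action")}
            cats = {c.get(A_NAME) for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" not in cats:
                hidden_main.append((act.get(A_NAME), sorted(cats)))
    boot_receivers = [
        r.get(A_NAME) for r in root.iter("receiver")
        if any(a.get(A_NAME) == "android.intent.action.BOOT_COMPLETED" for a in r.iter("action"))
    ]
    providers = [p.get(ANDROID_NS + "authorities") for p in root.iter("provider")]
    return {"permissions": perms, "hidden_main": hidden_main,
            "boot_receivers": boot_receivers, "providers": providers}


def triage(xml_text, strings):
    """Return a list of findings; entries prefixed HIGH are the family-specific ones."""
    m = parse_manifest(xml_text)
    findings = [f"permission {p}: {why}" for p, why in SUSPECT_PERMISSIONS.items()
                if p in m["permissions"]]
    if CORE_COMBO <= m["permissions"]:
        findings.append("HIGH: install + SMS + package-enumeration permission combo")
    for name, cats in m["hidden_main"]:
        findings.append(f"HIGH: MAIN activity {name} declares {', '.join(cats) or 'no'} category, not LAUNCHER (no icon)")
    for r in m["boot_receivers"]:
        findings.append(f"persistence: BOOT_COMPLETED receiver {r}")
    if APK_MIME in strings and any(s.endswith(".apk") for s in strings):
        via = f" via FileProvider {m['providers']}" if m["providers"] else ""
        findings.append(f"HIGH: bundled APK handed to PackageInstaller{via}")
    for s in strings:
        if USSD_FORWARD_RE.search(s):
            findings.append(f"HIGH: call-forwarding USSD literal {s!r}")
    return findings


# Constructed sample shaped like the dropper described above (not a real sample's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.INFO"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AutostartHelper">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name="androidx.core.content.FileProvider"
        android:authorities="com.example.fakebank.provider"/>
  </application>
</manifest>"""
# Constructed string constants, as if pulled from the decompiled dex.
SAMPLE_STRINGS = ["app-release.apk", APK_MIME, "tel:*21*", "%23", "https://example.invalid/rtdb"]

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS):
        print(line)
```

A benign app with a normal LAUNCHER activity and ordinary permissions produces no HIGH findings, so the output is usable as a first-pass filter before manual review of the APK.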

