Mobile Malware Targeting Indian Banks Exposes 50,000 Users

by CybrGPT

A sophisticated mobile malware campaign targeting Indian banks has compromised nearly 50,000 users by intercepting SMS messages, stealing banking credentials and exposing personal data.

Large-Scale Mobile Attack

zLabs researchers analyzed nearly 900 malware samples and found a coordinated effort to exploit Android devices. The malware, categorized as a banker Trojan, masquerades as a legitimate banking or government app and spreads through WhatsApp as an APK file. Once installed, it requests sensitive information, including:

  • Aadhaar and PAN card details

  • Credit and debit card information

  • ATM PIN and mobile banking credentials

The malware uses live phone numbers to forward SMS messages – a deviation from conventional command-and-control (C2) techniques.

zLabs has identified around 1000 phone numbers involved in the campaign and has shared them with local authorities.


Data Exposure and Attack Methods

The researchers also discovered 222 Firebase storage buckets containing 2.5GB of sensitive data, including bank messages, financial credentials and government IDs. Exposed user data was found in unsecured endpoints, making it accessible to unauthorized individuals.

The malware employs three primary attack methods:

  • SMS forwarding: Redirecting stolen messages to attacker-controlled numbers

  • Firebase exfiltration: Sending stolen SMS to a Firebase C2 server

  • Hybrid: Using both methods to exfiltrate one-time passcodes (OTPs) and messages

“The reliance on one-time passcodes, delivered via SMS, underscores a critical weakness in multi-factor authentication,” warned Jason Soroko, a senior fellow at Sectigo.

“OTPs are inherently vulnerable to interception and redirection, making them an insufficient defense against sophisticated attacks. This incident is a stark reminder that modern security demands stronger, more resilient MFA methods beyond the NIST-deprecated SMS-based approach.”

Over 1000 malicious applications have been analyzed, with evidence of code obfuscation and hardcoded exfiltration points.
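As an added illustration of the three exfiltration methods listed above and the hardcoded exfiltration points mentioned here, the following defender-side triage heuristic (an added example, not zLabs' tooling) scans strings recovered from a decoded APK for SMS permissions, hardcoded Indian phone numbers and Firebase endpoints, and labels the sample with the method they suggest. The sample inputs, project names and phone numbers are constructed, not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field

# Permissions that give an app access to incoming SMS (OTP interception) and
# the one it needs to forward them onward by SMS.
SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND_PERM = "android.permission.SEND_SMS"

# Indian mobile numbers: optional +91 prefix, first digit 6-9, ten digits total.
PHONE_RE = re.compile(r"(?<!\d)(?:\+91)?([6-9]\d{9})(?!\d)")
# Firebase Realtime Database / Storage endpoints that can serve as a C2 drop.
FIREBASE_RE = re.compile(
    r"(?:[\w-]+\.firebaseio\.com|[\w-]+\.appspot\.com|firebasestorage\.googleapis\.com)")


@dataclass
class TriageResult:
    method: str  # none | sms-forwarding | firebase-exfiltration | hybrid
    phone_numbers: set = field(default_factory=set)
    firebase_hosts: set = field(default_factory=set)
    permissions: set = field(default_factory=set)


def triage(strings):
    """Classify decoded APK strings by the SMS exfiltration method they suggest."""
    res = TriageResult(method="none")
    for s in strings:
        if s.startswith("android.permission."):
            res.permissions.add(s)
        res.phone_numbers.update(PHONE_RE.findall(s))
        res.firebase_hosts.update(FIREBASE_RE.findall(s))
    if not res.permissions & SMS_READ_PERMS:
        return res  # cannot read SMS at all; a phone number alone is not evidence
    forwards = SMS_SEND_PERM in res.permissions and bool(res.phone_numbers)
    firebase = bool(res.firebase_hosts)
    if forwards and firebase:
        res.method = "hybrid"
    elif forwards:
        res.method = "sms-forwarding"
    elif firebase:
        res.method = "firebase-exfiltration"
    return res


# Constructed samples, resembling `strings` output over a decoded APK.
SAMPLE_HYBRID = [
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.INTERNET",
    "forward_to=+919876543210",
    "https://demo-project-xyz.firebaseio.com/sms.json",
    "Your OTP is %s. Do not share it.",
]
SAMPLE_BENIGN = ["android.permission.INTERNET", "Support: +919876543210"]

if __name__ == "__main__":
    for name, sample in (("hybrid", SAMPLE_HYBRID), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample).method)
```

In practice the input would come from `strings` or apktool output over the APK; the heuristic only flags candidates for analyst review, since a legitimate app can hold both SMS permissions and a Firebase project.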

Analysis of the attackers’ SIM locations traced most phone numbers to West Bengal, Bihar and Jharkhand, accounting for 63% of the total. Additionally, bank-related SMS messages were extracted to identify targeted financial institutions. Attackers used fake app icons to impersonate well-known Indian banks and government schemes, boosting credibility and reach.

Defense Against Threats

“These sophisticated malicious apps underscore the importance of safeguarding oneself against mobile threats,” commented Ray Kelly, a fellow at Black Duck.

“Users should never install apps through unverified third-party sources, as they cannot be trusted and may contain malware. To reduce risk, apps should only be downloaded from the official Google Play Store, which includes security measures like Play Protect to detect harmful software.”

Additionally, enterprises should deploy advanced mobile security solutions with real-time, on-device security using machine learning and behavioral analysis to detect threats before they compromise user data.

© 2025 cybrgpt.com – All rights reserved.