Fake Banking Rewards Apps Install Info-stealing RAT on Android Phones

The Microsoft 365 Defender Research Team has published its findings on a new variant of a previously documented info-stealing Android malware, noting that threat actors keep widening their attack capabilities.

Research Findings

According to Microsoft's researchers, the malware is delivered through a currently active SMS campaign and is disguised as a banking rewards application. The campaign primarily targets customers of Indian banks. It begins with the threat actors sending out messages containing a URL that lures the recipient into downloading the malware.

Once the user opens it, the app shows a splash screen bearing the bank's logo and then asks the user to grant it certain permissions.

The infection chain starts with an SMS message asking the recipient to claim a reward from an Indian bank. The message contains a malicious link that redirects the user to download a fake banking rewards application. Microsoft detects this app as TrojanSpy:AndroidOS/Banker.O.

The app's C2 server is linked to 75 other malicious APKs, a connection established through open-source intelligence. The research team also identified several other campaigns targeting Indian bank customers, including:


The investigation centred on icici_rewards.apk, which presents itself as ICICI Rewards. The malicious link in the SMS message installs the APK on the recipient's mobile device. After installation, a splash screen displaying the bank's logo asks the user to grant the app certain permissions.

[Figure: fake bank SMS with a malicious link; the malicious app asking for permissions; the malicious app asking for user data]

Malware Analysis

According to Microsoft's blog post, what sets this new version apart is the addition of RAT (remote access trojan) capabilities. The malware is also heavily obfuscated. Its RAT capabilities let attackers intercept important device notifications, such as incoming messages, and attempt to capture the 2FA messages the user needs to access banking and financial apps.

The malware can steal all SMS messages and other data such as OTPs (one-time passwords) and PII (personally identifiable information), which attackers can then use to steal further sensitive data, including from the victim's email accounts.

The malware runs in the background, using the MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid components to carry out its activities and to keep them running, which maintains persistence on the device.

MainActivity (the launcher activity) runs first: it displays the splash screen and then calls its OnCreate() method, which checks the device's internet connection. It also records the malware's installation timestamp. Permission_Action issues the permission requests and then calls AutoStartService, the malware's main handler, and login_kotak.
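As an added example (not code from Microsoft's analysis or from the malware itself), the Python script below triages a decoded AndroidManifest.xml for the profile described above: SMS permissions, a BOOT_COMPLETED receiver for persistence across reboots, and a notification-listener service for intercepting OTP notifications. The two manifests are constructed for illustration; the package names and the NotificationGrabber service are hypothetical, and the other component names are modelled on those mentioned above rather than copied from the real sample.

```python
# Added example: static triage of a decoded AndroidManifest.xml for the
# SMS-stealing / boot-persistence / notification-interception profile.
# Not code from Microsoft's analysis or from the malware; manifests below
# are constructed for illustration.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """ElementTree exposes namespaced attributes as '{uri}local'."""
    return f"{{{ANDROID_NS}}}{name}"


SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the matched signals and a coarse risk rating for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(android_attr("name")) for p in root.iter("uses-permission")}
    app = root.find("application")
    components = app if app is not None else root

    # Receivers woken on BOOT_COMPLETED: the reboot-persistence pattern.
    boot_receivers = [
        recv.get(android_attr("name"))
        for recv in components.iter("receiver")
        if any(act.get(android_attr("name")) == BOOT_ACTION
               for act in recv.iter("action"))
    ]
    # A bound notification listener can read incoming SMS/OTP notifications
    # even when the SMS permissions themselves are absent.
    notif_services = [
        svc.get(android_attr("name"))
        for svc in components.iter("service")
        if svc.get(android_attr("permission")) == NOTIF_LISTENER_PERM
    ]

    hits = sum([
        bool(perms & SMS_PERMS),
        BOOT_PERM in perms and bool(boot_receivers),
        bool(notif_services),
    ])
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "boot_receivers": boot_receivers,
        "notification_listener_services": notif_services,
        "risk": "high" if hits >= 2 else "medium" if hits == 1 else "low",
    }


# Constructed manifest mimicking the profile described in the write-up
# (hypothetical package name; component names modelled on the write-up).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rewards">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Rewards">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".AutoStartService"/>
    <service android:name=".NotificationGrabber"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".RestartBroadCastReceiverAndroid">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary app with no SMS access or persistence.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The manifest inside a real APK is binary XML, so decode it first (for example with apktool or aapt2) and feed the resulting text to triage_manifest(). The rating is deliberately coarse: a legitimate SMS app will also carry the SMS permissions, so the combination with boot persistence and a notification listener is what should prompt a closer look, not any single signal.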

[Figure: SMS campaign attack flow]

"This malware's continuing evolution highlights the need to protect mobile devices. Its broader SMS-stealing capabilities might allow attackers to use the stolen data to further steal from a user's other banking apps. Its ability to intercept one-time passwords (OTPs) sent over SMS thwarts the protections provided by banks' two-factor authentication mechanisms, which users and institutions rely on to keep their transactions safe." – Microsoft 365 Defender Research Team

To mitigate the threat, Android users should keep the Unknown Sources option disabled to prevent app installation from unverified sources, and they should rely on reputable mobile security solutions to detect malicious apps.
