Fake Banking Rewards Apps Install Info-stealing RAT on Android Phones

The malware campaign is ongoing and one of its targets was ICICI bank in India.

Microsoft 365 Defender Research Team has published its findings on a new version of a previously reported info-stealer Android malware, highlighting that threat actors continuously evolve their attack spectrum.

Research Findings

According to Microsoft researchers, the malware is delivered in a currently active SMS campaign and masqueraded as a banking rewards app. The campaign’s primary targets are Indian bank customers. It starts with threat actors sending out messages containing a URL that basically lures the recipient into downloading the malware.

Upon user interaction, it displays a splash screen with the bank logo and proceeds to ask the user to enable specific permissions for the app.

The infection chain starts with an SMS message requesting the recipient to claim a reward from an Indian bank. This message contains a malicious link redirecting the user to downloading a fake banking rewards application. This app is detected as: “TrojanSpy:AndroidOS/Banker.O”

The app’s C2 server is linked to 75 different malicious APKs, all of which are based on open-source intelligence. The research team identified many other campaigns targeting Indian bank customers, including:

  • Icici_points.apk
  • Icici_rewards.apk
  • SBI_rewards.apk
  • Axisbank_rewards.apk

Their research revolved around icici_rewards.apk, represented as ICICI Rewards. The malicious link inside the SMS message installs the APK on the recipient’s mobile device. After installation, a splash screen displaying the bank logo asks the user to enable specific permissions for the app.

Fake Banking Rewards Apps Install Info-stealing RAT on Android devices
Fake bank SMS with a malicious link – Malicious app asking for permission – Malicious app asking for user data

Malware Analysis

According to Microsoft’s blog post, what makes this new version different is the inclusion of additional RAT (remote access trojan) capabilities. Moreover, this malware is highly obfuscated. Its RAT capabilities allow attackers to intercept critical device notifications, for instance, incoming messages, and also try to capture 2FA messages that the user needs to access banking/financial apps.

The malware can steal all SMS messages and other data, such as OTP (one-time-password) PII (personally identifiable information), to help steal sensitive information for email accounts.

The malware runs in the background, using MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid features to carry out its routines and ensures these keep running to maintain persistence on the mobile device.

The MainActivity (launcher activity) is launched first to display the splash screen and then calls OnCreate() method for checking the device’s internet connection. It also records the malware installation timestamp. Permission_Activity launched permission requests and later called AutoStartService, the malware’s main handler, and login_kotak.

SMS campaign attack flow

This malware’s continuing evolution highlights the need to protect mobile devices. Its wider SMS stealing capabilities might allow attackers to the stolen data to further steal from a user’s other banking apps. Its ability to intercept one-time passwords (OTPs) sent over SMS thwarts the protections provided by banks’ two-factor authentication mechanisms, which users and institutions rely on to keep their transactions safe.

Microsoft 365 Defender Research Team

To mitigate the threat, Android device users should disable the Unknown Sources option to prevent app installation from unverified sources. And they must rely on credible mobile security solutions to detect malicious apps.

  1. SpyNote Trojan (RAT); Yet Another Bad News for Android Users
  2. BRATA Android malware factory resets phones after stealing funds
  3. New MaliBot Android Malware Found Stealing Personal, Banking Data
  4. Fake Netflix, WhatsApp, Facebook Android Apps Contain SpyNote RAT
  5. New Russian Android Malware Tracks GPS Location and Spies on Victims
Related Posts