Shielding Against Android Phishing in Indian Banking

Authored by Neil Tyagi and Fernando Ruiz

In a digitally evolving world, the convenience of banking through mobile applications has revolutionized financial transactions. However, this advancement has also opened doors to a lesser-known adversary: Android phishing. Join us as we delve into the clandestine realm of cyber threats targeting India’s banking sector.

This blog uncovers the nuances of an Android phishing/banking trojan application identified as Android/Banker.AFX which illustrates a common procedure from cybercriminals designed to drain the bank accounts of their victims:

First, it broadcasts phishing messages via WhatsApp and lures users to install an app that carries malicious code hidden as a verification tool. Once installed, the banking trojan can collect personal and financial information and intercept SMS messages with the objective of stealing one-time passwords or verification codes that are required to complete transactions which may lead to stealing the banking account assets.

This trojan is just a variant and example of multiple banking trojan implementations recently observed in the wild that carry similar risks, which is not technically sophisticated but might be very effective and prevalent especially when it’s widely distributed on social media. McAfee Mobile Security protects broadly and generically against this type of banking trojans.

This blog explores the insidious tactics, alarming trends, and preventive measures against the rising tide of phishing attacks plaguing Android users in India’s financial landscape.

Distribution Method: Messaging platforms

The initial lure is an alarming WhatsApp message prompting the user to download an Android Package (APK) to complete a mandatory verification procedure carried out by financial institutions known as Know Your Customer (KYC) else the account would be blocked.

A sense of urgency is created for the user by warning him that the account will be blocked if he doesn’t install the APK and provide the necessary information to complete the KYC form.

These seemingly innocent prompts, meticulously crafted by cybercriminals, possess a cunning sophistication that mirrors the legitimate communication channels of banking institutions. They prey upon human curiosity, fear, and desire, tricking users into taking immediate actions that, at first glance, seem innocuous but have far-reaching consequences.

Installation and execution

Since the app installer is triggered by Whatsapp, the installation by default should be blocked by Android unless the user previously allowed the installation of unknown apps from this source.

A warning is displayed after taping on the APK icon:

However, if users ignore the warning, they may deactivate this important security feature with just two clicks:

Now Android OS warns about the risk of allowing the installation of unknown apps from WhatsApp. However, many users allow this option, which poses a high risk of infection.

Once the Trojan is installed, the victims will get the financial institution icon on their Android app list:

After installation, it abuses the icon of SBI to confuse the user.

Opening for the first time, it asks for SMS-related permissions.

The application’s landing page is similar to the net banking page of Real SBI. This phishing site is locally loaded from the malware into a WebView.

The application asks for the user’s username, password, and phone number.

The Captcha used here is static. It does not change ever because all content is hardcoded locally.

As part of the KYC validation lure process, the malware collects sensitive user information such as:

  • Full Name, Date of Birth
  • Account, CIF, PAN, and Aadhar Numbers
  • Credit card information

After the victim inputs all the information, they are presented with a fake KYC validation code, which makes it look like a genuine procedure and the user might not be suspicious about the app or the process.

Additionally, this banking trojan intercepts SMS messages and abuses Firebase to communicate with attackers. During the analysis the malware transmitted all collected information including credit card information to:

wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb

According to the static analysis, any received SMS message would also be exfiltrated to the attackers’ servers via the opened socket communication since the app has granted SMS reading permissions at the first execution. This is implemented to extract any OTP required to complete transactions of the victim.

Exfiltrated credit card information from the local static site loaded by the malware abuses the  Cordova framework. Credit card information, along with all collected information, is transmitted to the attackers using Firebase, a legitimate service that’s also abused by criminals.

Static Analysis

  • This malware requires common permissions however it’s important to highlight that RECEIVE_SMS is a very dangerous permissions that should only be granted to apps that are related to messaging that you trust. If apps installed from third-party sources require it, it’s a red flag:
    • INTERNET
    • REQUEST_INSTALL_PACKAGES
    • RECEIVE_SMS
    • ACCESS_NETWORK_STATE
  • Information collected by the phishing site:
    • username
    • password
    • phone number
    • date of birth
    • account number
    • CIF number
    • pan number
    • debit card number
    • CVV number
    • atm pin
  • The main package goes by the name of hello.uwer.hello.hello.google.is.the.best, which contains the MainActivity for APK: The First oncreate function prompts for SMS read permission from the user, and when the user gives the permission, the user is greeted with the message “thank you -Team SBI” or “We can’t verify until you allow -Team Bank”

    • The read message permission is required to monitor any incoming messages, preferably OTPs, so those can be forwarded to the attacker to gain access to the account, bypassing any OTP-based 2-factor authentications.
    • All incoming messages are saved to the database and later forwarded to the attacker.

 

    • The Firebase configuration is stored in the APK along with the API key.

 

    • Debit/credit card information is being submitted using Firebase.

 

  • The user’s Aadhar number, CIF (customer information file), and user information are collected and submitted to Firebase.

Telemetry And Safety by Mcafee

  • McAfee Mobile Security proactively protects against this threat as Android/Banker.AXF!ML.
  • McAfee has prevented over 360 device infections of Android/Banker.AXF!ML in the last 30 days. India underscores the acute threat posed by this banking malware within the country’s digital landscape, with a few hits found elsewhere in the world, possibly from Indian SBI users Living in Other Countries.

Android/Banker.AXF!ML infections around the world: India is the target.

  • The proactive stance taken by McAfee against Android/Banker.AXF!ML underscores its commitment to shielding users from the ever-evolving landscape of Android-based phishing and banking threats, emphasizing the importance of robust cybersecurity measures in safeguarding the integrity of personal financial data.

Conclusion

Banking trojans are not new or sophisticated but they are a persistent threat due to the lucrative business that poses for malware authors which can lure many victims who are unaware of the risk of phishing. As these campaigns can be massive even if a small percentage of targeted victims fall the criminals can have a large loot.

Cybercriminals are constantly improving their social engineering tricks to lure users into phishing and malware. The first line of defense against these threats is the user’s awareness. We recommend:

  • Avoid installing apps from third-party sources, especially apps received by messaging apps.
    • Do not activate “install unknown apps” option on social media apps.
  • Do not trust or click on messages received from untrusted sources on social media.
  • For banking apps stick to the official website and official app stores
  • If possible, use a reliable antivirus solution such as McAfee Mobile Security which generically protects against these types of threats.

McAfee Antivirus emerges as a formidable ally in the battle against Android phishing within India’s banking sector. With its robust suite of security features tailored for mobile devices, McAfee stands as a bulwark, providing critical defense mechanisms against the ever-mutating landscape of cyber threats.

Indicators of Compromise

Hash Package
7cfc6360e69d22b09a28c940caf628959d11176e27b8a03e15b020b369569415 hello.uwer.hello.hello.google.is.the.best
b067f5903e23288842ad056d4b31299b3b30052abe69bee236136b2b9fcab6a8 hello.uwer.hello.hello.google.is.the.best
e2e097ef433be75dcab830baa4b08feb4a24267c46b568fd4aef00dbb081ed8f hello.uwer.hello.hello.google.is.the.best
9f046f769760d52a97680a91fd511f1e86c428b9eec27d7eb486b7b4d0666f0b hello.uwer.hello.hello.google.is.the.best
1c69b0a69ed1631a1f1b54627a9b5dac3b214a275280de36d05ee75021cbfb04 hello.uwer.hello.hello.google.is.the.best
495ab4efd3d1ec9bfc2d08d80df316aad20dc76e625374627fabea06f5151584 hello.uwer.hello.hello.google.is.the.best
6190144b56e06af8aeeeba2104a665a555d01f6ec2a22ba78212d943ac2b258d hello.uwer.hello.hello.google.is.the.best
6c6ea9fbeae967fb53ab9984edda9b754fb6d3f85b4ff5b14e1fd33399362ba4 hello.uwer.hello.hello.google.is.the.best

 

Abused Firebase host : Wss[:]//s-usc1a-nss-2003.firebaseio.com/.ws?v=5&ns=zero-a4c52-default-rtdb

 

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS

More from McAfee Labs

Back to top