A new version of Android malware has been discovered that is being distributed through an SMS campaign in India. This malware is disguised as a banking rewards program and steals sensitive user information by posing as a remote access trojan. The malware is able to intercept all incoming SMS messages, including two-factor authentication messages used by financial institutions, which can be used to access even more private information. This highlights the evolving nature of mobile threats and the need for users to be vigilant and cautious when clicking on unknown links.
The Attack Flow
Our investigation into the latest Android malware that steals user information through a reward points scam began when we received an SMS message with a malicious link. Upon clicking the link, we downloaded a fake banking rewards app that was disguised as a legitimate app. This malware, known as TrojanSpy:AndroidOS/Banker.O, had a different bank name and logo than other similar malware we encountered in 2021. Further research uncovered that the malware’s command and control server was linked to 75 other malicious APKs. Some of these APKs even shared the same logo as the fake app, suggesting that the attackers are constantly creating new versions to sustain their campaign.
This article highlights our investigation into the latest iteration of Android malware that targets customers of Indian banks through a rewards scam. The malware is spread through SMS messages containing a link to a fake banking rewards app. Our examination focused on one such app named “ICICI Rewards” which has the package name “com.example.test app.”
We advise consumers not to click on links from unknown sources, and to only download apps from official app stores. It is also recommended to consult with your bank about their digital security solutions. The SMS campaign attempts to lure users with the claim of a reward from a reputable Indian bank.
The malicious app, disguised as a legitimate banking rewards program, begins when the user clicks on a link received through an SMS message. After being downloaded, the app presents a splash screen featuring the logo of a well-known Indian bank, in this case ICICI, to trick the user into granting necessary permissions.
However, the app then requests sensitive information such as credit card details, which is unusual for a rewards program. This should raise red flags for the user and prompt them to question the app’s true motives.
Despite this suspicious behavior, the malware tries to further deceive the user by presenting a second fake screen with additional instructions.
To prevent the spread of this new Android spyware, it’s essential for consumers to be cautious when installing apps and clicking on links from unknown sources. This spyware operates through an ongoing SMS campaign and poses as a banking rewards program from Indian banks, tricking users into downloading a malicious app. Once installed, it requests sensitive information such as credit card details and has the ability to intercept one-time passwords (OTPs) supplied over SMS.
The malware’s main function is initiated under the name com.example.test app.MainActivity. It acts as the first activity launched after installation, displaying a fake ICICI splash screen. The MainActivity then triggers the Permission Activity to start requesting permissions, and the OnCreate() method to check the device’s internet connection and record the time of the malware’s installation. Once permissions are granted, the Permission Activity triggers the AutoStartService and the class login Kotak.
The login Kotak class is responsible for stealing the user’s credit card information. It displays a fake credit card input screen while it waits for commands from the attacker and temporarily stores the stolen information in the device.
The continuously evolving nature of this malware highlights the significance of protecting mobile devices. Its ability to intercept one-time passwords sent via SMS undermines the security provided by banks’ two-factor authentication procedures, leaving users vulnerable to theft from other banking apps. The use of logos from various banks and financial institutions may also attract future targets.
Android’s open nature makes it easy for attackers to install malicious software. To prevent this, it is important to be cautious when installing apps and clicking on links in messages. It is recommended to only download and install software from official app stores and to keep the option to install apps from unknown sources disabled on Android devices.