Fake Indian Banking Apps on Android Steal Login Credentials from Users
A malicious Android application has been uncovered, impersonating legitimate Indian banking apps to orchestrate credential theft, surveillance, and unauthorized financial transactions.
This malware employs a modular architecture featuring a dropper and a primary payload, leveraging deceptive user interfaces, silent installation techniques, and extensive abuse of Android permissions to evade detection and ensure persistence.
In-Depth Malware Analysis
Operating through Firebase for command-and-control (C2) operations, it deploys phishing pages that mimic authentic banking interfaces, tricking users into divulging sensitive data.
Static analysis of the dropper reveals permissions such as ACCESS_NETWORK_STATE for monitoring connectivity to facilitate stealthy data exfiltration, REQUEST_INSTALL_PACKAGES for prompting installations of secondary APKs without user awareness, and QUERY_ALL_PACKAGES for profiling installed apps to target banking software specifically.

The dropper loads a hidden payload from its assets folder, writes it to external storage via FileProvider, and initiates installation using an INSTALL_NOW flag, bypassing app store scrutiny and ...
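As an added triage example (not code from the article or the malware), the following script parses a decoded AndroidManifest.xml and flags the permission set and FileProvider declaration the analysis above attributes to the dropper; the sample manifest, package name and authority string are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes are namespaced; android:name becomes {ns}name in ElementTree
NAME = "{http://schemas.android.com/apk/res/android}name"

# Permission set the article ties to the dropper's behaviour
DROPPER_PERMISSIONS = {
    "android.permission.ACCESS_NETWORK_STATE",      # connectivity checks before exfiltration
    "android.permission.REQUEST_INSTALL_PACKAGES",  # prompt installs of a second APK
    "android.permission.QUERY_ALL_PACKAGES",        # enumerate installed (banking) apps
}

def manifest_indicators(manifest_xml: str) -> dict:
    """Return dropper-style indicators declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(NAME) for el in root.iter("uses-permission")}
    providers = {el.get(NAME) or "" for el in root.iter("provider")}
    return {
        "package": root.get("package"),
        "permissions": permissions & DROPPER_PERMISSIONS,
        # a FileProvider is how the dropper hands the staged APK to the installer
        "file_provider": any(p.endswith(".FileProvider") for p in providers),
    }

def triage(manifest_xml: str) -> tuple:
    """Score 0-4 (one point per matching permission, one for a FileProvider) with reasons."""
    ind = manifest_indicators(manifest_xml)
    reasons = sorted(f"declares {p}" for p in ind["permissions"])
    if ind["file_provider"]:
        reasons.append("exposes a FileProvider (APK hand-off to the package installer)")
    return len(reasons), reasons

# Constructed sample manifest (not taken from the malware) matching the dropper profile
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank.dropper">
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Bank Update">
    <provider android:name="androidx.core.content.FileProvider"
        android:authorities="com.example.fakebank.dropper.files" android:exported="false"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    score, reasons = triage(SAMPLE_MANIFEST)
    print(f"{manifest_indicators(SAMPLE_MANIFEST)['package']}: score {score}/4")
    for r in reasons:
        print(" -", r)
```

A high score is a prompt for manual review of the assets folder and installer flow, not a verdict on its own, since legitimate updaters also declare REQUEST_INSTALL_PACKAGES.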
Copyright of this story belongs solely to gbhackers.