Malicious Apps Disguised as Banks and Government Agencies Target Android Users in India

Android Users in India

Android smartphone users in India are the target of a new malware campaign that uses social engineering lures to install rogue apps capable of harvesting sensitive data.

“Using social media platforms such as WhatsApp and Telegram, attackers send messages designed to trick users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities,” Microsoft threat intelligence researchers Abhishek Pustakala, Harshita Tripathi, and Shivang Desai SAYS in an analysis on Monday.

The ultimate goal of the operation is to obtain banking details, payment card information, account credentials, and other personal data.

Attack chains include sharing malicious APK files through social media messages sent on WhatsApp and Telegram by falsely presenting them as banking apps and inducing a sense of urgency through on the claim that the bank accounts of the targets will be blocked unless they update their permanent account number (PAN). ) issued by the Indian Income Tax Department through mini app.

Upon installation, the app prompts the victim to enter their bank account information, debit card PIN, PAN card numbers, and online banking credentials, which will be forwarded to the command-and-control actor. control (C2) server and a hard-coded phone number.


“When all the requested details are submitted, a suspicious note appears stating that the details are verified to update KYC,” the researchers said.

“The user is instructed to wait 30 minutes and not delete or uninstall the app. Additionally, the app has a function to hide its icon, causing it to disappear from the home screen of the user’s device while still running in the background.”

Another noteworthy aspect of the malware is that it asks the user to give it permission to read and send SMS messages, thus enabling it to intercept one-time passwords (OTPs) and send messages to victim to the actor’s phone number via SMS.

Variants of the banking trojan discovered by Microsoft have also been found to steal credit card details along with personally identifiable information (PII) and incoming SMS messages, exposing unsuspecting users. of financial fraud.

However, it is worth noting that for these attacks to be successful, users must be given the option to install apps from unknown sources outside of the Google Play Store.

Android Users in India

“Mobile banking trojan infections can pose significant risks to personal information, privacy, device integrity, and financial security,” the researchers said. “These threats often disguise themselves as legitimate apps and deploy social engineering tactics to achieve their goals and steal users’ sensitive data and financial assets.”

The development comes as the Android ecosystem is also under attack from the SpyNote trojan, which has targeting Roblox users under the guise of a mod to absorb sensitive information.

In another instance, fake adult websites were used as baits to lure users into downloading Android malware called Enchant that specifically focuses on extorting data from cryptocurrency wallets.

“The Enchant malware uses the accessibility service feature to target specific cryptocurrency wallets, including imToken, OKX, Bitpie Wallet, and TokenPocket wallets,” Cyble SAYS in a recent report.

“Its main purpose is to steal critical information such as wallet addresses, mnemonic words, wallet asset details, wallet passwords, and private keys from compromised devices.”


Last month, Doctor Web no cover several malicious apps in the Google Play Store that display intrusive ads (HiddenAds), subscribe users to premium services without their knowledge or consent (Joker), and promote scams investment by masquerading as trading software (FakeApp).

Android malware attack prompts Google to issue new security features like real-time code-level scanning for newly found apps. It was also launched restricted settings with Android 13 prohibiting apps from gaining access to critical device settings (for example, accessibility) unless it is explicitly enabled by the user.

It’s not just Google. Samsung, in late October 2023, revealed a new Auto Blocker option that prevents app installations from sources other than the Google Play Store and Galaxy Store, and blocks harmful commands and software installations through the USB port.

To avoid downloading malicious software from Google Play and other trusted sources, users are advised to check the legitimacy of app developers, check reviews, and check permissions requested by apps .

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment