A series of fake banking apps are making the rounds in India, mimicking trusted institutions to steal credentials and, ultimately, money.
The scale of the campaign is impressive, featuring nearly 900 different malware samples tied to around 1,000 different phone numbers used to perpetrate the fraud. Researchers from Zimperium observed all those malware couched in apps that mimic billion-dollar financial institutions, designed to target regular people across India.
Banking Fraud in East India
Across India, regular people have been receiving WhatsApp messages carrying malicious Android Package Kit (APK) files. Once downloaded, these APKs open into fake apps mimicking one of more than a dozen banks, including most of the largest in India: HDFC Bank, ICICI Bank, the State Bank of India (SBL), and others.
Source: Zimperium
The apps ask victims to submit their most sensitive financial information, including their mobile banking credentials, credit and debit card numbers, ATM PINs, Permanent Account Number (PAN) Card — used for various financial and government purposes, like paying taxes or opening a bank account — and Aadhar Card, and equivalent to a Social Security number (SSN).
To allow the attackers to log into victims’ bank accounts, the malware intercepts one-time passwords sent via SMS, and redirects them either to an attacker-controlled phone number, or a command-and-control (C2) server running on Firebase.
The malware also sports stealth and anti-analysis measures, like “packing,” where the malware is compressed, encrypted, and obfuscated to the point of illegibility. It can install itself invisibly by taking advantage of accessibility services, and obtain all conceivable permissions on users’ devices by simply prodding a user to thoughtlessly hit “Allow” when it asks nicely.
“Since you don’t see the app, it’s not easy to uninstall it,” explains Nico Chiaraviglio, chief scientist at Zimperium. “And then you [have to deal with the] higher permissions. So if you want to uninstall the app, the device will say you cannot install it because it’s a system app. You basically need to connect the phone to a computer and uninstall it using the Android Debug Bridge (ADB). It’s not something that you can do from a regular user’s standpoint.”
Why Fraud Works in India
Phone numbers tied to the campaign lovingly named “FatBoyPanel” have tended to concentrate in eastern states: West Bengal (30.2%), Bihar (22.6%), Jharkjand (10%).
That FatBoyPanel seems to be going so well, Chiaraviglio thinks, comes down to a couple of obvious factors. First: older, outdated phones are common in East India, and, “If you want to run some sort of exploit, it’s easier to do on older devices,” he says.
“It’s also widely known that there are a lot of scammers in India,” he adds. In this campaign, “They are targeting some specific apps, and this basically tells you that the attackers are Indians, and that they know the market that they are working in.”
One thing surprised him, he says: “We publish a report every year on banking Trojans, and we see most of them targeting many different countries at the same time. It’s very uncommon that we see a campaign that is only targeting one country.”
Source link
#Basket #Bank #Trojans #Defraud #Citizens #East #India
