Android smartphone users in India are the target of a new malware campaign that employs social engineering lures to install fraudulent apps that are capable of harvesting sensitive data.
“Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities,” Microsoft threat intelligence researchers Abhishek Pustakala, Harshita Tripathi, and Shivang Desai said in a Monday analysis.
The ultimate goal of the operation is to capture banking details, payment card information, account credentials, and other personal data.
The attack chains involve sharing malicious APK files via social media messages sent on WhatsApp and Telegram by falsely presenting them as banking apps and inducing a sense of urgency by claiming that the targets’ bank accounts will be blocked unless they update their permanent account number (PAN) issued by the Indian Income Tax Department through the bogus app.
Upon installation, the app urges the victim to enter their bank account information, debit card PIN, PAN card numbers, and online banking credentials, which are subsequently transmitted to an actor-controlled command-and-control (C2) server and a hard-coded phone number.
“Once all the requested details are submitted, a suspicious note appears stating that the details are being verified to update KYC,” the researchers said.
“The user is instructed to wait 30 minutes and not to delete or uninstall the app. Additionally, the app has the functionality to hide its icon, causing it to disappear from the user’s device home screen while still running in the background.”
Another notable aspect of the malware is that it requests the user to grant it permission to read and send SMS messages, thereby enabling it to intercept one-time passwords (OTPs) and send the victims’ messages to the threat actor’s phone number via SMS.
Variants of the banking trojan discovered by Microsoft have also been found to steal credit card details along with personally identifiable information (PII) and incoming SMS messages, exposing unsuspecting users to financial fraud.
However, it’s worth noting that for these attacks to be successful, users will have to enable the option to install apps from unknown sources outside of the Google Play Store.
“Mobile banking trojan infections can pose significant risks to users’ personal information, privacy, device integrity, and financial security,” the researchers said. “These threats can often disguise themselves as legitimate apps and deploy social engineering tactics to achieve their goals and steal users’ sensitive data and financial assets.”
The development comes as the Android ecosystem has also come under attack from the SpyNote trojan, which has targeted Roblox users under the guise of a mod to siphon sensitive information.
In another instance, fake adult websites are being used as lures to entice users into downloading an Android malware called Enchant that specifically focuses on pilfering data from cryptocurrency wallets.
“Enchant malware uses the accessibility service feature to target specific cryptocurrency wallets, including imToken, OKX, Bitpie Wallet, and TokenPocket wallet,” Cyble said in a recent report.
“Its primary objective is to steal critical information such as wallet addresses, mnemonic phrases, wallet asset details, wallet passwords, and private keys from compromised devices.”
Last month, Doctor Web uncovered several malicious apps on the Google Play Store that displayed intrusive ads (HiddenAds), subscribed users to premium services without their knowledge or consent (Joker), and promoted investment scams by masquerading as trading software (FakeApp).
The onslaught of Android malware has prompted Google to announce new security features such as real-time code-level scanning for apps that have not been previously scanned before. It also launched restricted settings with Android 13 that prohibits apps from obtaining access to critical device settings (e.g., accessibility) unless it’s explicitly enabled by the user.
It’s not just Google. Samsung, in late October 2023, unveiled a new Auto Blocker option for Galaxy devices that prevents app installations from sources other than Google Play Store and Galaxy Store, and blocks harmful commands and software installations through the USB port.
To avoid downloading malicious software from Google Play and other trusted sources, users are advised to check the legitimacy of the app developers, scrutinize reviews, and vet the permissions requested by the apps.
Following the publication of the story, a Google spokesperson shared the following statement with The Hacker News –
Users are protected by Google Play Protect, which is enabled by default and warns users or blocks apps known to exhibit malicious behavior on Android devices with Google Play Services, even when those apps come from sources outside of Play. Google implemented protections for TrojanSpy:AndroidOS/SpyBanker.Y in December 2022 and for Trojan:AndroidOS/Banker.U in September 2023.