A New Android Banking Trojan Masquerades as Utility and Banking Apps in India

Authored by Dexter Shin

Through the years, cyber threats concentrating on Android units have turn into extra refined and protracted. Lately, McAfee Cellular Analysis Crew found a brand new Android banking trojan concentrating on Indian customers. This malware disguises itself as important companies, akin to utility (e.g., fuel or electrical energy) or banking apps, to get delicate data from customers. These kind of companies are very important for day by day life, making it simpler to lure customers. We’ve got beforehand noticed malware that masquerades as utility companies in Japan. As seen in such instances, utility-related messages, akin to warnings that fuel service will disconnect quickly until the invoice is checked, could cause vital alarm and immediate quick motion from the customers.

We’ve got recognized that this malware has contaminated 419 units, intercepted 4,918 SMS messages, and stolen 623 entries of card or bank-related private data. Given the lively malware campaigns, these numbers are anticipated to rise. McAfee Cellular Safety already detects this risk as Android/Banker. For extra data, go to McAfee Cellular Safety

Phishing by way of messaging platforms like WhatsApp

As of 2024, India is the nation with the very best variety of month-to-month lively WhatsApp customers. This makes it a main goal for phishing assaults. We’ve beforehand launched one other Banker distributed by way of WhatsApp. Equally, we suspect that the pattern we lately discovered additionally makes use of messaging platforms to succeed in particular person customers and trick them into putting in a malicious APK. If a consumer installs this APK, it’ll permit attackers to steal the sufferer’s monetary information, thereby undertaking their malicious purpose.

Determine 1. Scammer messages reaching customers by way of Whatsapp (supply: reddit)

Contained in the malware

The malware we first recognized was pretending to be an app that allowed customers to pay their fuel payments. It used the brand of PayRup, a digital fee platform for public service charges in India, to make it look extra reliable to customers.

Determine 2. Malware disguised as fuel payments digital fee app

As soon as the app is launched and the permissions, that are designed to steal private information akin to SMS messages, are granted, it asks the consumer for monetary data, akin to card particulars or checking account data. Since this malware pretends to be an app for paying payments, customers are more likely to enter this data to finish their funds. On the financial institution web page, you may see main Indian banks like SBI and Axis Financial institution listed as choices.

Determine 3. Malware that requires monetary information

If the consumer inputs their monetary data and tries to make a fee, the information is shipped to the command and management (C2) server. In the meantime, the app shows a fee failure message to the consumer.

Determine 4. Fee failure message displayed however information despatched to C2 server

One factor to notice about this app is that it might probably’t be launched instantly by the consumer by way of the launcher. For an Android app to seem within the launcher, it must have “android.intent.class.LAUNCHER” outlined inside an within the AndroidManifest.xml. Nonetheless, since this app doesn’t have that attribute, its icon doesn’t seem. Consequently, after being put in and launched from a phishing message, customers might not instantly notice the app remains to be put in on their gadget, even when they shut it after seeing messages like “Financial institution Server is Down”, successfully maintaining it hidden.

Determine 5. AndroidManifest.xml for the pattern

Exploiting Supabase for information exfiltration

In earlier experiences, we’ve launched varied C2 servers utilized by malware. Nonetheless, this malware stands out resulting from its distinctive use of Supabase, an open-source database service. Supabase is an open-source backend-as-a-service, much like Firebase, that gives PostgreSQL-based database, authentication, real-time options, and storage. It helps builders rapidly construct functions with out managing backend infrastructure. Additionally, it helps RESTful APIs to handle their database. This malware exploits these APIs to retailer stolen information.

Determine 6. App code utilizing Supabase

A JWT (JSON Net Token) is required to make the most of Supabase by way of its RESTful APIs. Curiously, the JWT token is uncovered in plain textual content throughout the malware’s code. This supplied us with a singular alternative to additional examine the extent of the information breach. By leveraging this token, we have been capable of entry the Supabase occasion utilized by the malware and acquire priceless insights into the dimensions and nature of the information exfiltration.

Determine 7. JWT token uncovered in plaintext

Throughout our investigation, we found a complete of 5,558 data saved within the database. The primary of those data was dated October 9, 2024. As beforehand talked about, these data embody 4,918 SMS messages and 623 entries of card data (quantity, expiration date, CVV) and financial institution data (account numbers, login credentials like ID and password).

Determine 8. Examples of stolen information

Uncovering variants by bundle prefix

The preliminary pattern we discovered had the bundle identify “gs_5.buyer”. By means of investigation of their database, we recognized 8 distinctive bundle prefixes. These prefixes present crucial clues concerning the potential rip-off themes related to every bundle. By analyzing the bundle names, we are able to infer particular traits and sure focus areas of the assorted rip-off operations.

Primarily based on the bundle names, it appears that evidently as soon as a rip-off theme is chosen, no less than 2 totally different variants are developed inside that theme. This variability not solely complicates detection efforts but additionally will increase the potential attain and influence of their rip-off campaigns.

Cellular app administration of C2

Primarily based on the data uncovered up to now, we discovered that the malware actor has developed and is actively utilizing an app to handle the C2 infrastructure instantly from a tool. This app can ship instructions to ahead SMS messages from the sufferer’s lively telephones to specified numbers. This functionality differentiates it from earlier malware, which generally manages C2 servers by way of net interfaces. The app shops varied configuration settings by way of Firebase. Notably, it makes use of Firebase “Realtime Database” quite than Firestore, seemingly resulting from its simplicity for fundamental information retrieval and storage.

Determine 9. C2 administration cell software

Conclusion

Primarily based on our analysis, we now have confirmed that 419 distinctive units have already been contaminated. Nonetheless, contemplating the continuous improvement and distribution of latest variants, we anticipate that this quantity will steadily enhance. This development underscores the persistent and evolving nature of this risk, emphasizing the necessity for cautious commentary and versatile safety methods.

As talked about originally of the report, many scams originate from messaging platforms like WhatsApp. Due to this fact, it’s essential to stay cautious when receiving messages from unknown or unsure sources. Moreover, given the clear emergence of varied variants, we advocate utilizing safety software program that may rapidly reply to new threats. Moreover, by using McAfee Cellular Safety, you may bolster your protection towards such refined threats.

Indicators of Compromise (IOCs)

APKs:

Domains:

• https[://]luyagyrvyytczgjxwhuv.supabase.co

Firebase:

• https[://]call-forwarder-1-default-rtdb.firebaseio.com

Introducing McAfee+

Identification theft safety and privateness on your digital life

Obtain McAfee+ Now