Social engineering attacks lure Indian users to install Android banking trojans
Microsoft Security Blog, November 20, 2023 (updated July 3, 2024)
https://www.microsoft.com/en-us/security/blog/2023/11/20/social-engineering-attacks-lure-indian-users-to-install-android-banking-trojans/

Microsoft has observed ongoing activity from mobile banking trojan campaigns targeting users in India with social media messages designed to steal users’ information for financial fraud. Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations, such as banks, government services, and utilities. Once installed, these fraudulent apps exfiltrate various types of sensitive information from users, which can include personal information, banking details, payment card information, account credentials, and more.

While not a new threat, mobile malware infections pose significant risks to mobile users, including unauthorized access to personal information, financial loss from fraudulent transactions, loss of privacy, degraded device performance as malware consumes system resources, and data theft or corruption. In the past, we observed similar banking trojan campaigns sending malicious links that led users to download malicious apps, as detailed in our blog Rewards plus: Fake mobile banking rewards apps lure users to install info-stealing RAT on Android devices.

The current active campaigns have pivoted to sharing malicious APK files directly to mobile users located in India. Our investigation focused on two malicious applications that falsely present themselves as official banking apps. Spoofing and impersonating legitimate banks, financial institutions, and other official services is a common social engineering tactic for information-stealing malware. Importantly, legitimate banks themselves are not affected by these attacks directly, and the existence of these attacks is not related to legitimate banks’ own authentic mobile banking apps and security posture. That said, cybercriminals often target customers of large financial institutions by masquerading as a legitimate entity. This threat highlights the need for customers to install applications only from official app stores, and to be wary of false lures as we see in these instances.

In this blog, we shed light on the ongoing mobile banking trojan campaigns impacting various sectors by analyzing the attacks of two fraudulent apps targeting Indian banking customers. We also detail some of the additional capabilities of malicious apps observed in similar campaigns and provide recommendations and detections to defend against such threats. As our mobile threat research continuously monitors malware campaigns in an effort to combat attackers’ tactics, tools, and procedures (TTPs), we notified the organizations being impersonated by these fake app campaigns. Microsoft is also reporting on this activity to bring increased awareness to the threat landscape as mobile banking trojans and credential phishing fraud continue to persist, prompting an urgent call for robust and proactive defense strategies.

Case 1: Fake banking app targeting account information

We discovered a recent WhatsApp phishing campaign through our telemetry that led to banking trojan activity. In this campaign, the attacker shares a malicious APK file through WhatsApp with a message asking users to enter sensitive information in the app. The widely circulated fake banking message states “Your [redacted] BANK Account will be Blocked Today please update your PANCARD immediately open [redacted]-Bank.apk for update your PANCARD. Thank You.” and includes an APK file named [redacted]-BANK[.]apk.

Figure 1. A fake WhatsApp message sent to a user asking them to update KYC using the shared APK file.

Upon investigation, we discovered that the APK file was malicious and that interacting with it installs a fraudulent application on the victim device. The installed app impersonates a legitimate bank located in India and disguises itself as the bank’s official Know Your Customer (KYC) application to trick users into submitting their sensitive information, despite this particular banking organization not being affiliated with an official KYC-related app. This information is then sent to a command and control (C2) server, as well as to the attacker’s hard-coded phone number used in SMS functionality.

Figure 2. The attack flow of this campaign.

What users see

Upon installation, the fake app displays a bank icon posing as a legitimate bank app. Note that the app we analyzed is not an official bank app from the Google Play Store, but a fake app that we’ve observed being distributed through social media platforms.

The initial screen then proceeds to ask the user to enable SMS-based permissions. Once the user allows the requested permissions, the fake app displays the message “Welcome to [redacted] Bank fast & Secure Online KYC App” and requests users to sign in to internet banking by entering their mobile number, ATM pin, and PAN card details.

Figure 3. Once installed on a device, the fake app asks users to allow SMS permissions and to sign in to internet banking and submit their mobile number, ATM pin, and PAN card to update KYC.

After clicking the sign-in button, the app displays a verification prompt asking the user to enter the digits on the back of their banking debit card in grid format for authentication—a common security feature used as a form of multifactor authentication (MFA), where banks provide debit cards with 2-digit numbers in the form of a grid on the back of the card. Once the user clicks the authenticate button, the app claims to verify the shared details but fails to retrieve data, instead moving on to the next screen requesting additional user information. This can trick the user into believing that the process is legitimate, while remaining unaware of the malicious activity launching in the background.

Figure 4. The fake app’s authentication process asks the user to enter the correct digits as presented on their debit card.

Next, the user is asked to enter their account number followed by their account credentials. Once all the requested details are submitted, a suspicious note appears stating that the details are being verified to update KYC. The user is instructed to wait 30 minutes and not to delete or uninstall the app. Additionally, the app has the functionality to hide its icon, causing it to disappear from the user’s device home screen while still running in the background.

Figure 5. The fraudulent app steals the user’s account number and credentials and hides its icon from the home screen.

Technical analysis

To start our investigation and as part of our proactive research, we located and analyzed the following sample:

SHA-256:       6812a82edcb49131a990acd88ed5f6d73da9f536b60ee751184f27265ea769ee
Package name:  djhgsfjhfdgf[.]gjhdgsfsjde[.]myappl876786ication

We first examined the app’s AndroidManifest file, which declares the app’s permissions and its components (activities, services, broadcast receivers, and content providers), some of which can run in the background without requiring user interaction. We discovered that the malware requests two runtime permissions (also known as dangerous permissions) from users:

Permission     Description
Receive_SMS    Intercepts SMS messages received on the victim’s device
Send_SMS       Allows the application to send SMS messages

The image below displays the requested Receive_SMS and Send_SMS permissions, the activities, receivers, and providers used in the application, and the launcher activity, which loads the application’s first screen.

Figure 6. AndroidManifest.xml file
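To make the manifest check above repeatable, here is an added Python triage script (not Microsoft's tooling and not code from the sample) that parses an AndroidManifest.xml and reports the indicators this sample shows: the permissions the page calls Receive_SMS and Send_SMS (android.permission.RECEIVE_SMS and SEND_SMS in the manifest) requested together, receivers registered for SMS_RECEIVED, and the launcher activity. The manifest it runs on is constructed; its package and class names are placeholders.

```python
"""Triage an AndroidManifest.xml for the SMS-stealing pattern described above.
Added example, not Microsoft's tooling: it flags RECEIVE_SMS requested together
with SEND_SMS, receivers registered for SMS_RECEIVED, and the launcher activity.
The manifest below is constructed; its package and class names are placeholders."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS          # namespaced attribute key for android:name
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
LAUNCHER = "android.intent.category.LAUNCHER"


def triage_manifest(xml_text: str) -> dict:
    """Return the SMS-related indicators declared in a manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # Receivers whose intent filter listens for incoming SMS broadcasts.
    sms_receivers = [r.get(NAME) for r in root.iter("receiver")
                     if any(a.get(NAME) == SMS_RECEIVED for a in r.iter("action"))]
    # The launcher activity is the first screen: the fake KYC form in this sample.
    launcher = next((a.get(NAME) for a in root.iter("activity")
                     if any(c.get(NAME) == LAUNCHER for c in a.iter("category"))), None)
    flags = []
    if {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"} <= perms:
        flags.append("RECEIVE_SMS+SEND_SMS: can read OTPs and forward them over SMS")
    if sms_receivers:
        flags.append("SMS_RECEIVED receiver: intercepts incoming messages")
    return {"package": root.get("package"),
            "sms_permissions": sorted(p for p in perms if p.endswith("_SMS")),
            "sms_receivers": sms_receivers, "launcher": launcher, "flags": flags}


# Constructed manifest mirroring the sample's declarations (placeholder names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="placeholder.fakebank.kyc">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a manifest pulled from a decoded APK (for example the output of apktool); a self-described banking or KYC app that trips both flags warrants a closer look.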

Source code review

Main activity

The main activity, djhgsfjhfdgf[.]gjhdgsfsjde[.]myappl876786ication[.]M1a2i3n4A5c6t7i8v9i0t0y987654321, executes once the app is launched and shows as the first screen of the application. The onCreate() method of this class requests permissions for Send_SMS and Receive_SMS and displays a form to complete the KYC application with text fields for a user’s mobile number, ATM pin, and PAN card. Once the user’s details are entered successfully, the collected data is added to a JSON object and sent to the attacker’s C2 at: https://biogenetic-flake.000webhostapp[.]com/add.php

The app displays a note saying “Data added successfully”. If the details are not entered successfully, the form fields will be empty, and an error note will be displayed.

Figure 7. Launcher activity page, asking the user to sign in with their mobile number, ATM pin, and PAN card.

Additionally, the malware collects data and sends it via SMS to the attacker’s phone number specified in the code.

Figure 8. Collected data sent to the attacker’s mobile number as an SMS.

Stealing SMS messages and account information

The malware collects incoming SMS messages from the victim’s device using the newly granted Receive_SMS permission. These incoming messages may contain one-time passwords (OTPs) that can be used to bypass MFA and steal money from the victim’s bank account. Using the Send_SMS permission, the victim’s messages are then sent to the attacker’s C2 server (https[:]//biogenetic-flake[.]000webhostapp[.]com/save_sms[.]php?phone=) and to the attacker’s hardcoded phone number via SMS.

Figure 9. Steals incoming SMS to send to the attacker’s C2 and mobile number via SMS.

The user’s bank account information is also targeted for exfiltration—once the user submits their requested account number and account credentials, the malware collects the data and similarly sends it to the attacker’s C2 server and hard-coded phone number.

Figure 10. Collecting the user’s account number to send to the attacker.

Figure 11. Collecting the user’s account credentials to send to the attacker.

Hiding app icon

Finally, the app has the functionality to hide its icon from the home screen and run in the background.

Figure 12. Hides app icon from home screen.

Case 2: Fake banking app targeting payment card details

Similar to the first case, the second case involves a fraudulent app that deceives users into providing personal information. Unlike the first case, the banking trojan in the second case is capable of stealing credit card details, putting users at risk of financial fraud. User information targeted by the fraudulent app to be sent to the attacker’s C2 includes: