Phishing campaign delivers Android banking malware for fraudulent transactions

September 1, 2024
Phishing Campaign Android Banking Malware Fraud Scammers Threat Alert

During a routine investigation, Red Team observed a phishing campaign tricking potential victims, offering banking services such as card activation, blocking of cards, reward point redemption, credit card limit increase, and more.

The phishing website intends to spread Android malware via targeted campaigns, which could potentially be distributed to users via various communication channels such as SMS, Messaging Apps, or social engineering techniques.

It has been observed in similar campaigns that cyber criminals use phishing sites to host the malicious Android apk. They have planned infrastructure (Anonymous Domain Registrar & Bulletproof Hosting) in such a way that it can be easy to host phishing sites in bulk and also helps expose minimal fingerprints for the researchers & law enforcement to trace them easily.

Modus Operandi

  1. The potential victim is tricked into installing the Android malware by the attacker.
  2. Once the user has installed the application and is given the required permissions by the mobile app, the attacker further asks the user to fill out a series of sensitive personal & banking information in the mobile app.
    Following are the input fields mobile app:
    – Aadhar Number
    – Address
    – CVV
    – Cardholder’s Name
    – Card Number
    – Date of Birth
    – Email
    – Mobile Number
    – Full Name
    – Outstanding Credit Limit
    – PAN Number, Reference
    – Total Credit Limit
    – Card Expiry Month and Year
  3. After collecting this information, the user is encouraged to keep the mobile app on the device for further verification to receive the promised rewards or other enticing benefits.
  4. The application has already obtained permission to read and view the device messages. Along with the submitted banking details, the attacker has all the necessary information to initiate the fraudulent transaction by asking for the user’s OTP.

Static Analysis of Malicious Android Application

We further tried to reverse the malicious Android application to understand its features and malicious behaviour. The following is a detailed analysis of the mobile APK.

  1. APK Identity & Signature: The mobile application UI (User Interface) used the official logo & name of the targeted banking entity.
  2. Suspicious Permission: The mobile application is suspected of asking for SEND & VIEW SMS messages, which attackers use to steal user device text messages, such as OTPs and transactions.
    Upon execution, the following are the permissions requested by the mobile application:
    Post Notifications: The app can post notifications to keep you informed about important updates, messages, or alerts.
    Access External Storage: The app can read data from external storage, including photos, documents, or other files stored on your device.
    Read SMS Messages: The app can access and read SMS messages stored on your phone or SIM card. Malicious applications could misuse this permission to read your private messages without your knowledge.
    Receive and Process SMS Messages: The app can receive and process incoming messages. Malicious apps with this permission could monitor your messages or even delete them without displaying them.

  3. Data Exfiltration: C2 (Command & Control) Communication
    The mobile application is communicating with a Command and Control (C2) server, which sends user device data to their database.
    The C2 server was created on August 22, 2024, at 11:05:23 AM (UTC). The server features a login page and a sign-up page; however, the sign-up functionality appears non-operational. This C2 server likely has a database to store the data collected from the app.


    Given this, it’s essential to know that the server’s operators might store and misuse your personal information. Always exercise caution when dealing with suspicious applications and report any potentially harmful software to the relevant authorities.
    Indicator of Compromise (IOC):
    Domain: my.rewardzpoints.com/
    Domain: deskboardapp.com
    IP: 162.241.123.15
    IP: 162.241.123.153
    SHA256: b67ad9bd87e12f9521f461f7a06c77125969e4ce86a32618cf63a2878112b46d

Final Words

Attackers exploit users’ greed for rewards, luring them into sharing sensitive information without verifying the app’s legitimacy. Combined with well-crafted social engineering tactics, attackers can make illegal financial transactions. To protect against such threats, we strongly advise citizens to avoid downloading any third-party applications from untrusted sources and sharing sensitive information with unknown entities on third-party websites.

Stay vigilant and stay safe.

About the author

Leave a Reply