Fake Indian Banking Rewards Apps Targeting Android Users with Info-stealing Malware

An SMS-based phishing campaign is targeting customers of Indian
banks with information-stealing malware that masquerades as a
rewards application.

The Microsoft 365 Defender Research Team said that the messages
contain links that redirect users to a sketchy website that
triggers the download of the fake banking rewards app for ICICI
Bank.

“The malware’s RAT capabilities allow the attacker to intercept
important device notifications such as incoming messages, an
apparent effort to catch two-factor authentication (2FA) messages
often used by banking and financial institutions,” researchers
Shivang Desai, Abhishek Pustakala, and Harshita Tripathi said[1].

Additionally, the malware is equipped with the ability to steal
SMSes, potentially enabling the attacker to swipe 2FA codes sent as
text messages and gain unauthorized access to victim accounts.

Like other social engineering attacks, familiar brand logos and
names are used in the smishing message as well as the rogue app in
a bid to give an illusion of legitimacy and trick the users into
installing the apps.

The attacks are also a continuation of an ongoing campaign[2]
that has distributed similar rewards-themed apps for other Indian
banks such as the State Bank of India (SBI) and Axis Bank in the
past.

Once installed, the fraudulent app not only asks for extensive
permissions, but also requests users to enter their credit/debit
card information as part of a supposed sign-in process, while the
trojan waits for further instructions from the attacker.

These commands allow the malware to harvest system metadata and
call logs, intercept phone calls, and steal credentials for
email accounts such as Gmail, Outlook, and Yahoo.
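
For defenders triaging a suspicious "rewards" APK, the capabilities described above can be checked against what the app declares in its decoded (text) AndroidManifest.xml. This is an added example, not code from the Microsoft report: the capability-to-permission mapping, the threshold, and the sample manifest (package `com.example.rewards`) are assumptions constructed for illustration, since the article does not list the exact permissions requested.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: capability named in the article -> Android permissions enabling it.
CAPABILITY_PERMISSIONS = {
    "read SMS (2FA codes)": {"android.permission.READ_SMS",
                             "android.permission.RECEIVE_SMS"},
    "intercept notifications": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "harvest call logs": {"android.permission.READ_CALL_LOG"},
    "intercept phone calls": {"android.permission.PROCESS_OUTGOING_CALLS",
                              "android.permission.ANSWER_PHONE_CALLS"},
}

# Constructed sample manifest, not taken from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rewards">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

def declared_permissions(manifest_xml):
    """Collect permissions from <uses-permission> and from <service> bindings."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A notification listener is declared as a <service> guarded by a bind
    # permission, so it never appears in a <uses-permission> element.
    perms |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    perms.discard(None)
    return perms

def risky_capabilities(manifest_xml):
    perms = declared_permissions(manifest_xml)
    return sorted(c for c, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)

def verdict(manifest_xml, threshold=2):
    """Flag for manual review when several sensitive capabilities are combined."""
    caps = risky_capabilities(manifest_xml)
    return ("review" if len(caps) >= threshold else "ok"), caps

if __name__ == "__main__":
    print(verdict(SAMPLE_MANIFEST))
```

A rewards or coupon app has no functional need for SMS, call-log, and notification access together, which is why the combination rather than any single permission drives the verdict.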

“This malware’s continuing evolution highlights the need to
protect mobile devices,” the researchers said. “Its wider SMS
stealing capabilities might allow attackers to [use] the stolen data to
further steal from a user’s other banking apps.”

References

  1. said (www.microsoft.com)
  2. ongoing campaign (blog.cyble.com)
