
Nearly 1000 malicious apps found targeting Indian Android users


Photo: Primakov / Shutterstock.com

Researchers at Zimperium have discovered a widespread malicious campaign targeting Android users in India. The campaign uses over 1,000 malicious apps together with live phone numbers to which intercepted text messages are forwarded. So far, around 1,000 such phone numbers used to harvest user information have come to light, and the researchers have identified 900 malware samples associated with the campaign, mainly aimed at customers of Indian banks.

The researchers attribute the attacks to a single threat actor. Analysis of the collected samples shows shared code structures, user interface elements, and app logos, suggesting that the apps originate from a common codebase and a single entity.

Zimperium also found over 220 publicly accessible Firebase storage buckets holding 2.5 GB of sensitive information, including SMS messages from banks, government ID data, and card and banking details. Estimates put the number of compromised users at around 50,000.


These apps also contain hard-coded phone numbers that receive the exfiltrated OTPs and SMS messages. Tracing the hard-coded numbers leads to specific regions of India, such as West Bengal, Bihar, and Jharkhand, all previously known for scam and cybercrime activity.

Because apps like these would not survive review on trusted platforms, above all the Google Play Store, the operators sidestep the store entirely: they distribute APK files over WhatsApp, dressed up as government or banking apps, and rely on users sideloading them. Once installed, the malware requests SMS permissions and uses them to intercept and extract messages containing sensitive banking information, including OTPs. The apps also hide their launcher icons and block uninstallation to maintain persistence on compromised devices.
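As an added example (not code from this article or from Zimperium), the script below does a static triage of a decoded AndroidManifest.xml for the traits described above: SMS permissions, a high-priority SMS_RECEIVED receiver, a device-admin receiver (a common way sideloaded malware resists uninstallation), and the absence of a launcher activity. Icon hiding is usually done at runtime via setComponentEnabledSetting, so a missing launcher entry is only a weak hint; these heuristics are generic indicators for this class of malware, not a confirmed signature of this campaign. The embedded manifest and its package name are constructed for the demo.

```python
# Added example: static triage of a decoded AndroidManifest.xml.
# Usage: apktool d suspect.apk && python triage.py suspect/AndroidManifest.xml
# The SAMPLE_MANIFEST below is constructed; "com.example.fakebank" is made up.
import json
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
LAUNCHER = "android.intent.category.LAUNCHER"

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Secure">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.intent.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a dict of indicators found in the manifest text."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        "sms_receiver": False,
        "sms_receiver_priority": None,
        "device_admin_receiver": False,
        "launcher_activity": False,
    }
    app = root.find("application")
    if app is None:
        return findings
    # activity-alias can also carry the LAUNCHER category, so check both.
    for tag in ("activity", "activity-alias"):
        for act in app.iter(tag):
            if any(_attr(c, "name") == LAUNCHER for c in act.iter("category")):
                findings["launcher_activity"] = True
    for recv in app.iter("receiver"):
        if _attr(recv, "permission") == DEVICE_ADMIN:
            findings["device_admin_receiver"] = True
        for filt in recv.iter("intent-filter"):
            if SMS_RECEIVED in {_attr(a, "name") for a in filt.iter("action")}:
                findings["sms_receiver"] = True
                pri = _attr(filt, "priority")
                try:
                    # apktool emits decimal; int(x, 0) also accepts 0x... forms.
                    findings["sms_receiver_priority"] = int(pri, 0) if pri else None
                except ValueError:
                    findings["sms_receiver_priority"] = None
    return findings


def risk_score(f):
    """Crude additive score; anything >= 5 deserves a closer look."""
    score = 0
    if f["sms_permissions"]:
        score += 2
    if f["sms_receiver"]:
        score += 2
    if (f["sms_receiver_priority"] or 0) >= 999:   # outrank the default SMS app
        score += 1
    if f["device_admin_receiver"]:
        score += 2
    if not f["launcher_activity"]:
        score += 1
    return score


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    result = triage_manifest(text)
    result["risk_score"] = risk_score(result)
    print(json.dumps(result, indent=2))
```

The constructed sample scores 7: both SMS permissions, a receiver registered for SMS_RECEIVED at priority 999, and a device-admin receiver. A benign messaging app can legitimately hit the first two, so treat the score as a triage filter for which samples to open in a decompiler, not as a verdict.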

All the information stolen by these apps is sent to Firebase databases that act as command-and-control servers. To make matters worse, the researchers found that these Firebase databases are configured with security rules that allow unauthenticated reads, meaning the data is publicly accessible and anyone on the internet can retrieve victims' compromised details.
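The check an analyst runs against a Firebase backend recovered from a sample is simple: ask the Realtime Database and the Storage bucket for data with no credentials and see whether they answer. The script below is an added example, not code from the article or from Zimperium. It assumes the database URL and bucket name were pulled from the decoded APK (after `apktool d`, they are normally in res/values/strings.xml as `firebase_database_url` and `google_storage_bucket`); the project and bucket names used here are placeholders, and the fetch function is injectable so the classification runs offline against constructed responses.

```python
# Added example: detect Firebase Realtime Database / Storage buckets that serve
# unauthenticated reads. Project and bucket names below are placeholders and the
# FAKE_RESPONSES are constructed; pass http_get (the default) to probe for real.
import json
import urllib.error
import urllib.request


def http_get(url, timeout=10):
    """Return (status, body). HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "fb-exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def rtdb_probe_url(database_url):
    # shallow=true returns only top-level keys, so a hit proves exposure
    # without pulling down the whole dump of victim data.
    return database_url.rstrip("/") + "/.json?shallow=true"


def storage_list_url(bucket):
    # Object listing endpoint of the Firebase Storage REST API.
    return "https://firebasestorage.googleapis.com/v0/b/%s/o" % bucket


def classify_rtdb(status, body):
    """Map a Realtime Database REST response to an exposure verdict."""
    if status == 200:                       # rules allow anonymous read
        try:
            keys = json.loads(body)
        except ValueError:
            keys = None
        return "OPEN", sorted(keys) if isinstance(keys, dict) else []
    if status == 401:                       # {"error" : "Permission denied"}
        return "LOCKED", []
    if status == 404:
        return "NOT_FOUND", []
    return "UNKNOWN", []


def classify_storage(status, body):
    """Map a Storage listing response to an exposure verdict."""
    if status == 200:                       # rules allow anonymous list
        try:
            doc = json.loads(body)
        except ValueError:
            doc = {}
        items = doc.get("items", []) if isinstance(doc, dict) else []
        return "OPEN_LISTING", [i.get("name") for i in items]
    if status == 403:                       # permission denied by rules
        return "LOCKED", []
    if status == 404:
        return "NOT_FOUND", []
    return "UNKNOWN", []


def check_rtdb(database_url, fetch=http_get):
    return classify_rtdb(*fetch(rtdb_probe_url(database_url)))


def check_storage(bucket, fetch=http_get):
    return classify_storage(*fetch(storage_list_url(bucket)))


# Constructed stand-ins for the network, keyed by the exact URL probed.
FAKE_RESPONSES = {
    "https://example-c2.firebaseio.com/.json?shallow=true":
        (200, '{"sms": true, "otp": true, "cards": true}'),
    "https://locked-project.firebaseio.com/.json?shallow=true":
        (401, '{"error" : "Permission denied"}'),
    "https://firebasestorage.googleapis.com/v0/b/example-c2.appspot.com/o":
        (200, '{"prefixes": [], "items": [{"name": "sms_dump_1.txt", '
              '"bucket": "example-c2.appspot.com"}]}'),
    "https://firebasestorage.googleapis.com/v0/b/locked.appspot.com/o":
        (403, '{"error": {"code": 403, "message": "Permission denied."}}'),
}


def fake_fetch(url, timeout=10):
    return FAKE_RESPONSES.get(url, (404, ""))


if __name__ == "__main__":
    print("rtdb   :", check_rtdb("https://example-c2.firebaseio.com", fake_fetch))
    print("storage:", check_storage("example-c2.appspot.com", fake_fetch))
```

An OPEN verdict on the database corresponds to a ruleset along the lines of `".read": true`; the locked-down equivalent requires `auth != null` (or a tighter per-path condition) before any read, which is why the legitimate response to the probe is a 401, not a key listing. Newer projects may expose the database at a `<project>-default-rtdb.firebaseio.com` or regional `firebasedatabase.app` host, so always take the URL from the app's own config rather than guessing it.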


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
