
Android banking malware campaign exposes data of 50,000 Indian users


Photo: Rafapress / Shutterstock.com

A large-scale Android malware campaign is putting Indian banking customers at risk, with nearly 900 malicious apps designed to steal financial credentials and personal identification details and intercept SMS messages, including critical one-time passwords (OTPs) from approximately 50,000 users.

Unlike traditional banking trojans that rely exclusively on command-and-control (C&C) servers for OTP theft, this malware campaign integrates live phone numbers to redirect intercepted messages. Researchers from Zimperium identified around 1,000 unique phone numbers linked to the operation, potentially providing law enforcement with a digital trail to track the perpetrators.

The malware spreads via WhatsApp as APK files disguised as official banking or government apps. Once installed, these malicious apps trick users into divulging highly sensitive details, including Aadhaar card numbers, PAN card numbers, credit and debit card details, ATM PINs and mobile banking login credentials.

ICICI, Punjab National Bank, RBL Bank, State Bank of India, IndusInd, and Union Bank were the primary targets of impersonation by threat actors.

[Image: Zimperium screenshot of the malware campaign. Source: Zimperium]

The malware hijacks bank-related messages and OTPs by exploiting SMS permissions, enabling unauthorised financial transactions. Additionally, it employs stealth techniques such as hiding its app icon and resisting uninstallation, ensuring long-term persistence on compromised devices.

“The proliferation of digital payments in India has led to an increase in mobile-based financial fraud. Given that OTPs remain a critical authentication mechanism, threat actors are increasingly deploying SMS-stealing malware to bypass this security layer. By combining credential theft, SMS interception and phishing techniques, these actors can execute unauthorised transactions and drain victims’ bank accounts via their mobile devices,” researchers wrote in a report shared with Candid.Technology.

The research team identified three primary variants of the malware, each employing different methods of exfiltrating stolen data:

  • SMS forwarding variant: Captures and sends stolen SMS messages to an attacker-controlled phone number.
  • Firebase-exfiltration variant: Transfers stolen messages to a Firebase database acting as a makeshift C&C server.
  • Hybrid variant: Utilises both SMS forwarding and Firebase exfiltration for maximum data theft.

Researchers who analysed over 1,000 malicious applications linked to this campaign discovered advanced obfuscation and packing techniques designed to evade detection. Some variants contained hardcoded phone numbers, indicating that the attackers either control them directly or have compromised these numbers through fraud or coercion.
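The traits described above (SMS permission abuse, a hidden app icon, resistance to uninstallation, and hardcoded forwarding numbers or Firebase endpoints) are all visible to static triage before an APK is ever run. The following is an added example, not code from the article or from Zimperium: a small Python heuristic that scans a decoded Android manifest and the app's extracted string constants for those traits and returns a score. The manifests, phone number and Firebase URL below are constructed for the demo, and the phone-number regex is a simplification assumed for illustration.

```python
"""
Added example (not from the article or Zimperium): static triage of an Android
manifest plus string constants for SMS-stealer traits. Inputs are what a tool
such as apktool extracts; all samples here are constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest namespace

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
# Indian mobile numbers: optional +91 or 0 prefix, then 10 digits starting 6-9.
# Simplified regex assumed for the demo; real triage would use a phone library.
PHONE_RE = re.compile(r"(?<![\d+])(?:\+91[\s-]?|0)?[6-9]\d{9}(?!\d)")
FIREBASE_RE = re.compile(
    r"https?://[\w.-]+\.(?:firebaseio\.com|firebasestorage\.googleapis\.com)[^\s\"']*"
)


def triage_manifest(manifest_xml: str) -> dict:
    """Return suspicious manifest traits and a simple 0-4 score."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    sms_perms = sorted(perms & SMS_PERMISSIONS)

    # No LAUNCHER category means no home-screen icon to tap.
    # Caveat: an icon hidden at runtime is not visible in the manifest.
    has_launcher = any(
        c.get(ANDROID + "name") == "android.intent.category.LAUNCHER"
        for tag in ("activity", "activity-alias")
        for comp in root.iter(tag)
        for c in comp.iter("category")
    )

    sms_receiver = device_admin = False
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            device_admin = True  # device-admin apps resist plain uninstallation
        for action in receiver.iter("action"):
            if action.get(ANDROID + "name") == "android.provider.Telephony.SMS_RECEIVED":
                sms_receiver = True  # sees every incoming SMS, OTPs included

    hidden = not has_launcher
    return {
        "sms_permissions": sms_perms,
        "sms_receiver": sms_receiver,
        "hidden_launcher": hidden,
        "device_admin": device_admin,
        "score": sum([bool(sms_perms), sms_receiver, hidden, device_admin]),
    }


def triage_strings(strings: list) -> dict:
    """Pull hardcoded forwarding numbers and Firebase endpoints from string constants."""
    phones, endpoints = [], []
    for s in strings:
        phones.extend(PHONE_RE.findall(s))
        endpoints.extend(FIREBASE_RE.findall(s))
    return {"phone_numbers": phones, "firebase_endpoints": endpoints}


# Constructed manifest showing the traits the article describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank KYC Update">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: ordinary launcher activity, no SMS access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed string constants as a decompiler would list them.
SUSPICIOUS_STRINGS = [
    "Enter your Aadhaar number",
    "+91 9876543210",
    "https://example-project.firebaseio.com/sms.json",
]

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS_MANIFEST))  # score 4
    print(triage_manifest(BENIGN_MANIFEST))      # score 0
    print(triage_strings(SUSPICIOUS_STRINGS))
```

The score is a triage signal, not a verdict: a legitimate SMS app legitimately holds these permissions and declares an SMS receiver, so the combination with a missing launcher icon and a device-admin receiver is what pushes a sample up the queue for a human analyst.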

[Image: Zimperium screenshot of exposed Firebase data. Source: Zimperium]

A startling discovery in the investigation was the presence of over 222 publicly accessible Firebase storage buckets linked to the malware campaign. These buckets contained approximately 2.5 GB of sensitive data, affecting 50,000 Indian users. The exposed information included bank transaction-related SMS, banking and card details, and Aadhaar and PAN card numbers.

A significant weakness in the attackers’ operation was that the Firebase instances required no authentication at all, leaving them readable by anyone. Researchers found that these unsecured databases also contained administrative credentials and the phone numbers used for SMS exfiltration.
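The open Firebase instances are the same misconfiguration that exposes legitimate app backends, and it is cheap to audit for before deploying. The following is an added example, not code from the article or from Zimperium: a Python walk over a Firebase Realtime Database rules document that reports every node whose `.read` or `.write` rule is the literal `true`, i.e. open to the whole internet. It assumes the Realtime Database JSON rules format; the weak and hardened rule documents are constructed for the demo.

```python
"""
Added example (not from the article or Zimperium): audit Firebase Realtime
Database rules for nodes that are readable or writable without authentication.
Rule documents below are constructed.
"""
import json

RULE_KEYS = {".read", ".write"}


def _walk(node: dict, path: str) -> list:
    """Recursively collect (path, rule_key) pairs whose rule is literally true."""
    findings = []
    for key, value in node.items():
        if key in RULE_KEYS:
            # Firebase accepts a boolean or a string expression such as "auth != null".
            if value is True or (isinstance(value, str) and value.strip() == "true"):
                findings.append((path, key))
        elif isinstance(value, dict):
            findings.extend(_walk(value, path.rstrip("/") + "/" + key))
    return findings


def audit_rules(rules_doc: dict) -> list:
    """Return the open (path, rule) pairs in a {"rules": {...}} document."""
    return _walk(rules_doc.get("rules", {}), "/")


# Constructed: the kind of rules that leave an entire database public.
WEAK_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Constructed: each user may read and write only their own subtree.
HARDENED_RULES = json.loads("""{
  "rules": {
    "sms": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}""")

if __name__ == "__main__":
    print(audit_rules(WEAK_RULES))      # [('/', '.read'), ('/', '.write')]
    print(audit_rules(HARDENED_RULES))  # []
```

A rule of `true` at the root, as in the weak document, is exactly the state that let researchers (and anyone else) read the stolen SMS, card and Aadhaar data; the hardened form ties every read and write to an authenticated user.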

Through phone number analysis, researchers traced the registrations of these numbers primarily to the states of West Bengal, Bihar, and Jharkhand, which collectively accounted for 63% of the total. The malware’s administrative dashboard was another weak link in the attackers’ infrastructure. A feature labelled ‘Admin WhatsApp’ allowed operatives to contact their superiors directly through WhatsApp, indicating a multi-user operation with structured coordination.

[Image: Zimperium screenshot of the malware’s administrative dashboard. Source: Zimperium]

Researchers identified multiple financial institutions and government-backed financial schemes impersonated through deceptive app icons, furthering the spread of the malware. Among the bank-related SMSes in the exposed data, messages from Jio Payments, Airtel Payments Bank, Bandhan Bank, Union Bank, and HDFC Bank were the most common.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
