Android Malware Posing As Indian Bank Apps

July 25, 2025, 12:37 p.m.

Description

This report analyzes a sophisticated Android malware targeting Indian banking apps. The malware uses a dropper and main payload structure, leveraging permissions like SMS access and silent installation to steal credentials, intercept messages, and perform unauthorized financial activities. It employs Firebase for command and control, phishing pages to mimic banking interfaces, and techniques like call forwarding abuse. The malware's modular architecture, evasion tactics, and persistence mechanisms pose significant threats to mobile banking security. Distribution methods include smishing, fake websites, and malvertising. The report provides detailed static and dynamic analysis, highlighting the malware's capabilities in data exfiltration, debit card harvesting, and remote command execution.

Date

  • Created: July 25, 2025, 10:29 a.m.
  • Published: July 25, 2025, 10:29 a.m.
  • Modified: July 25, 2025, 12:37 p.m.

Indicators

  • ee8e4415eb568a88c3db36098b7ae8019f4efe565eb8abd2e7ebba1b9fb1347d
  • 131d6ee4484ff3a38425e4bc5d6bd361dfb818fe2f460bf64c2e9ac956cfb13d

Attack Patterns

Additional Information

  • Finance
  • British Indian Ocean Territory
  • India