SMS scam tricks Indian bank customers into installing malicious apps

SMS scam tricks Indian bank customers into installing malicious apps

Zscaler’s ThreatLabz researchers recently observed the emergence of a sophisticated phishing campaign being propagated via fake banking websites targeting major Indian banks such as HDFC, AXIS and SBI. The team will continue to monitor the new situation and will provide an update on any important new developments. In the past, ThreatLabz researchers have observed Indian bank customers being targeted with fake complaint forms from phishing websites that spread Short Message Service (SMS) malware. In contrast, this new campaign exploits fake card renewal websites to spread Android-based phishing malware aimed at collecting banking information for financial fraud.

Campaign 1: Targeting HDFC and Axis banks

Threatlabz ​​researchers observed domains serving links for fake banking related application downloads as shown in Fig.1 and Fig.2 below.

Fig 1. Impersonated phishing website targeting HDFC bank customers

Fig 2. Imitation phishing page aimed at Axis bank customers

The two screenshots shown above show how these phishing scammers pretend to be bank websites to get customers’ sensitive information by encouraging them to fill out fake applications to redeem their earned card points for cash or a voucher. In most cases, these sites are spread through SMS text messages to victims. When a user clicks on the contained link, the victim is prompted to install an Android-based phishing malware designed to steal critical financial data.

Fig 3. Phishing Page for HDFC Bank Credit Card Application

Upon opening the app, the user will see the fake page as shown in Fig. 3, which asks them to enter sensitive information, including card number, expiration date, cardholder name, phone number, DOB, etc., to redeem points for cash or coupons, shown in the screenshot above. When the victim submits sensitive information in the fake form, the malware sends a copy to the command-and-control server (C2) shown in the screenshot below.

See also  How to register for Telegram without a SIM card

Fig 4. Creation of a phishing page in the app and C2

Upon the second run or completion of the requested tasks, a timer screen is displayed to the user, revealed in the code shown in Fig. 5 below.

Fig. 5. The last page is shown to the user as the second snap in Fig. 3

After receiving all of the victim’s sensitive form-filling information, including card details, the threat actor is now able to initiate fraudulent financial transactions. All they need to carry out the attack is a one-time password (OTP).

To collect the OTP, victims are further asked to give SMS permission to access the malicious app at the time of installation. When the user grants this access to SMS permissions, the malware is able to exfiltrate received SMS text messages containing the OTP codes they need. To complete a transaction initiated using the user’s card details, the application will capture the OTP codes and forward them to the C2 server.

Fig 6. Writing phishing data in shared preferences and MFA extraction

This malware also uses a masking technique that prevents it from running again. It writes data in the modifiable shared preferences using the initial installation data written in the “time” object as a reference point to block users from viewing the card’s phishing page again.

Fig 6. Obfuscation to not load the phishing page after the first run

Campaign 2: Targeting SBI bank customers with KYC verification scam

In other campaigns, ThreatLabz researchers observed adversaries sending SMS text messages asking users to immediately update their “Know Your Customer” (KYC) identity verification bank requirement or perform some other similar urgent action to avoid account blocking or locking. This false sense of urgency, created by adversaries, is very effective in convincing victims to perform the requested action, including downloading apps to perform the task. In the cases observed in this article, all of these requests were fake, and the attacks infected users with malicious apps and stole personal banking information.

See also  Item-level receipt data startup Banyan raises $43 million

The screenshot below shows an attack where the user is asked to download a malicious app to unlock their account.

Fig 7. Smishing campaigns

Unlike campaign 1 where applications were seen using fake in-app login pages, in this SBI bank KYC verification scam campaign, applications rely on command servers to render the phishing pages. ThreatLabz researchers believe that this is how the malware authors are able to create new campaigns so quickly, as only a few changes like updating C2 destinations are required to create a new campaign.

The application starts by asking users to login to a fake SBI bank website and then update the KYC verification, shown in fig. 8 below.

Fig 8. Fake login page redirect is hosted on firebase

Users are navigated through a number of web pages located on firebase when they enter their bank credentials, mobile number etc., shown in fig 9.

Fig 9. Phishing of login data is used to steal bank credentials

The user is asked to enter an OTP during each fake update step to make the application appear legitimate, shown in Fig. 10 below, this tactic can also be used to steal the OTP and gain access.

Fig 10. Ask users for OTP

The user is directed to a page and asked to provide bank information, shown in fig. 11 below. Along with the bank details, the user is asked to enter their Permanent Account Number (PAN).

Fig. 11. The application asks the user to provide sensitive bank information

Apart from collecting OTPs through phishing sites, malware developers have also implemented code routines to retrieve OTPs from incoming SMS text messages and send them to a secondary C2 as well as a hard-coded phone number, as shown below.

See also  Apple allows in-app NFTs in the App Store, but waives the 30% fee on transactions

Fig 12. Code to send incoming SMS data to C2

Fig 13. Testing SMS data exfiltration to static number

Fig 14. Traffic showing data upload to an external server

The Zscaler sandbox is capable of detecting malware threat behavior and techniques.

Fig 15. Zscaler sandbox report showing detection of malicious applications

Zscaler advises users not to install any unknown applications sent via SMS text messages, especially if the messages identify themselves with a financial institution or bank, this is a common practice used by threat actors to impose a false sense of urgency on users immediately without further investigation.

Indicators of Compromise (IOC)

Campaign 1 IOCs


hxxps[://]update your card[.]i/HDFC_creditcard[.]apk
hxxps[://]map update[.]in/
hxxps[://]map update[.]in/



Campaign 2 IOCs


hxxps[://]kyc update app[.]web[.]app/SBI-KYC[.]apk
hxxps[://]point dekho[.]xyz/save_sms[.]php
hxxps[://]sbi kyc points[.]web[.]app/sbi-kyc[.]apk
hxxps[://]sbi kyc points[.]firebase app[.]com/sbi-kyc[.]apk
hxxps[://]sbi-kyc-update-immediate[.]firebase app[.]com/sbi-kyc[.]apk
hxxps[://]please-visit now-immediately[.]no/SBI-KYC[.]apk
hxxps[://]publishing of India[.]top/SBI-KYC[.]apk



*** This is a Security Bloggers Network syndicated blog from the Blog Category Feed written by Himanshu Sharma. Read the original post at:

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *