Android Malware Targeting Indian Banks

Summary

CloudSEK’s Customer Threat Research Team discovered a malware sample in the wild (ITW) that targeted the customers of Indian Banks.
Category: Malware IntelligenceIndustry:
BFSI
Region: IndiaSource*: A2

Executive Summary

CloudSEK’s Customer Threat Research Team discovered a malware sample in the wild (ITW) that targeted the customers of Indian Banks.

Analysis:

Analyzing the APK’s using CloudSEK’s security search engine for mobile applications BeVigil we discovered source code, inner functionality of malware, permissions used and URL endpoints to which malware was communicating.
Delivery:

The malware was delivered upon submitting a form that requested information such as Name, Mobile Number and Email Address.
What’s Exfiltrated?

Analyzing the APK file we discovered the malware is capable of stealing Credit/Debit Card information, net banking passwords and SMS to read/submit One Time generated passwords on the victim's behalf.

Note: We believe it is an ongoing activity since multiple samples targeting prominent banks from India were discovered in the last 3 months.

Information from Technical Analysis

The malicious app is tricking the victims into giving up their Card details and netbanking passwords by luring them using financial rewards.

The malicious app is using the official logo of Indian banks to trick victims into believing that the app is legitimate , which can be used to redeem reward points.

Device Permissions

The app requires a number of permissions while being installed on an android device. Many of these permissions are classified in the dangerous permissions category.

Permissions required by the Malware
Permissions required by the Malware

These dangerous permissions include permission to read the device call logs, read contacts, read SMS, receive SMS, get and authenticate accounts.

Dangerous Permissions
Dangerous Permissions

These permissions allow the malware to steal sensitive information from the victim’s device, read and receive SMS, get information about the accounts being used on the device, use these accounts for authentication and even create new accounts.

Persistence Mechanism

The app uses intent filters with high priority to know about the device reboot to maintain persistence.

The high priority-999 allows the malware to know about the boot change as soon as there is any change.
The high priority-999 allows the malware to know about the boot change as soon as there is any change.

The high priority-999 allows the malware to know about the boot change as soon as there is any change. This allows the malware to restart its broadcast receiver to receive any kinds of broadcasts sent across the system by the device OS or other apps.

Data Exfiltration

The source code to the APK is present at https://bevigil.com/src/in.kotak.rewards/source%2Fsources%2Fin%2Fkotak%2Frewards%2FAutoStartService.java

The malware is exfiltrating all the SMS and Call logs from the Victims device to its C2 server.

Code for exfiltrating SMS

Code for exfiltrating Call logs
Code for exfiltrating Call logs

It is important to note that all the exfiltrated data is being encrypted before sending it to the C2 server.

Encryption Key used for Encryption

Encryption Key used for Encryption
Functions for encryption and decryption
Code snippet showing SMS data being encrypted before exfiltration

Command & Control

Based on the static code analysis of the malware, we can say that the malware is not just stealing data but could also be used to execute commands sent by the Threat Actor.

These commands can be sent by the attacker to the victim device to make the malware perform certain actions like uploading SMS, call logs to the C2 and even putting the device on Silent Mode.

As the malware takes the audio manager permission during install, putting the victim on silent mode is done just before the Threat Actor tries to use the victim’s credit card to make any purchase or transaction to make the victim not notice the OTP of transaction related SMS.

Once the SMS has been uploaded to the C2, the malware can also delete the SMS, so that the victims can not find the SMS whenever they check their phones.

Function to delete SMS from Victim device
Function to delete SMS from Victim device

IOCs

Indicator TypeIndicator
FileHash-SHA256f85199a4960e5e1c4bd7843e767a632e5e41454baffe5056a93c2895682f82f6
FileHash-SHA256007962b4a6813c099e0f682f2b6691427251dee74c7bf949b901ec0f757eace6
FileHash-SHA2567e90de4066c81234c54545c2d28071f2c9803e4852d3e9177bd40535fc0698ba
FileHash-SHA256b9c0f27faecae624455615b90e31169fe2a4a189da36a0ac47c39ad830ba39be
FileHash-SHA256a054d73ae44caf9a8cadaa50e129bf2d6ecd66a89794e13ccfc68b3b8cdd04f6
FileHash-SHA256f8677fbacd926fca9fb55239d9491573341c1546cd2ec59e5acc49d43bcf1586
FileHash-SHA256e03b9badfdd85992c8c9f79e25d5975d08b550206f7beb561c5983b3ff1f36b8
FileHash-SHA256642ef960b21d719de2adeecfcd4b16ad6cef9e120ebc24c309e0788317970521
Domainbank-app1121[.]herokuapp[.]com
Domainemail-verify99[.]herokuapp[.]com
Domaintestdata112[.]orgfree[.]com
Domaintestchat8564[.]herokuapp[.]com
Domaindatasmsalluser[.]in
Domainserver5569[.]herokuapp[.]com

Table of Contents

Request an easy and customized demo for free