Attackers are weaponizing India\u2019s appetite for mobile banking by circulating counterfeit Android apps that mimic the interfaces and icons of public-sector and private banks.<\/p>\n
Surfacing in telemetry logs on 3 April 2025, the impostors travel through smishing<\/a> texts, QR codes and search-engine poisoning, tricking users into sideloading the packages.<\/p>\n During the initial execution window, a lightweight dropper decrypts and writes its true payload to external storage before prompting Android\u2019s installer via a forged update dialog.<\/p>\n Cyfirma analysts noted<\/a> that more than 7,000 devices attempted to contact the same Firebase Cloud Messaging (FCM) endpoint within 48 hours of discovery, underscoring the campaign\u2019s reach.<\/p>\n Permission abuse is central to the scheme. REQUEST_INSTALL_PACKAGES bypasses Play Protect, READ_SMS captures OTPs, and QUERY_ALL_PACKAGES gives the trojan a panoramic view of installed apps, laying groundwork for overlay attacks.<\/p>\n This installer shows the deceptive UI that harvests phone numbers, 4-digit MPINs and 3-digit CVVs which are instantly uploaded to a private Firebase Realtime Database.<\/p>\n Once credentials are secured, the malware<\/a> quietly diverts voice verification by issuing the USSD string *21<\/em>attackerNumber#, enabling unconditional call forwarding.<\/p>\n Persistence is obtained through a BOOT_COMPLETED receiver and the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS flag, allowing the process to survive both reboots and aggressive power-management routines.<\/p>\n Security teams warn that such tactics can facilitate full account takeover in minutes.<\/p>\n The dropper hides its secondary APK<\/a>, app-release.apk, in the assets directory and installs it silently through FileProvider.<\/p>\n The core logic fits in a few lines of Kotlin:-<\/p>\n If INSTALL_NOW executes without user oversight, PackageInstaller proceeds and the new payload masks itself by declaring only an INFO category activity\u2014no launcher icon appears.<\/p>\n On boot, AutostartHelper reenables services, while a SubscriptionManager call maps active SIM slots to numbers, ensuring every intercepted SMS is tagged with the correct sender before JSON exfiltration<\/a> through FCM.<\/p>\n Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis->\u00a0Try ANY.RUN now<\/a><\/strong><\/p>\n The post Malicious Android Apps Mimic as Popular Indian Banking Apps Steal Login Credentials<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiX_niu3rByDy2vdxfmo1XWxQtiQYM9InDCOQC7xL3npXs1CWBQ6iGwjUnp4DWxQJLZVCCYNJ7aWT79u373QGdN9kLJpiBWcU4kJoVkXzz_as2WLHv9qa5-GTLjapVIBCLqu7snOiUMxEDjIIyzygcgTu66C9iaPcZ5Yzuvsk9chQNwBBhExfxL6hHSsq4\/s16000\/Silent%2520Main%2520APK%2520Installer%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
Infection Mechanism<\/strong><\/h2>\n
val apk = File(filesDir, \"app-release.apk\")\nassets.open(\"app-release.apk\").copyTo(apk.outputStream())\nval uri = FileProvider.getUriForFile(this, \"$packageName.provider\", apk)\nstartActivity(Intent(Intent.ACTION_VIEW).apply{\n setDataAndType(uri,\"application\/vnd.android.package-archive\")\n addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION); putExtra(\"INSTALL_NOW\", true)\n})<\/code><\/pre>\n