A sophisticated new Android malware campaign has emerged targeting Indian banking customers through convincing impersonations of popular financial applications.<\/p>\n
The malicious software<\/a> masquerades as legitimate apps from major Indian financial institutions, including SBI Card, Axis Bank, Indusind Bank, ICICI, and Kotak, deceiving users into downloading fake applications that steal sensitive financial information.<\/p>\n The malware operates through carefully crafted phishing websites that closely replicate official banking portals, incorporating authentic visual elements and branding to establish credibility.<\/p>\n These fraudulent sites feature prominent \u201cGet App\u201d and \u201cDownload\u201d buttons that prompt unsuspecting users to install malicious APK files<\/a> disguised as official banking applications.<\/p>\n The campaign specifically targets Hindi-speaking users across India, leveraging cultural and linguistic familiarity to enhance its deceptive effectiveness.<\/p>\n McAfee researchers identified<\/a> this threat as particularly dangerous due to its dual-purpose architecture that combines traditional banking fraud with cryptocurrency mining capabilities.<\/p>\n The malware not only harvests personal and financial data but also silently mines Monero cryptocurrency on infected devices, maximizing the attackers\u2019 financial gains from each compromised device.<\/p>\n What distinguishes this campaign from conventional banking trojans is its sophisticated evasion mechanisms and remote activation capabilities.<\/p>\n Upon installation, the malware<\/a> presents users with a fake Google Play Store interface suggesting an app update is required.<\/p>\n This deceptive tactic builds user confidence while the malware prepares its malicious payload.<\/p>\n The malware employs a sophisticated two-stage payload delivery system designed to evade static analysis and detection.<\/p>\n Initially functioning as a dropper, the application stores an encrypted DEX file within its assets folder, which serves as the first-stage loader component.<\/p>\n This encrypted payload is obfuscated<\/a> using XOR encryption, preventing immediate detection by security scanners.<\/p>\n The first-stage loader decrypts and dynamically loads a second encrypted file containing the actual malicious payload.<\/p>\n This layered approach ensures that no clearly malicious code appears in the main APK file, complicating forensic analysis and automated detection systems.<\/p>\n Once the final payload executes, it presents victims with convincing fake banking interfaces that capture sensitive information including card numbers, CVV codes, and personal details.<\/p>\n The cryptocurrency mining<\/a> functionality operates through Firebase Cloud Messaging, allowing attackers to remotely trigger mining operations using XMRig software.<\/p>\n The malware downloads encrypted mining binaries from hardcoded URLs and executes them using ProcessBuilder, generating Monero cryptocurrency while remaining largely undetected on infected devices.<\/p>\n Integrate\u00a0ANY.RUN TI Lookup<\/strong>\u00a0with your SIEM or SOAR To Analyses Advanced Threats<\/strong>\u00a0->\u00a0Try 50 Free Trial Searches<\/a><\/strong><\/p>\n The post New Android Malware Mimics as SBI Card, Axis Bank Apps to Steal Users Financial Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh-e1t-a6IpqR1n4wA33_4Q7i1knd67efTOk9tcz1CTSmUOnpiGMHFito_yjFt4ckTtxpjEu6rA0jMtKc70dKthO6l2AHL0DIPq86jUjuxziPlIt7IpeVJgcvW61MeGJdPKWMgoTSNgRNOkMoDEJe6Fagrq2oP3R7t5PtH32MZGfutEah6djdPvkgknQlg\/s16000\/Phishing%2520website%2520%28Source%2520-%2520McAfee%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhimE2XwOyn2IP4Ezvr3g7zYvhzEu28M7ZURWgbZpePBZsTAUnM5tm5EY2kgvf6qHm2DnAEFyy5Xqf9xPPfJ-f4-YC-FQ9O8H_902IYAW5iNtdd-N39xOZ7VSyHYg5GIoY6oyoCu_MWqh3lHu01FkolfsvjUSNO7x9uYUs8wBb2-lHFYHsyyXCILoyJc6I\/s16000\/Initial%2520screen%2520shown%2520by%2520the%2520dropper%2520app%2520%28Source%2520-%2520McAfee%29.webp?ssl=1\")
Advanced Payload Delivery and Execution Mechanism<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiIEbrVvcVoy2P1dxjh5wpXNM4sKFnvOQYeFJ3ts72BsyjRnsdu2URCe0fysRPY21UFaM2-lKLh3W7MVOl-Wmy9SAtjC34Pjbe3h1xvJ6UUCVn1OLJvzIYvMN67H6CPN0BAgp9JDGQ1RxyEVUTszSB62bGTTtnzjfzQuTKCAqL_9j3Kg1UutQYG4EWXy10\/s16000\/Fake%2520card%2520verification%2520screen%2520%28Source%2520-%2520McAfee%29.webp?ssl=1\")