Our examination of a fresh iteration of previously disclosed Android malware that steals user information through Reward points scam. They are also distributed through an ongoing SMS campaign that shows how mobile threats are always evolving. This latest version poses as a banking rewards programme and targets customers of Indian banks. These banks have greater remote access trojan (RAT) capabilities and are more disguised. The SMS campaign distributes messages with a link leading to the Android spyware that steals user information. With the use of the malware’s RAT capabilities, an attacker can ostensibly capture two-factor authentication (2FA) messages frequently employed by banks and other financial organizations. Also other crucial device notifications like incoming SMS.

The malware’s capacity to intercept all SMS messages is further worrisome because the information obtained can be used to further intercept users’ private information, such as 2FA messages for email accounts and other PII (PII).

Typical SMS campaign attack flow
Figure Typical SMS campaign attack flow

The Attack Flow

When we first became aware of this new Android spyware, it was through an SMS message. The message had a malicious link that caused us to download a phoney banking rewards app. In contrast to malware described as being comparable in 2021, the fake software, identified as TrojanSpy:AndroidOS/Banker.O, used a different bank name and logo. Based on open-source intelligence, we also discovered that this bogus app’s command and control (C2) server is connected to 75 additional malicious APKs. The false app that we looked at shares a logo with some of the malicious APKs, which could mean that the actors are continually creating new versions to maintain the campaign.

This blog describes our examination of the capabilities of the most recent version. Never click on unidentified links that you receive in SMS messages, emails, or chat apps, we highly advise consumers. Additionally, we advise consulting with your bank about digital solutions for your bank. In order to avoid installing malware, make sure that your banking apps are obtained from legitimate app shops.

Observed activity

What the user sees

We have observed further efforts based on the following app names that target clients of Indian banks:

  • Axisbank_rewards.apk
  • Icici_points.apk
  • Icici_rewards.apk
  • SBI_rewards.apk

Our analysis concentrated on icici rewards.apk, which poses as ICICI Rewards and carries the package name com.example.test app. The SMS campaign sends out messages with a malicious link that causes a target’s mobile device to download a malicious APK. The SMS states that the user is being alerted to claim a reward from a reputable Indian bank in order to entice consumers into opening the link.

text message with a malicious link sent to users
Figure The text message with a malicious link sent to users

When a user interacts with it, a splash screen with the bank’s logo appears, after which the user is prompted to grant the app certain permissions.

After receiving the necessary permissions, the fraudulent app requests credit card information. Given that apps normally only request sensitive information through user-driven interactions like making purchases. This should make consumers wonder about the app’s motivation.

Once users enter the required information, the software displays a second phoney screen with additional instructions to better establish its credibility.

A fake page where the app asks users to provide information
Figures A fake page where the app asks users to provide information, and the resulting message once data is added

Main Activity

Under the name com.example.test app.MainActivity, the term MainActivity—also known as the launcher activity—is specified. After installation, it is the first app to be launched in order to show the phoney app’s ICICI splash screen. Then, this launcher activity calls Permission Activity to start permission requests and the OnCreate() method to check the device’s internet connectivity and note the timing of the malware installation. Permission Activity then calls AutoStartService and login Kotak when permissions have been granted.

The user’s credit card information was taken by the class login Kotak. While it waits for commands from the attacker, it displays the false credit card input screen and temporarily stores the data in the device.

Mitigating the fake app’s unwanted extras

The ongoing evolution of this malware emphasizes the importance of safeguarding mobile devices. Because of its more extensive SMS theft capabilities, hackers might be able to utilize the stolen data to steal from a user’s other banking apps. The protections offered by banks’ two-factor authentication procedures, which customers and institutions rely on to keep their transactions secure, are thwarted by its capacity to intercept one-time passwords (OTPs) supplied over SMS. Future targets may be drawn in by its usage of logos from various banks and financial institutions.

Because Android is a very open operating system, installing apps is rather simple. Attackers frequently take advantage of this openness for their own advantages though. In addition to being extremely cautious while installing apps and clicking links in messages. They advised users to take the following actions to safeguard their devices from malware and phoney programmes:

  • Use only official app stores to download and install the software.
  • Users of Android devices can prevent the installation of apps from unknown sources by keeping the Unknown sources option deactivated.