Fraudulent Scholarship Apps Target Students in “Defarud” Scam Campaign

SikkahBot is an Android malware family, active since July 2024, that explicitly targets students in Bangladesh. Disguised as applications from the Bangladesh Education Board, SikkahBot lures victims with promises of scholarships, coerces them into sharing sensitive information, and requests high-risk permissions.

Once installed, it harvests personal and financial data, intercepts SMS messages, abuses the Accessibility Service, and executes automated banking transactions—including USSD-based operations.

Key Takeaways

  • SikkahBot impersonates the Bangladesh Education Board to distribute fraudulent scholarship apps.
  • Distribution occurs via shortened links redirecting victims to malicious APK download sites, likely through smishing campaigns.
  • The malware harvests personal details and payment information (wallet number, PIN, payment type).
  • Victims are coerced into granting Accessibility Service, SMS access, call management, and overlay permissions, enabling deep device control.
  • SikkahBot intercepts bank-related SMS, abuses Accessibility Service to autofill credentials in bKash, Nagad, and DBBL apps, and executes automated USSD transactions.
  • Active since July 2024, SikkahBot maintains low detection rates on VirusTotal, while newer variants showcase enhanced automation features, indicating continued development by threat actors.

CRIL’s investigation revealed that SikkahBot masquerades as official scholarship portals from the Bangladesh Education Board.

Figure: Low detection rate of a SikkahBot sample on VirusTotal.

Victims receive phishing messages containing shortened URLs such as hxxps://bit[.]ly/Sikkahbord, hxxps://bit[.]ly/Education-2025, and hxxps://appsloads[.]top/govt[.]apk, which redirect users to APK download sites.

Upon installation, the app prompts students to log in with Google or Facebook, then requests personal details—name, department, and institute—and payment information, including wallet number, PIN, and payment type.

After registration, users are told a representative will contact them, but instead the malware activates its malicious capabilities.

Technical Analysis

Permission Abuse and Data Harvesting

Once installed, SikkahBot presents a settings screen that requests users to enable the Accessibility Service, grant SMS access, manage calls, and allow overlays. These high-risk permissions provide the malware with intrusive control over the device.
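The permission combination described above (SMS access, call management, overlays and an Accessibility Service) is a useful static triage signal on its own. The following script is an added example, not code from the report or from Cyble/CRIL: it parses a decoded AndroidManifest.xml (for a real APK, decode it first with apktool) and flags the profile the report attributes to SikkahBot. The two sample manifests are constructed for illustration; their package and class names are placeholders, not real indicators.

```python
"""Manifest triage for the SikkahBot-style high-risk permission profile."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permission families the report ties to SikkahBot's capabilities.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
CALL_PERMS = {"android.permission.CALL_PHONE", "android.permission.ANSWER_PHONE_CALLS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
A11Y_BIND_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# All four capabilities together is the profile described in the report.
FULL_PROFILE = {"sms_access", "call_management", "overlay", "accessibility_service"}


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, a list of findings and a coarse verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    findings = []
    if perms & SMS_PERMS:
        findings.append("sms_access")
    if perms & CALL_PERMS:
        findings.append("call_management")
    if OVERLAY_PERM in perms:
        findings.append("overlay")
    # An Accessibility Service must be declared with BIND_ACCESSIBILITY_SERVICE,
    # so its presence in the manifest is reliable even when code is obfuscated.
    if any(s.get(PERMISSION) == A11Y_BIND_PERM for s in root.iter("service")):
        findings.append("accessibility_service")
    # A receiver for SMS_RECEIVED is what lets the app see incoming bank SMS.
    for rcv in root.iter("receiver"):
        if any(a.get(NAME) == SMS_RECEIVED_ACTION for a in rcv.iter("action")):
            findings.append("sms_receiver")
            break
    if FULL_PROFILE <= set(findings):
        verdict = "high"
    elif len(findings) >= 2:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed sample mimicking the permission set the report describes.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scholarship">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign sample: network access only.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SUSPICIOUS_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

Each finding on its own is legitimate for some app category (an SMS backup tool, a dialer, a screen reader), so the verdict deliberately keys on the combination rather than on any single permission.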

SMS Interception

SikkahBot registers an SMS broadcast receiver to monitor incoming texts for keywords related to bKash, Nagad, and MYGP, as well as numbers like 16216 and 26969.

Detected messages are forwarded to the attacker’s Firebase server at hxxps://update-app-sujon-default-rtdb[.]firebaseio.com.

Figure: Malware collecting SMS messages related to banks.

Banking App Manipulation

By abusing the Accessibility Service, SikkahBot tracks user activity in three banking applications—bKash, Nagad, and Dutch-Bangla Bank.

When a targeted app is launched, the malware retrieves a PIN from the Firebase server and automatically injects it into login fields, bypassing user input.

Automated USSD Transactions

If victims avoid the targeted banking apps, SikkahBot switches to USSD-based fraud. It fetches USSD codes and SIM slot details from the Firebase server, initiates the calls, fills the required fields in the USSD response dialog, and simulates taps on the “SEND,” “send,” or “ok” buttons. Because USSD runs over the cellular signalling channel, these transactions succeed even when the device has no internet connection.
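The SMS-interception and USSD passages above both leave string-level indicators in an APK: the Firebase RTDB host, the bank keywords and short codes the receiver filters on, USSD dial strings, and the button labels the Accessibility Service clicks. The following script is an added example, not code from the report or from Cyble/CRIL; it classifies lines of extracted strings (as produced by `strings` on the decoded APK) into those indicator categories. The C2 host and keywords are taken from the report; the USSD codes and remaining sample strings are constructed placeholders.

```python
"""Classify APK strings into the SikkahBot indicator categories from the report."""
import re

# Keywords and sender numbers the report says the SMS receiver filters on.
BANK_KEYWORDS = ["bkash", "nagad", "mygp", "16216", "26969"]
# Firebase Realtime Database hosts, the C2 pattern described in the report.
C2_HOST_RE = re.compile(r"https?://[\w.-]*-rtdb\.firebaseio\.com", re.I)
# USSD dial strings such as *NNN# or *NNN*N#.
USSD_RE = re.compile(r"^\*\d{2,4}(?:\*\d+)*#$")
# Button labels the report says the Accessibility Service taps.
BUTTON_LABELS = {"SEND", "send", "ok"}


def refang(s: str) -> str:
    """Undo the defanging used in threat reports so indicators match live strings."""
    return s.replace("hxxp", "http").replace("[.]", ".")


def classify_strings(lines):
    """Bucket each string by indicator category; a string may land in several."""
    hits = {"c2": [], "bank_keyword": [], "ussd": [], "a11y_button": []}
    for raw in lines:
        s = refang(raw.strip())
        if not s:
            continue
        if C2_HOST_RE.search(s):
            hits["c2"].append(s)
        if any(k in s.lower() for k in BANK_KEYWORDS):
            hits["bank_keyword"].append(s)
        if USSD_RE.match(s):
            hits["ussd"].append(s)
        if s in BUTTON_LABELS:
            hits["a11y_button"].append(s)
    return hits


def is_suspicious(hits: dict) -> bool:
    """A Firebase C2 plus bank keywords or USSD strings matches the report's profile."""
    return bool(hits["c2"]) and bool(hits["bank_keyword"] or hits["ussd"])


# Constructed sample of extracted strings; the C2 host is the one in the report.
SAMPLE_STRINGS = [
    "hxxps://update-app-sujon-default-rtdb[.]firebaseio.com",
    "bKash",
    "Nagad",
    "MYGP",
    "16216",
    "26969",
    "*111*1#",   # constructed placeholder USSD code
    "*222#",     # constructed placeholder USSD code
    "SEND",
    "ok",
    "android.intent.action.MAIN",
    "Scholarship Registration",
]

if __name__ == "__main__":
    h = classify_strings(SAMPLE_STRINGS)
    for category, matches in h.items():
        print(f"{category}: {matches}")
    print("suspicious:", is_suspicious(h))
```

The refang step matters in practice: indicators copied from a report are usually defanged, and a matcher that forgets to normalise them silently misses the live host.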

Variant Evolution and Detection

SikkahBot’s initial samples relied on phishing and SMS interception for financial fraud. Since September 2025, CRIL has observed enhancements incorporating Accessibility Service automation, indicating evolving tactics.

Despite its persistence since July 2024, SikkahBot’s variants maintain low detection rates on VirusTotal, underscoring the threat actors’ ability to evade traditional security measures.

SikkahBot represents a sophisticated, multi-faceted campaign targeting Bangladeshi students under the guise of scholarship assistance.

By combining phishing, SMS interception, Accessibility Service abuse, and offline USSD automation, attackers can harvest personal and financial data and execute unauthorized transactions.

The malware’s low detection profile and ongoing variant updates highlight the need for heightened mobile security controls, improved threat visibility, and proactive defense strategies.

Organizations and individuals alike should remain vigilant, scrutinize unsolicited scholarship-related downloads, and avoid granting high-risk permissions to unverified apps.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.