Beware of Fraudulent Scholarship Apps Attacking Students in Defraud Campaign

A sophisticated Android malware campaign has emerged in recent months, targeting students in Bangladesh by masquerading as legitimate scholarship applications.

Posing as the Bangladesh Education Board, these fraudulent apps promise financial aid and entice unsuspecting users to download APKs from shortened URLs.

Once installed, the malware covertly harvests personal and financial information, intercepts SMS messages, and even abuses device permissions to conduct unauthorized banking transactions.


Its low detection rate on VirusTotal suggests that threat actors behind this campaign have invested considerable effort in evading traditional security controls.

Initial distribution relies heavily on smishing campaigns, where students receive SMS links that redirect them to malicious APK hosting sites such as appsloads.top and downloadapp.website.

The lure of a scholarship application, complete with official logos and academic terminology, lowers users’ guard and increases the likelihood of installation.
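The smishing stage described above can be caught before the APK is ever installed. The following is an added example, not code from the Cyble report or the Cybernoz article: a small SMS triage function that extracts links from a message body, checks the host against the two APK hosting domains named in the text, flags direct .apk download links, and treats the scholarship lure vocabulary as a secondary signal. The lure term list and all sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# APK hosting sites named in the campaign write-up.
APK_HOSTS = {"appsloads.top", "downloadapp.website"}

# Lure vocabulary for this campaign (assumed list, extend from your own telemetry).
LURE_TERMS = ("scholarship", "education board", "stipend", "financial aid")

# Matches bare or schemed URLs such as appsloads.top/x or https://host/path.apk
URL_RE = re.compile(r"(?i)\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?")


def extract_urls(text):
    """Return URLs found in an SMS body, prefixing a scheme where it is missing."""
    urls = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw
        urls.append(raw)
    return urls


def triage_sms(text):
    """Classify one SMS body as 'block', 'review' or 'allow' with the reasons."""
    reasons = []
    lowered = text.lower()
    urls = extract_urls(text)

    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in APK_HOSTS:
            reasons.append(f"known APK hosting indicator: {host}")
        if parsed.path.lower().endswith(".apk"):
            reasons.append(f"direct APK download link: {host}{parsed.path}")

    # A scholarship lure on its own is weak; a lure plus a link deserves a look.
    if urls and any(term in lowered for term in LURE_TERMS):
        reasons.append("scholarship lure combined with a link")

    hard_hits = [r for r in reasons if r.startswith(("known", "direct"))]
    if hard_hits:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    # Constructed sample messages, not real campaign SMS texts.
    samples = [
        "Bangladesh Education Board scholarship 2024: apply now https://appsloads.top/scholarship.apk",
        "Your scholarship result is ready, see http://downloadapp.website/apply",
        "Scholarship application form: https://forms.example.org/apply",
        "Scholarship seminar on Monday at 10am in room 204",
    ]
    for sms in samples:
        verdict, why = triage_sms(sms)
        print(f"{verdict:6} {sms[:50]!r} {why}")
```

A "review" verdict is meant for a human or a second-stage check (for example, following redirects of shortened links in a sandbox) rather than an automatic block, since many legitimate institutions also send scholarship links.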

After installation, the app prompts victims to sign in via Google or Facebook and enter sensitive details including full name, department, and institute affiliation.

Cyble analysts noted that this early stage of social engineering is critical to building trust and collecting the information required for subsequent attacks.

Following credential harvesting, the malware advances to request high-risk permissions, including Accessibility Service, SMS access, overlay, and call management rights.

Researchers identified that once these permissions are granted, the app registers an SMSBroadcastReceiver to capture incoming texts containing keywords associated with major Bangladeshi banks (e.g., “bkash,” “NAGAD,” “MYGP”) and specific USSD service codes.

The intercepted messages are then forwarded to a Firebase-hosted command and control (C2) server, enabling remote attackers to coordinate further malicious activities.

Upon successful permission escalation, the malware, tracked as SikkahBot, shifts into its most dangerous phase: automated banking transactions.

Exploiting the Accessibility Service, the malware continuously monitors foreground applications and, when detecting targeted banking apps such as bKash, Nagad, or Dutch-Bangla Bank, retrieves one-time PINs from the C2 server.

A brief code snippet illustrates the process of injecting user input:

// Locate the currently focused input field in the banking app's screen
AccessibilityNodeInfo node = rootNode.findFocus(AccessibilityNodeInfo.FOCUS_INPUT);
// Package the PIN fetched from the C2 server as the text to set
Bundle args = new Bundle();
args.putCharSequence(AccessibilityNodeInfo.ACTION_ARGUMENT_SET_TEXT_CHARSEQUENCE, pin);
// Write the PIN into the field, then trigger the click as if the user had tapped it
node.performAction(AccessibilityNodeInfo.ACTION_SET_TEXT, args);
node.performAction(AccessibilityNodeInfo.ACTION_CLICK);

This routine allows automated login without user interaction.

Figure 8 – Dialing USSD code (Source – Cyble)

If banking apps are inactive, the malware executes USSD codes received from the server, filling input fields and invoking buttons labeled “SEND” or “OK” within the USSD dialog to initiate fund transfers without an active internet connection (see Figure 8 – Dialing USSD code).

Infection Mechanism and Persistence

SikkahBot’s infection mechanism is a blend of social engineering and stealthy permission abuse.

After the initial APK installation, the malware copies its APK file to a hidden directory and registers as a device administrator, ensuring that uninstallation attempts prompt administrative lock notifications.

It injects receiver components into the AndroidManifest.xml to persist across reboots, and periodically contacts the Firebase C2 endpoint at https://update-app-sujon-default-rtdb.firebaseio.com to fetch new modules.

Figure – Old vs. new variant comparison (Source – Cyble)

By abusing the Accessibility Service, the malware can re-enable its own services if they are disabled by security-conscious users.

The combination of persistent device administrator rights, manifest-declared receivers, and periodic C2 polling makes SikkahBot exceptionally resilient against removal and detection.
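The permission set requested in the second stage and the persistence mechanisms described in this section both leave traces in the AndroidManifest.xml, which is the cheapest place to triage a sideloaded APK. The following is an added example, not code from Cyble or the article: a manifest analyzer that extracts high-risk permissions, Accessibility Service declarations, SMS-receiving receivers, device-admin receivers and boot receivers, and scores the combination the text associates with SikkahBot. The sample manifest, its package name and component names are constructed for the example; the permission and action strings are standard Android identifiers.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree attribute prefix for the android: namespace

# Permissions the write-up ties to SMS interception, overlays, call/USSD handling
# and boot persistence (mapping is the example's own, not from the report).
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.SEND_SMS": "SMS interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.CALL_PHONE": "call/USSD management",
    "android.permission.ANSWER_PHONE_CALLS": "call management",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideloading",
}

# Constructed manifest resembling the capabilities described; package and
# component names are placeholders, not the real sample's values.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scholarship">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application>
        <service android:name=".AccessService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".SMSBroadcastReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".AdminReceiver"
            android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""


def analyze_manifest(xml_text):
    """Pull the capability indicators out of a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    declared = {e.get(A + "name") for e in root.iter("uses-permission")}
    report = {
        "permissions": sorted(p for p in declared if p in HIGH_RISK_PERMISSIONS),
        "accessibility_services": [],
        "sms_receivers": [],
        "device_admin_receivers": [],
        "boot_receivers": [],
    }
    for svc in root.iter("service"):
        if svc.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            report["accessibility_services"].append(svc.get(A + "name"))
    for rcv in root.iter("receiver"):
        name = rcv.get(A + "name")
        actions = {act.get(A + "name") for act in rcv.iter("action")}
        if rcv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            report["device_admin_receivers"].append(name)
        if "android.provider.Telephony.SMS_RECEIVED" in actions:
            report["sms_receivers"].append(name)
        if "android.intent.action.BOOT_COMPLETED" in actions:
            report["boot_receivers"].append(name)
    return report


def risk_level(report):
    """Accessibility + SMS capture + device admin together is the pattern described."""
    has_a11y = bool(report["accessibility_services"])
    has_sms = bool(report["sms_receivers"]) or any(
        HIGH_RISK_PERMISSIONS.get(p) == "SMS interception" for p in report["permissions"])
    has_admin = bool(report["device_admin_receivers"])
    if has_a11y and has_sms and has_admin:
        return "high"
    if has_a11y and (has_sms or has_admin):
        return "medium"
    return "low"


if __name__ == "__main__":
    rep = analyze_manifest(SAMPLE_MANIFEST)
    print(risk_level(rep), rep)
```

In practice the manifest inside an APK is binary XML; decode it first (for example with apktool or androguard) and feed the resulting text to analyze_manifest. The scoring deliberately treats an accessibility service alone as low risk, because screen readers and automation tools legitimately declare one; it is the pairing with SMS capture and device-admin rights that matches this campaign.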


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.