Malicious Android Apps Mimicking Popular Indian Banking Apps Steal Login Credentials
Attackers are weaponizing India’s appetite for mobile banking by circulating counterfeit Android apps that mimic the interfaces and icons of public-sector and private banks.
First seen in telemetry logs on 3 April 2025, the impostors spread via smishing texts, QR codes and search-engine poisoning, tricking users into sideloading the packages.
During the initial execution window, a lightweight dropper unpacks its true payload (a second APK carried in its assets directory) into the app's private storage, then launches Android's package installer behind a forged update dialog.
Cyfirma analysts noted that more than 7,000 devices attempted to contact the same Firebase Cloud Messaging (FCM) endpoint within 48 hours of discovery, underscoring the campaign’s reach.
Permission abuse is central to the scheme. REQUEST_INSTALL_PACKAGES lets the dropper hand a sideloaded APK to the system installer without going through the Play Store, READ_SMS captures OTPs, and QUERY_ALL_PACKAGES gives the trojan a panoramic view of installed apps, laying the groundwork for overlay attacks against specific banking apps.
The installed app's deceptive login UI harvests phone numbers, 4-digit MPINs and 3-digit CVVs, which are uploaded immediately to an attacker-controlled Firebase Realtime Database.
Once credentials are secured, the malware quietly diverts voice verification by dialing the USSD string *21*<attackerNumber># (the GSM code for unconditional call forwarding), so that verification calls from the bank reach the attacker instead of the victim.
Persistence is obtained through a BOOT_COMPLETED receiver and the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission, allowing the process to survive both reboots and aggressive power-management routines.
Security teams warn that such tactics can facilitate full account takeover in minutes.
Infection Mechanism
The dropper hides its secondary APK, app-release.apk, in the assets directory, copies it into private app storage and hands it to the system installer through a FileProvider URI.
The core logic fits in a few lines of Kotlin (the dropper's install routine, shown here with the imports it needs, the streams closed properly and comments added):
import android.content.Intent
import androidx.core.content.FileProvider
import java.io.File
// Copy the embedded second stage out of assets into the app's private files directory
val apk = File(filesDir, "app-release.apk")
apk.outputStream().use { out -> assets.open("app-release.apk").use { it.copyTo(out) } }
// Expose the file through the FileProvider declared in the manifest and hand it to the system installer
val uri = FileProvider.getUriForFile(this, "$packageName.provider", apk)
startActivity(Intent(Intent.ACTION_VIEW).apply {
    setDataAndType(uri, "application/vnd.android.package-archive")
    addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION)
    putExtra("INSTALL_NOW", true) // not an extra the stock installer honours; the user still sees the prompt
})
INSTALL_NOW is not an extra the stock Android PackageInstaller honours, so the install still depends on the victim approving the installer prompt, which the dropper dresses up as an update dialog. Once installed, the payload masks itself by declaring only an INFO-category activity and no LAUNCHER one, so no launcher icon appears.
On boot, AutostartHelper re-enables the services, while a SubscriptionManager call maps active SIM slots to phone numbers, ensuring every intercepted SMS is tagged with the correct SIM before it is exfiltrated as JSON through FCM.
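The permission and persistence indicators above (REQUEST_INSTALL_PACKAGES, READ_SMS, QUERY_ALL_PACKAGES, the BOOT_COMPLETED receiver, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS) and the installer-plus-hidden-activity pattern of the infection mechanism can all be read straight out of a decoded AndroidManifest.xml. The following is an added triage script written for this page, not code from the article, from Cyfirma or from the malware: it parses a decoded manifest with Python's standard library and lists which of those indicators the package declares. The two sample manifests, the package names com.example.fakebank and com.example.notes, the score thresholds and the inclusion of CALL_PHONE (which dialing the USSD string through ACTION_CALL requires) are assumptions made for the example.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # parsed form of the android: attribute prefix

# Permission -> the role the article assigns it. CALL_PHONE is an assumption:
# placing the *21* USSD call through ACTION_CALL requires it.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "hand a sideloaded APK to the installer",
    "android.permission.READ_SMS": "read OTP messages",
    "android.permission.QUERY_ALL_PACKAGES": "enumerate installed banking apps for overlays",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "survive Doze and battery killers",
    "android.permission.CALL_PHONE": "dial the USSD call-forwarding code",
}
LAUNCHER = "android.intent.category.LAUNCHER"
INFO = "android.intent.category.INFO"
BOOT = "android.intent.action.BOOT_COMPLETED"


def triage_manifest(xml_text: str) -> dict:
    """Return package name, human-readable findings, a score and a verdict."""
    root = ET.fromstring(xml_text)
    findings = []

    declared = {p.get(A + "name") for p in root.iter("uses-permission")}
    for perm, role in RISKY_PERMISSIONS.items():
        if perm in declared:
            findings.append(f"permission {perm}: {role}")

    app = root.find("application")
    if app is not None:
        # Hidden app: some activity carries CATEGORY_INFO but none carries LAUNCHER.
        cats = {c.get(A + "name") for act in app.iter("activity") for c in act.iter("category")}
        if INFO in cats and LAUNCHER not in cats:
            findings.append("activity declares CATEGORY_INFO and no LAUNCHER: no home-screen icon")

        # Persistence: a receiver wired to BOOT_COMPLETED.
        for rcv in app.iter("receiver"):
            actions = {a.get(A + "name") for a in rcv.iter("action")}
            if BOOT in actions:
                findings.append(f"receiver {rcv.get(A + 'name')} restarts on BOOT_COMPLETED")

        # Dropper plumbing: a FileProvider plus the right to trigger installs.
        for prov in app.iter("provider"):
            name = prov.get(A + "name") or ""
            if name.endswith("FileProvider") and "android.permission.REQUEST_INSTALL_PACKAGES" in declared:
                findings.append(f"FileProvider {prov.get(A + 'authorities')} + REQUEST_INSTALL_PACKAGES: dropper pattern")

    score = len(findings)  # thresholds below are an assumption, not a published scoring scheme
    verdict = "high" if score >= 5 else "medium" if score >= 2 else "low"
    return {"package": root.get("package"), "findings": findings, "score": score, "verdict": verdict}


# Constructed sample: roughly what a decoded manifest of the dropper described above could look like.
DROPPER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Bank Secure">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.INFO"/>
      </intent-filter>
    </activity>
    <receiver android:name=".AutostartHelper" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name="androidx.core.content.FileProvider"
        android:authorities="com.example.fakebank.provider" android:exported="false"/>
  </application>
</manifest>"""

# Constructed control: an ordinary app with a launcher icon and no sensitive permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    # Usage: python triage.py decoded/AndroidManifest.xml (defaults to the constructed dropper sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else DROPPER_MANIFEST
    report = triage_manifest(text)
    print(report["package"], report["verdict"], f"({report['score']} indicators)")
    for line in report["findings"]:
        print(" -", line)
```

Run it against the manifest produced by `apktool d` or `apkanalyzer manifest print` for a suspect APK; on the constructed dropper sample it reports nine indicators and a "high" verdict, on the control app none. The checks are deliberately limited to what is visible in the manifest, so a sample that requests the same permissions at runtime through other means, or that hides its activity with a different trick, needs dynamic analysis as well.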