New Android Malware Mimics SBI Card, Axis Bank Apps to Steal Users' Financial Data


A sophisticated new Android malware campaign has emerged targeting Indian banking customers through convincing impersonations of popular financial applications.

The malicious software masquerades as legitimate apps from major Indian financial institutions, including SBI Card, Axis Bank, IndusInd Bank, ICICI Bank, and Kotak, deceiving users into sideloading fake applications that steal sensitive financial information.

The malware operates through carefully crafted phishing websites that closely replicate official banking portals, incorporating authentic visual elements and branding to establish credibility.


Phishing website (Source – McAfee)

These fraudulent sites feature prominent “Get App” and “Download” buttons that prompt unsuspecting users to install malicious APK files, distributed outside Google Play, that are disguised as official banking applications.

The campaign specifically targets Hindi-speaking users across India, leveraging cultural and linguistic familiarity to enhance its deceptive effectiveness.

McAfee researchers identified this threat as particularly dangerous due to its dual-purpose architecture that combines traditional banking fraud with cryptocurrency mining capabilities.

The malware not only harvests personal and financial data but also silently mines Monero cryptocurrency on infected devices, maximizing the attackers’ financial gains from each compromised device.

What distinguishes this campaign from conventional banking trojans is its sophisticated evasion mechanisms and remote activation capabilities.

Upon installation, the malware presents users with a fake Google Play Store interface suggesting an app update is required.

Initial screen shown by the dropper app (Source – McAfee)

This deceptive tactic builds user confidence while the malware prepares its malicious payload.

Advanced Payload Delivery and Execution Mechanism

The malware employs a two-stage payload delivery system designed to evade static analysis and signature-based detection.

Initially functioning as a dropper, the application stores an encrypted DEX file within its assets folder; this file is the first-stage loader.

The stored payload is obfuscated with XOR, so the file as it sits on disk matches no signature for the loader code, even though the app itself must carry the key needed to undo the obfuscation at runtime.

The first-stage loader decrypts and dynamically loads a second encrypted file containing the actual malicious payload.

This layered approach ensures that no clearly malicious code appears in the main APK's classes.dex, complicating forensic analysis and automated detection systems that only inspect the code shipped in the package.
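The stored-loader trick described above is also the analyst's way in: every DEX file begins with the magic `dex\n03x\0`, so a few bytes of known plaintext recover a short repeating XOR key and let a triage script decrypt and validate the hidden stage without running the app. The following is an added example written for this article, not McAfee's code or a sample from the campaign. It assumes a repeating XOR key of one to six bytes (the article does not state the key length) and builds its own constructed APK in memory, with a fake DEX header and a decoy asset, so it runs offline.

```python
import io
import struct
import zipfile

DEX_KNOWN_PREFIX = b"dex\n03"   # fixed bytes of every DEX magic ("dex\n03x\0", x in 5..9)
DEX_HEADER_SIZE = 0x70          # header_size field of every DEX header
DEX_ENDIAN_TAG = 0x12345678     # endian_tag field of every little-endian DEX
MAX_KEY_LEN = 6                 # bounded by the 6 known-plaintext bytes above (assumption)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_dex_xor_key(blob: bytes):
    """Known-plaintext attack on an XOR-obfuscated DEX file.

    Derives a candidate key of each length from the fixed magic bytes, then
    verifies it on header fields the derivation never touched (rest of the
    magic, header_size, endian_tag). Returns the key, or None if blob is not
    an XOR-obfuscated DEX under a key of at most MAX_KEY_LEN bytes.
    """
    if len(blob) < DEX_HEADER_SIZE:
        return None
    for klen in range(1, MAX_KEY_LEN + 1):
        key = bytes(blob[i] ^ DEX_KNOWN_PREFIX[i] for i in range(klen))
        header = xor_bytes(blob[:DEX_HEADER_SIZE], key)
        if not header.startswith(DEX_KNOWN_PREFIX):
            continue
        if not (0x35 <= header[6] <= 0x39 and header[7] == 0):   # "5".."9", NUL
            continue
        header_size, endian_tag = struct.unpack_from("<II", header, 0x24)
        if header_size == DEX_HEADER_SIZE and endian_tag == DEX_ENDIAN_TAG:
            return key
    return None


def find_xor_dex_assets(apk_bytes: bytes):
    """Scan assets/ inside an APK (a zip) for XOR-obfuscated DEX payloads.

    Returns a list of (asset name, key as hex, DEX version string).
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.startswith("assets/") or name.endswith("/"):
                continue
            blob = apk.read(name)
            key = recover_dex_xor_key(blob)
            if key is not None:
                version = xor_bytes(blob[:8], key)[4:7].decode()
                hits.append((name, key.hex(), version))
    return hits


def build_sample_apk(key: bytes = b"\x5a\xa7\x13") -> bytes:
    """Constructed test input, not a real sample: a minimal APK whose assets/
    holds a fake DEX header XOR-obfuscated with `key`, plus a benign decoy."""
    header = bytearray(DEX_HEADER_SIZE)
    header[0:8] = b"dex\n035\0"
    struct.pack_into("<I", header, 0x20, DEX_HEADER_SIZE)   # file_size
    struct.pack_into("<I", header, 0x24, DEX_HEADER_SIZE)   # header_size
    struct.pack_into("<I", header, 0x28, DEX_ENDIAN_TAG)    # endian_tag
    fake_dex = bytes(header) + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("assets/fonts.bin", xor_bytes(fake_dex, key))          # hidden loader
        apk.writestr("assets/strings.json", b'{"title": "Update required"}')  # decoy
    return buf.getvalue()


if __name__ == "__main__":
    for name, key_hex, version in find_xor_dex_assets(build_sample_apk()):
        print(f"{name}: XOR key {key_hex}, decrypts to DEX {version}")
```

Against a real APK, replace `build_sample_apk()` with the file's bytes; a hit means the asset can be decrypted with `xor_bytes` and handed to a DEX disassembler, and the recovered key is a usable detection artifact for that build of the dropper. Longer or non-repeating keys need more known plaintext (the `header_size` and `endian_tag` fields are the next candidates) or the key extracted from the loader's own decrypt routine.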

Fake card verification screen (Source – McAfee)

Once the final payload executes, it presents victims with convincing fake banking interfaces that capture sensitive information including card numbers, CVV codes, and personal details.

The cryptocurrency mining functionality is controlled remotely through Firebase Cloud Messaging (FCM): a push message from the attackers' backend triggers mining with the XMRig software, so an infected device shows no mining activity until the operators choose to start it.

The malware downloads encrypted mining binaries from hardcoded URLs and executes them using ProcessBuilder, generating Monero cryptocurrency while remaining largely undetected on infected devices.


