Info-stealing Android malware masquerading as banking rewards apps; targeting Indian banks’ customers

Microsoft's investigation of a new version of a previously reported info-stealing Android malware has demonstrated the continuous evolution of mobile threats and the need to protect mobile devices.

This new version, masquerading as a banking rewards app, has additional remote access trojan (RAT) capabilities and is currently being used to target customers of Indian banks.

According to the Microsoft 365 Defender Research Team, the malware is delivered through an SMS campaign, which sends out messages containing a malicious link that leads to installing a malicious APK on a target’s mobile device. To lure users into accessing the link, the SMS claims that the user is being notified to claim a reward from a known Indian bank.

Microsoft's investigation focused on icici_rewards.apk (package name: com.example.test_app), which presents itself as ICICI Rewards. When a user interacts, it displays a splash screen with the bank logo and asks the user to enable permissions - text messaging, contacts and device - for the app.

Once the permissions are granted, the fake app asks for credit card information. The app then displays another fake screen with further instructions to add to its legitimacy once users supply the information needed.

The malware also enabled an infected device’s silent mode, allowing attackers to catch 2FA messages undetected, further facilitating information theft.

The malware's wider SMS stealing capabilities might allow attackers to the stolen data to further steal from a user's other banking apps. Its ability to intercept one-time passwords (OTPs) sent over SMS thwarts the protections provided by banks' two-factor authentication mechanisms, which users and institutions rely on to keep their transactions safe. Its use of various banking and financial organizations’ logos could also attract more targets in the future, the Microsoft security researchers noted.

Mitigation

Microsoft recommends these steps to protect your devices from fake apps and malware:

• Avoid clicking on unknown links received in SMS messages, emails, or messaging apps.
• Seek your bank’s support or advice on digital options for your bank.
• Download and install banking applications only from official app stores.
• Android device users can keep the Unknown sources option disabled to stop app installation from unknown sources.
• Use mobile solutions such as Microsoft Defender for Endpoint on Android to detect malicious applications.