KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft

MITRE Techniques

• [T1660 ] Phishing – Used to socially engineer victims into installing the APK and entering credentials (‘masquerading as a “Banking KYC” verification service’).
• [T1541 ] Foreground Persistence – Maintains persistent execution and resists termination by requesting battery optimization exemption and WAKE_LOCK (‘Requests battery optimization exemption’ / ‘Uses WAKE_LOCK for continuous background operation’).
• [T1603 ] Scheduled Task/Job – Implements persistent background tasks and periodic heartbeat/ping messages to the C2 (‘Ping Response / Heartbeat (Connection Keep-Alive)’ and periodic sendLog PONG messages).
• [T1628 ] Hide Artifacts – Conceals components and reduces visibility by hiding the final payload from the launcher (‘Final payload hidden from launcher to reduce visibility’).
• [T1628.002 ] Hide Artifacts: User Evasion – Omits LAUNCHER category and suppresses UI presence to evade user detection (‘The application’s main activity … intentionally omits the LAUNCHER category’).
• [T1406 ] Obfuscated Files or Information – Uses XOR-based runtime decryption and native .so storage to obfuscate payloads and config (‘Embedded encrypted payload is decrypted at runtime using XOR-based logic’ / ‘Sensitive logic stored inside libnative-lib.so’).
• [T1417 ] Input Capture – Staged WebView phishing interfaces capture credentials and personal data (‘WebView-based phishing … prompts users to enter sensitive information such as mobile number and ATM PIN’).
• [T1414 ] Input Capture – Captures input via WebView and staged phishing screens for multiple sensitive fields (‘Multi-stage credential harvesting: Mobile number and ATM PIN; Aadhaar number and date of birth; Card details including number, expiry, CVV, and PIN’).
• [T1636.004 ] Protected User Data: SMS Messages – Intercepts and forwards incoming SMS and performs full inbox extraction (‘SMS interception and forwarding in real time’ / ‘Full SMS inbox extraction capability’).
• [T1636.002 ] Protected User Data: Call log – Collects and abuses call-related data and control capabilities (‘Remote SMS sending and call initiation’ / ‘Call control operations’).
• [T1616 ] Call Control – Initiates calls and manipulates call forwarding via USSD and TelecomManager.placeCall() (‘Remote initiation of voice calls’ / ‘Call Forwarding Control (USSD Execution)’).
• [T1418 ] Software Discovery – Queries installed packages and checks for the presence of the secondary payload (‘Within its manifest, the application explicitly queries for the package com.am5maw3.android’).
• [T1426 ] System Information Discovery – Gathers device identifiers and status for telemetry and heartbeat messages (‘device_id, timestamps, and event metadata’ and battery level collection for PONG messages).
• [T1422 ] Internet Connection Discovery – Implements full-tunnel VPN and inspects network state to control connectivity and evade cloud checks (‘Full-tunnel VPN configuration (10.0.0.2)’ / ‘Routes all device traffic through an application-controlled layer’).
• [T1437 ] Application Layer Protocol – Uses HTTP POST to exfiltrate structured JSON data to C2 endpoints (‘HTTP POST exfiltration to jsonapi[.]biz’).
• [T1437.001 ] Application Layer Protocol: Web Protocols – Employs web protocols (HTTPS) for command and data transport to backend (‘https://jsonapi.biz’ used for API communication and exfiltration).
• [T1521 ] Encrypted Channel – Encrypts collected data locally before transmission to the C2 (‘All collected data encrypted locally before transmission’).
• [T1481 ] Web Services – Uses backend web services for storage and command coordination (structured logging and remote command delivery via Firebase and jsonapi[.]biz) (‘Structured logging with device ID, timestamps, and event metadata’).
• [T1646 ] Exfiltration Over C2 Channel – Exfiltrates harvested credentials and logs via encrypted POSTs to the C2 domain (‘The final encrypted payload is then sent asynchronously via POST to the resolved API path for log exfiltration’).