ANDROID MALWARE POSING AS INDIAN BANK APPS

This Android malware poses as legitimate Indian banking apps to steal credentials, intercept SMS, and carry out unauthorized financial activity using stealth and persistence techniques. It abuses Android permissions, uses Firebase for command-and-control, and presents phishing interfaces to deceive users. #AndroidBankingMalware #FirebaseC2 #CredentialTheft

Key points

  • The malware uses a modular architecture with a dropper and main payload, requesting sensitive Android permissions to enable reconnaissance, silent installation, and persistence.
  • It abuses permissions such as REQUEST_INSTALL_PACKAGES to silently install secondary payloads and hides its main activity to evade detection.
  • The main payload steals credentials, intercepts and exfiltrates SMS messages, collects debit card information, and abuses call forwarding for unauthorized remote control.
  • Firebase Realtime Database and Cloud Messaging serve as command-and-control infrastructure: the malware receives commands and exfiltrates stolen data over Firebase's encrypted transport.
  • The malware employs social engineering techniques including fake update popups, phishing pages mimicking banking apps, and permission abuse to trick users into installation and granting privileges.
  • Delivery methods include smishing, phishing emails, fake app stores, malvertising, Trojan droppers, QR/NFC attacks, and exploitation of Android vulnerabilities like CVE-2025-27363.
  • Recommendations include enforcing mobile app security regulations, enhancing threat intelligence filtering at ISP levels, deploying mobile EDR solutions, and restricting APK installations from unknown sources.

MITRE Techniques

  • [T1476] Deliver Malicious App via Other Means – The malware is delivered via social engineering and phishing campaigns impersonating banking apps.
  • [T1204.002] User Execution: Malicious File – Victims are tricked into executing the dropper by fake update popups.
  • [T1409] Install Insecure or Malicious App – The dropper requests REQUEST_INSTALL_PACKAGES permission to silently install the main payload.
  • [T1547.001] Boot or Logon Autostart Execution – Persistence is achieved via an AutostartHelper class that restarts the app on device boot.
  • [T1406] Broadcast Receivers – Used to monitor system events and maintain persistence.
  • [T1414] Input Capture – Credential harvesting modules capture banking credentials and debit card details through phishing interfaces.
  • [T1421] Capture SMS Messages – The malware intercepts incoming SMS for OTPs and 2FA codes.
  • [T1402] Broadcast Receivers – Employed for collecting SMS and system events.
  • [T1409] Access Stored Application Data – The app accesses and stores local data persistently.
  • [T1424] Process Discovery – Used to gather system information.
  • [T1426] System Information Discovery – The malware collects phone state and SIM information for profiling.
  • [T1437] Application Layer Protocol – Firebase Realtime Database used for command and control communication.
  • [T1573] Encrypted Channel – Command traffic and data exfiltration travel over encrypted Firebase channels.
  • [T1407] Download, Install, or Load Code from Remote Sources – Secondary payloads are loaded and installed remotely.
  • [T1445] Hide Application Icon from App Launcher – The main payload hides its app icon to evade user detection.
  • [T1496] Resource Hijacking – Abuse of call forwarding and SMS sending for malicious control.
  • [T1430] Exfiltration Over Alternative Protocol – Data exfiltrated via Firebase cloud services.

Indicators of Compromise

  • [File Hash] Malicious APKs – ee8e4415eb568a88c3db36098b7ae8019f4efe565eb8abd2e7ebba1b9fb1347d (dropper), 131d6ee4484ff3a38425e4bc5d6bd361dfb818fe2f460bf64c2e9ac956cfb13d (main payload)
  • [Firebase Configuration] Command and Control – Firebase API keys, sender IDs, app IDs embedded in malware for C2 communication
  • [File Names] Banking app phishing pages – activity_finalscreen.xml, activity_debit.xml, activity_customer.xml, activity_account.xml
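The following triage helper is an added example, not code from the CYFIRMA report: it checks a decoded APK (as produced by `apktool d`) against the behaviours and indicators summarised above, namely the permission cluster around REQUEST_INSTALL_PACKAGES and SMS access, broadcast receivers for SMS and boot, an embedded Firebase client configuration, the phishing layout names, and the two published hashes. The permission names, intent actions and Firebase resource keys are standard Android/Firebase identifiers; the weights, the threshold and the sample manifest are this example's own constructions.

```python
import hashlib
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace
KNOWN_SHA256 = {  # SHA-256 hashes published in the report
    "ee8e4415eb568a88c3db36098b7ae8019f4efe565eb8abd2e7ebba1b9fb1347d": "dropper",
    "131d6ee4484ff3a38425e4bc5d6bd361dfb818fe2f460bf64c2e9ac956cfb13d": "main payload",
}
RISKY_PERMISSIONS = {  # weights are this example's own choice, not from the report
    "android.permission.REQUEST_INSTALL_PACKAGES": 3, "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2, "android.permission.SEND_SMS": 2,
    "android.permission.CALL_PHONE": 1, "android.permission.READ_PHONE_STATE": 1,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
}
RECEIVER_ACTIONS = {"android.provider.Telephony.SMS_RECEIVED": "SMS interception",
                    "android.intent.action.BOOT_COMPLETED": "boot persistence"}
FIREBASE_KEYS = {"google_api_key", "gcm_defaultSenderId", "google_app_id", "firebase_database_url"}
PHISHING_LAYOUTS = {"activity_finalscreen.xml", "activity_debit.xml",
                    "activity_customer.xml", "activity_account.xml"}

def triage(manifest_xml, strings_xml, layout_files, apk_bytes=b""):
    """Return (score, findings); a score of 8 or more is this example's flag threshold."""
    hits = []  # (finding, weight) pairs
    tag = KNOWN_SHA256.get(hashlib.sha256(apk_bytes).hexdigest())
    if tag:
        hits.append((f"SHA-256 matches known {tag}", 10))
    manifest = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in manifest.iter("uses-permission")}
    hits += [("permission " + p.rsplit(".", 1)[1], w) for p, w in RISKY_PERMISSIONS.items() if p in perms]
    # Receivers wired to SMS_RECEIVED / BOOT_COMPLETED match the SMS theft and autostart behaviour
    actions = {a.get(A + "name") for r in manifest.iter("receiver") for a in r.iter("action")}
    hits += [(f"receiver for {a.rsplit('.', 1)[1]} ({m})", 2) for a, m in RECEIVER_ACTIONS.items() if a in actions]
    names = {s.get("name") for s in ET.fromstring(strings_xml).iter("string")}
    if names & FIREBASE_KEYS:  # google-services generated keys point at a Firebase project
        hits.append(("Firebase client config in strings.xml", 2))
    layouts = PHISHING_LAYOUTS & set(layout_files)
    if layouts:
        hits.append(("phishing layouts: " + ", ".join(sorted(layouts)), 3))
    return sum(w for _, w in hits), [f for f, _ in hits]

# Constructed sample input for demonstration; not taken from the real samples
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
 <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
 <uses-permission android:name="android.permission.RECEIVE_SMS"/>
 <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
 <application><receiver android:name=".SmsReceiver"><intent-filter>
  <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver></application></manifest>"""
SAMPLE_STRINGS = '<resources><string name="gcm_defaultSenderId">000000000000</string></resources>'
BENIGN_MANIFEST = '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.ok"><uses-permission android:name="android.permission.INTERNET"/></manifest>'
```

Legitimate app stores and banking apps with SMS autofill will also score on single indicators, so treat the score as a triage prioritiser rather than a verdict.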


Read more: https://www.cyfirma.com/research/android-malware-posing-as-indian-bank-apps/