A mobile malware campaign targeting Indian bank users has been identified, consisting of nearly 900 samples that exploit Android devices. The malware employs advanced techniques including SMS interception and phishing to steal sensitive financial information. Zimperiumβs detection engine identified significant vulnerabilities, including the exposure of over 2.5GB of sensitive data from unsecured Firebase storage. Affected: Indian financial institutions, mobile banking users
Keypoints :
- The malware campaign targets Indian banking customers through WhatsApp-distributed APK files.
- It uses techniques like SMS interception to steal OTPs and sensitive financial details.
- Over 900 malware samples have been identified, displaying common coding patterns.
- Exposure of 2.5GB of sensitive data impacting approximately 50,000 users due to misconfigured Firebase buckets.
- The malware is categorized as Trojan Bankers designed for financial theft.
- Three main variants of the malware were identified: SMS Forwarding, Firebase-Exfiltration, and Hybrid.
- The campaign signals an increase in digital fraud linked to mobile banking in India.
- Zimperium offers robust security solutions to combat such advanced threats.
MITRE Techniques :
- Initial Access (T1660) β Phishing: Malware distributed via phishing methods to gain access to devices.
- Persistence (T1624.001) β Event Triggered Execution: Broadcast Receivers: Uses broadcast receivers to monitor SMS events.
- Credential Access (T1417.002) β Input Capture: GUI Input Capture: Captures user interface elements for sensitive data entry.
- Credential Access (T1635) β Steal Application Access Token: Steals OTPs from victims.
- Discovery (T1426) β System Information Discovery: Collects device information such as androidID.
- Collection (T1417.002) β Input Capture: GUI Input Capture: Gathers UI information.
- Collection (T1636.003) β Protected User Data: Contact List: Exfiltrates deviceβs contact list.
- Collection (T1636.004) β Protected User Data: SMS Messages: Captures incoming OTP SMS messages.
- Command and Control (T1637) β Dynamic Resolution: Receives dynamic payloads from the server.
- Command and Control (T1481.002) β Web Service: Bidirectional Communication: Uses websockets for server communication.
- Exfiltration (T1639.001) β Exfiltration Over Alternative Protocol: Transfers stolen credentials through non-C2 protocols.
- Impact (T1516) β Input Injection: Uses overlays to mimic banking apps and steal credentials.
- Impact (T1582) β SMS Control: Reads and sends SMS messages.
Indicator of Compromise :
- No IoCs Found
Full Story: https://zimperium.com/blog/mobile-indian-cyber-heist-fatboypanel-and-his-massive-data-breach