SikkahBot is an Android malware active since July 2024 that impersonates the Bangladesh Education Board to phish students, harvest personal and payment data, and gain high-risk permissions to perform automated banking fraud. It intercepts bank-related SMS, abuses Accessibility Service and USSD flows to execute unauthorized transactions and communicates with Firebase-based C2 servers. #SikkahBot #BKash
Key points
- SikkahBot impersonates the Bangladesh Education Board and lures students with fake scholarship apps distributed via shortened links and malicious APK download sites.
- Upon installation the app collects personal details and payment information (wallet number, PIN, payment type) through phishing-style forms.
- The malware requests and abuses high-risk permissions including Accessibility Service, SMS access, call management, and overlay permissions to gain deep control of infected devices.
- SikkahBot registers an SMS broadcast receiver to capture bank-related SMS messages (e.g., bKash, NAGAD) and forwards them to attacker-controlled Firebase endpoints.
- It abuses the Accessibility Service to autofill PINs in targeted banking apps (bKash, Nagad, Dutch-Bangla Bank) using PINs retrieved from Firebase, and executes automated USSD-based transactions when the banking apps are not in use.
- The campaign uses Firebase-hosted C2/exfiltration endpoints (update-app-sujon-default-rtdb[.]firebaseio[.]com and others) and maintains low detection on VirusTotal across multiple samples.
- Newer variants show enhanced automation and continued development, raising the threat for identity theft and financial fraud against students in Bangladesh.
MITRE Techniques
- [T1660] Phishing – Malware is distributed via phishing sites and shortened links that redirect to malicious APK download URLs: ‘distributed via short links that redirect victims to malicious download URLs, which we suspect are being circulated via smishing attacks.’
- [T1655.001] Masquerading: Match Legitimate Name or Location – Malware pretends to be legitimate Bangladesh Education Board applications to deceive students: ‘SikkahBot… poses as the Bangladesh Education Board to harvest banking information.’
- [T1516] Input Injection – Malware mimics user interaction to perform clicks, input data, and autofill fields via Accessibility Service to automate transactions: ‘Malware can mimic user interaction, perform clicks and various gestures, and input data.’
- [T1636.004] Protected User Data: SMS Messages – Registers an SMS broadcast receiver to monitor and collect incoming SMS messages containing bank keywords and forwards them to attacker servers: ‘If an incoming SMS contains any of these keywords, the message is captured and forwarded to the attacker’s server.’
- [T1437.001] Application Layer Protocol: Web Protocols – Uses Firebase web endpoints (FCM/Realtime DB) for command-and-control and retrieving transaction data: ‘It retrieves a PIN from the Firebase server… forwarded to the attacker’s server at hxxps://update-app-sujon-default-rtdb[.]firebaseio[.]com.’
- [T1646] Exfiltration Over C2 Channel – Exfiltrates collected SMS and possibly other data over the malware’s C2 channels hosted on Firebase: ‘the message is captured and forwarded to the attacker’s server…’
Indicators of Compromise
- [URL] Malicious download URLs and APKs – hxxps://downloadapp[.]website/tyup[.]apk, hxxps://appsloads[.]top/govt[.]apk
- [URL shorteners] Shortened distribution links used in the campaign – hxxps://bit[.]ly/Sikkahbord, hxxps://bit[.]ly/Education-2025
- [SHA256] Malicious APK file hashes – a808219e6f4b5f8fb42635e070174d43d5a9314c1b45dcc3434ee106582bbdf8, c75aa842bdd107cc6483b4a119cf4b008abc745dcd04f06e39e60579798d7581 (and many more hashes)
- [URL] Attacker Firebase C2 endpoints – hxxps://update-app-sujon-default-rtdb[.]firebaseio[.]com, hxxps://smsrecived-3d4ed-default-rtdb[.]firebaseio[.]com
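The capability combination described in the key points (SMS interception, an Accessibility Service, call/USSD and overlay permissions) and the Firebase C2 hosts listed above translate directly into static-triage and log-hunting checks. The following Python script is an added example written for this summary, not code from Cyble or from the malware; it parses a decoded AndroidManifest.xml for that permission/component pattern and scans text lines (proxy or DNS logs, or strings dumped from an APK) for the page's defanged indicators. The sample manifest, package names and log lines are constructed for illustration, and the generic `*-default-rtdb.firebaseio.com` match is a heuristic assumption added here, not an indicator from the report.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the write-up associates with SikkahBot's control of the device
HIGH_RISK_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (bank notifications, OTPs)",
    "android.permission.READ_SMS": "read the SMS inbox",
    "android.permission.CALL_PHONE": "place calls, including USSD dial strings",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Defanged indicators copied from the page; refanged in memory only for matching
PAGE_IOCS = [
    "hxxps://update-app-sujon-default-rtdb[.]firebaseio[.]com",
    "hxxps://smsrecived-3d4ed-default-rtdb[.]firebaseio[.]com",
    "hxxps://downloadapp[.]website/tyup[.]apk",
    "hxxps://appsloads[.]top/govt[.]apk",
]
# Heuristic (assumption, not from the page): any Firebase Realtime Database host
FIREBASE_RTDB = re.compile(r"[a-z0-9-]+-default-rtdb\.firebaseio\.com", re.I)


def refang(ioc):
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def ioc_hosts():
    """Host part of every page indicator, refanged."""
    return {refang(i).split("://", 1)[1].split("/", 1)[0] for i in PAGE_IOCS}


def assess_manifest(manifest_xml):
    """Return findings for the permission/component pattern the report describes."""
    root = ET.fromstring(manifest_xml)
    findings = []
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    for perm, why in HIGH_RISK_PERMISSIONS.items():
        if perm in declared:
            findings.append(f"permission {perm}: {why}")
    app = root.find("application")
    if app is None:
        return findings
    for svc in app.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND:
            findings.append(f"accessibility service {svc.get(ANDROID_NS + 'name')}: "
                            "can read screens and inject input")
    for rcv in app.iter("receiver"):
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        if SMS_RECEIVED in actions:
            findings.append(f"receiver {rcv.get(ANDROID_NS + 'name')}: listens for SMS_RECEIVED")
    return findings


def verdict(findings):
    """'high' when SMS capture, accessibility input and call/overlay control co-occur."""
    text = " ".join(findings)
    sms = "SMS" in text
    a11y = "accessibility" in text
    control = "CALL_PHONE" in text or "SYSTEM_ALERT_WINDOW" in text
    return "high" if (sms and a11y and control) else ("review" if findings else "none")


def find_c2_references(lines):
    """Scan text lines for known page IoC hosts, then for generic Firebase RTDB hosts.
    Returns (line_number, host, reason) tuples."""
    known = ioc_hosts()
    hits = []
    for n, line in enumerate(lines, 1):
        for host in known:
            if host in line:
                hits.append((n, host, "known SikkahBot IoC"))
                break
        else:
            m = FIREBASE_RTDB.search(line)
            if m:
                hits.append((n, m.group(0).lower(),
                             "Firebase RTDB host (heuristic; legitimate apps use these too)"))
    return hits


# Constructed sample manifest mirroring the reported permission/component mix
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scholarship">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Education Board">
    <service android:name=".AccessService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed proxy log lines (hosts refanged from the page's IoCs)
SAMPLE_LOG = [
    "2025-08-01T10:02:11Z client=10.0.0.7 host=update-app-sujon-default-rtdb.firebaseio.com method=PUT",
    "2025-08-01T10:02:15Z client=10.0.0.7 host=www.example.org method=GET",
    "2025-08-01T10:03:40Z client=10.0.0.9 host=myapp-default-rtdb.firebaseio.com method=GET",
    "2025-08-01T10:05:02Z client=10.0.0.7 host=appsloads.top path=/govt.apk method=GET",
]

if __name__ == "__main__":
    f = assess_manifest(SAMPLE_MANIFEST)
    print("\n".join(f), "\nverdict:", verdict(f))
    for hit in find_c2_references(SAMPLE_LOG):
        print(hit)
```

The manifest check deliberately reports the individual capabilities and only escalates to "high" when all three families co-occur, since each permission alone is common in legitimate apps; the Firebase pattern is likewise flagged for review rather than blocked, because many benign apps use Realtime Database hosts and only the specific hosts on this page are indicators.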
Read more: https://cyble.com/blog/sikkahbot-malware-defrauds-students-in-bangladesh/