A coordinated cyberattack targeting Indian bank users has been uncovered, exposing the personal and financial data of approximately 50,000 individuals.
Researchers at Zimperium zLabs identified nearly 900 malware samples in a campaign designed to steal Aadhaar and PAN card details, ATM PINs, and mobile banking credentials.
The malware primarily targets Android devices and is distributed through WhatsApp as APK files disguised as legitimate banking or government applications.
Data Exposure
Once installed, the malicious apps trick users into providing sensitive information by mimicking official interfaces.
The malware also abuses the SMS permissions it requests at install time to read incoming one-time passwords (OTPs), which lets the attackers complete transactions the victim never authorized.
Unlike the usual approach of forwarding intercepted messages to a server, the campaign relays them to live attacker-controlled phone numbers; those numbers are registered with carriers, which leaves a traceable trail for investigators.
Over 1,000 phone numbers linked to this operation have been identified and shared with authorities.
The attackers also utilized Firebase storage buckets to exfiltrate stolen data.
Researchers discovered 222 unsecured Firebase endpoints containing 2.5GB of sensitive information, including bank details, SMS messages, and government-issued identification documents.
This data was readable by anyone on the internet because the endpoints enforced no authentication.
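The exposure described above comes down to a Firebase database that answers unauthenticated reads. The following is an added example, not Zimperium's tooling, that shows how an investigator can confirm such an exposure without downloading the victims' data, and how a Firebase administrator can audit a rules document for the setting that causes it. It assumes the exposed endpoints are Firebase Realtime Database instances (Cloud Storage buckets respond differently); the host name, HTTP responses and rules documents below are constructed for the example.

```python
"""Firebase Realtime Database exposure check and rules audit.

Added example; not code from Zimperium or from the campaign.  Assumes the
endpoints are Realtime Database hosts.  Sample responses and rules below
are constructed, not captured from a real incident.
"""
import json
import urllib.error
import urllib.request


def probe_url(db_host):
    # shallow=true returns only the top-level keys, so the probe confirms
    # exposure without pulling the stored records.
    return "https://%s/.json?shallow=true" % db_host


def classify_probe(status, body):
    """Map the HTTP status and body returned for probe_url() to a verdict."""
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "unexpected"
        # A database with no rules restriction returns its keys (or null if empty).
        return "open" if data not in (None, {}) else "open_but_empty"
    if status == 401:
        # Rules denying the read produce {"error": "Permission denied"}.
        try:
            err = json.loads(body).get("error", "")
        except (ValueError, AttributeError):
            err = ""
        return "locked" if "Permission denied" in err else "unexpected"
    if status == 404:
        return "not_found"
    return "unexpected"


def probe(db_host, timeout=10):
    """Live check against a host you own or are authorized to assess."""
    req = urllib.request.Request(
        probe_url(db_host), headers={"User-Agent": "firebase-exposure-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return classify_probe(e.code, e.read().decode("utf-8", "replace"))


def public_read_paths(rules):
    """Return every path in a rules document whose '.read' is unconditionally true."""
    found = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        r = node.get(".read")
        if r is True or (isinstance(r, str) and r.strip().lower() == "true"):
            found.append(path or "/")
        for key, child in node.items():
            if not key.startswith("."):
                walk(child, path + "/" + key)

    walk(rules.get("rules", {}), "")
    return found


# Constructed rules documents: the weak form grants world-readable access at
# the root; the fixed form scopes each user's records to that user's UID.
SAMPLE_RULES_WEAK = {"rules": {".read": "true", ".write": "true"}}
SAMPLE_RULES_FIXED = {
    "rules": {
        ".read": False,
        ".write": False,
        "users": {"$uid": {".read": "$uid === auth.uid", ".write": "$uid === auth.uid"}},
    }
}

# Constructed probe responses in the shape the Realtime Database REST API returns.
SAMPLE_OPEN_BODY = '{"users": true, "sms_log": true}'
SAMPLE_LOCKED_BODY = '{"error" : "Permission denied"}'
```

Point `probe()` only at databases you own or have written authorization to test; `classify_probe()` and `public_read_paths()` run offline on the constructed samples. Note that `".read": "auth != null"` is only a partial fix, since any account the attacker creates in the project satisfies it; the per-UID rule in `SAMPLE_RULES_FIXED` is the pattern to copy.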
The malware uses code obfuscation and packing to evade static detection by antivirus and app-store scanners.
It also hides its icon post-installation, making it difficult for users to identify or uninstall the malicious app.
Three distinct variants of the malware have been identified:
- SMS Forwarding: Redirects stolen messages to attacker-controlled phone numbers.
- Firebase Exfiltration: Sends data to Firebase servers acting as command-and-control (C2) endpoints.
- Hybrid Variant: Combines both channels, forwarding to phone numbers and uploading to Firebase.
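The three variants differ only in where intercepted data goes, and the indicators described above (SMS permissions and an SMS receiver, a hidden launcher icon, hardcoded phone numbers or Firebase URLs) are all visible in a decoded APK. The following is an added example, not Zimperium's analysis tooling, that triages a decoded AndroidManifest.xml (as produced by apktool) together with a dump of string constants from the decompiled code and labels the sample with one of the three variants. The package name, manifest and strings below are constructed for the example, not taken from a real sample.

```python
"""Triage of a decoded APK for the SMS-stealer indicators this campaign uses.

Added example; not code from Zimperium or from the campaign.  Inputs are a
decoded AndroidManifest.xml and a list of string constants pulled from the
decompiled classes.  The samples at the bottom are constructed.
"""
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android:* attribute namespace

SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Disabling its own launcher component through PackageManager is the usual way
# an app removes its icon after installation.
ICON_HIDE_API = "setComponentEnabledSetting"
FIREBASE_URL_RE = re.compile(
    r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app|firebasestorage\.googleapis\.com)\S*"
)
# Indian mobile numbers: optional +91 prefix, then ten digits starting 6-9.
IN_MSISDN_RE = re.compile(r"(?<!\d)(?:\+?91)?[6-9]\d{9}(?!\d)")


def triage_manifest(manifest_xml):
    """Collect SMS permissions, SMS receiver and launcher-activity facts."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    sms_receiver = False
    has_launcher = False
    for comp in root.iter():
        if comp.tag not in ("receiver", "activity"):
            continue
        for flt in comp.findall("intent-filter"):
            actions = {a.get(A + "name") for a in flt.findall("action")}
            cats = {c.get(A + "name") for c in flt.findall("category")}
            if comp.tag == "receiver" and SMS_RECEIVED in actions:
                sms_receiver = True
            if (comp.tag == "activity" and "android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in cats):
                has_launcher = True
    return {
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receiver": sms_receiver,
        "launcher_activity": has_launcher,
    }


def triage_strings(strings):
    """Pull exfiltration targets and the icon-hiding API out of string constants."""
    return {
        "firebase_urls": sorted({m.group(0) for s in strings for m in FIREBASE_URL_RE.finditer(s)}),
        "phone_numbers": sorted({m.group(0) for s in strings for m in IN_MSISDN_RE.finditer(s)}),
        "icon_hide_api": any(ICON_HIDE_API in s for s in strings),
    }


def classify(manifest_xml, strings):
    """Label the sample with the variant its exfiltration channels imply."""
    f = {**triage_manifest(manifest_xml), **triage_strings(strings)}
    intercepts = bool(f["sms_permissions"]) and f["sms_receiver"]
    to_phone = bool(f["phone_numbers"])
    to_firebase = bool(f["firebase_urls"])
    if not intercepts:
        f["variant"] = "no_sms_interception"
    elif to_phone and to_firebase:
        f["variant"] = "hybrid"
    elif to_phone:
        f["variant"] = "sms_forwarding"
    elif to_firebase:
        f["variant"] = "firebase_exfiltration"
    else:
        f["variant"] = "sms_interception_unknown_channel"
    # Either no launcher entry at all, or code that disables it at runtime.
    f["hides_icon"] = (not f["launcher_activity"]) or f["icon_hide_api"]
    return f


# Constructed sample: a fake "rewards" app with SMS interception, an icon-hiding
# call, a Firebase URL and a hardcoded forwarding number (hybrid variant).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank Rewards">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_STRINGS = [
    "setComponentEnabledSetting",
    "https://example-project-default-rtdb.firebaseio.com/users.json",
    "+919876543210",
    "Enter ATM PIN",
]
```

Run `classify(SAMPLE_MANIFEST, SAMPLE_STRINGS)` to see the hybrid verdict; feeding the same manifest with strings that carry neither a number nor a Firebase URL yields `sms_interception_unknown_channel`, which is the cue to look for a different exfiltration channel rather than to clear the sample. The SMS receiver with a high `android:priority` is worth flagging on its own, since legitimate banking apps rarely need to see every incoming SMS before the default messaging app does.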
Impersonated Banks
The campaign impersonates major Indian banks such as ICICI Bank, State Bank of India (SBI), Punjab National Bank (PNB), and RBL Bank to increase its reach.
Zimperium analysis revealed that most attacker-controlled phone numbers were registered in West Bengal, Bihar, and Jharkhand, accounting for 63% of the total.
The increasing reliance on digital payments in India has made mobile devices a prime target for financial fraud.
Threat actors are leveraging stolen credentials not only for unauthorized transactions but also for identity theft and other financially motivated crimes.
To mitigate risks:
- Users should avoid downloading APK files from unverified sources and remain cautious of unsolicited messages requesting personal information.
- Banks and financial institutions should strengthen their authentication and transaction-monitoring controls, since an OTP delivered over SMS is exactly what this malware intercepts.
- Authorities and cloud providers should monitor for publicly readable data stores, such as the Firebase endpoints used in this campaign, that hold stolen personal data.
This incident underscores the urgent need for heightened cybersecurity measures in India’s rapidly digitizing financial ecosystem.