Cybercriminals are ramping up their efforts to exploit unsuspecting users through sophisticated phishing campaigns, as evidenced by a recent incident in which a fraudulent message claiming to be from SBI Bank circulated in a WhatsApp group.
Phishing Message Analysis
The message entices potential victims with an urgent alert about reward points amounting to Rs 9980.00, stating that they will expire if not claimed immediately through a purported SBI Bank reward application.
The message contained multiple red flags indicative of phishing:
- Grammatical Errors: The greeting “Dear Value Customer” lacked proper grammar, suggesting a lack of legitimacy.
- Excessive Use of Emojis: The overuse of emojis and peculiar formatting raised further suspicions.
Attached to this message was an Android APK file, labeled as “SBI BANK REWARD App.”

To assess its authenticity and safety, researchers conducted both static and dynamic analysis of the file.
Technical Analysis of Malicious APK
The APK under scrutiny requested a concerning array of permissions often linked to malicious software, such as access to SMS messages, contacts, and storage.
Upon examining the AndroidManifest.xml file, researchers identified several components, including BackgroundService and SmsReceiver, which are frequently used by harmful applications to secretly intercept messages or carry out automated tasks without user consent.

Additionally, the file contained hardcoded URLs directing traffic to command-and-control (C2) servers, raising alarms about potential data exfiltration. Notable URLs included:
- https://superherocloud.com
- wss://socket.missyou9.in
It was confirmed that the malware successfully captured sensitive user information, transmitting it back to these designated servers.
Testing the APK in a controlled environment revealed alarming findings. The application established connections to its C2 endpoints immediately after installation. It also displayed phishing screens that closely resembled authentic SBI banking interfaces in an attempt to steal user credentials. The compromised data included:
- Usernames and passwords
- Mobile numbers and account details
- Debit and credit card information, including CVV numbers and PINs
After submitting the APK for analysis on VirusTotal, it was flagged as malicious by 25 out of 67 antivirus engines, underscoring its hazardous nature.
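To illustrate the static checks described above (risky permissions, a receiver component registered for incoming SMS, hardcoded C2 endpoints), here is an added Python triage script that is not part of the original report; it runs on a constructed manifest and strings dump that mirror the component names and URLs cited in the article, not on the actual APK.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions commonly abused by SMS-stealing banking malware (real Android permission names).
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.READ_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS", "android.permission.READ_EXTERNAL_STORAGE",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"  # broadcast an SMS-intercepting receiver listens for
URL_RE = re.compile(r"\b(?:https?|wss?)://[\w.-]+(?:/[^\s\"']*)?")
# Constructed sample manifest mirroring the components the report names (not the real APK's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sbireward">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".BackgroundService"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed strings dump (as from decoded dex/resources) containing the URLs the report cites.
SAMPLE_STRINGS = "api=https://superherocloud.com\nsocket=wss://socket.missyou9.in\n"

def triage_manifest(manifest_xml: str) -> dict:
    """Return risky permissions, receivers registered for SMS_RECEIVED, and declared services."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_receivers = [r.get(ANDROID_NS + "name") for r in root.iter("receiver")
                     if any(a.get(ANDROID_NS + "name") == SMS_ACTION for a in r.iter("action"))]
    services = [s.get(ANDROID_NS + "name") for s in root.iter("service")]
    return {"risky_permissions": sorted(perms & RISKY_PERMISSIONS),
            "sms_receivers": sms_receivers, "services": services}

def extract_urls(strings_dump: str) -> list:
    """Pull hardcoded http(s)/ws(s) endpoints out of an extracted strings dump."""
    return sorted(set(URL_RE.findall(strings_dump)))

def is_suspicious(report: dict, urls: list) -> bool:
    """Heuristic: SMS-interception capability combined with a hardcoded remote endpoint."""
    return bool(report["sms_receivers"]) and bool(urls)

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    urls = extract_urls(SAMPLE_STRINGS)
    print(report, urls, "SUSPICIOUS" if is_suspicious(report, urls) else "no SMS-exfil indicators")
```

On a real sample, feed it the manifest decoded with a tool such as apktool and a strings dump of the dex and resource files; the heuristic is a triage signal for an analyst, not a verdict.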
According to the Malware Analysis report, this incident serves as a stark reminder that cybercriminals are employing increasingly sophisticated strategies to deceive users into sharing sensitive information.
The misuse of trusted branding, coupled with a false sense of urgency, makes such phishing attempts exceptionally perilous.
Users must remain vigilant, practicing cybersecurity best practices to protect themselves against these ongoing threats.