Authored by Dexter Shin
Over the years, cyber threats targeting Android devices have become more sophisticated and persistent. Recently, McAfee Mobile Research Team discovered a new Android banking trojan targeting Indian users. This malware disguises itself as essential services, such as utility (e.g., gas or electricity) or banking apps, to obtain sensitive information from users. These kinds of services are vital for daily life, making it easier to lure users. We have previously observed malware that masquerades as utility services in Japan. As seen in such cases, utility-related messages, such as warnings that gas service will be disconnected soon unless the bill is checked, can cause significant alarm and prompt immediate action from users.
We have identified that this malware has infected 419 devices, intercepted 4,918 SMS messages, and stolen 623 entries of card or bank-related personal information. Given the active malware campaigns, these numbers are expected to rise. McAfee Mobile Security already detects this threat as Android/Banker. For more information, visit McAfee Mobile Security.
Phishing via messaging platforms like WhatsApp
As of 2024, India is the country with the highest number of monthly active WhatsApp users. This makes it a prime target for phishing attacks. We've previously introduced another Banker distributed via WhatsApp. Similarly, we suspect that the sample we recently found also uses messaging platforms to reach individual users and trick them into installing a malicious APK. If a user installs this APK, it will allow attackers to steal the victim's financial data, thereby accomplishing their malicious goal.
Figure 1. Scammer messages reaching users via WhatsApp (source: reddit)
Inside the malware
The malware we first identified was pretending to be an app that allowed users to pay their gas bills. It used the logo of PayRup, a digital payment platform for public service fees in India, to make it look more legitimate to users.
Figure 2. Malware disguised as a gas-bill digital payment app
Once the app is launched and the permissions, which are designed to steal personal data such as SMS messages, are granted, it asks the user for financial information, such as card details or bank account information. Since this malware pretends to be an app for paying bills, users are likely to enter this information to complete their payments. On the bank page, you can see major Indian banks like SBI and Axis Bank listed as options.
Figure 3. Malware that requests financial data
If the user inputs their financial information and tries to make a payment, the data is sent to the command and control (C2) server. Meanwhile, the app displays a payment failure message to the user.
Figure 4. Payment failure message displayed but data sent to C2 server
One thing to note about this app is that it can't be launched directly by the user through the launcher. For an Android app to appear in the launcher, it needs to have “android.intent.category.LAUNCHER” defined within an
Figure 5. AndroidManifest.xml for the sample
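As an added example (not code from the McAfee write-up or the malware), the check below takes a decoded AndroidManifest.xml and reports which activities carry both the MAIN action and the LAUNCHER category, i.e. which ones the launcher would list. A sample with a MAIN activity but no LAUNCHER category, like the one described above, shows up as hidden. The two manifests embedded here are constructed for the demonstration; the package names in them are placeholders.

```python
# Added example (not from the McAfee write-up): check a decoded AndroidManifest.xml
# for an activity that would appear in the launcher, i.e. one whose intent-filter
# carries both the MAIN action and the LAUNCHER category.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def launcher_activities(manifest_xml: str) -> list:
    """Return the names of activities (or activity-aliases) with a MAIN+LAUNCHER filter."""
    root = ET.fromstring(manifest_xml)
    found = []
    for component in root.iter():
        if component.tag not in ("activity", "activity-alias"):
            continue
        for intent_filter in component.findall("intent-filter"):
            actions = {a.get(NAME_ATTR) for a in intent_filter.findall("action")}
            categories = {c.get(NAME_ATTR) for c in intent_filter.findall("category")}
            if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
                found.append(component.get(NAME_ATTR, "<unnamed>"))
                break  # one qualifying filter is enough for this component
    return found


def is_hidden_from_launcher(manifest_xml: str) -> bool:
    """True when no component would be listed by the launcher, as with this sample."""
    return not launcher_activities(manifest_xml)


# Constructed manifest for demonstration: a normal app with a launcher entry.
VISIBLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.visible">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed manifest: MAIN action present but no LAUNCHER category, so no launcher icon.
HIDDEN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.hidden">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("visible", VISIBLE_MANIFEST), ("hidden", HIDDEN_MANIFEST)):
        print(label, "launcher activities:", launcher_activities(manifest),
              "| hidden from launcher:", is_hidden_from_launcher(manifest))
```

The manifest inside an APK is stored in binary XML, so run it through apktool or a similar decoder first; this script only parses the plain-text form. An app with no launcher entry is not malicious by itself, but combined with SMS permissions and a bank or utility theme it is a useful triage signal.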
Exploiting Supabase for data exfiltration
In previous reports, we've introduced various C2 servers used by malware. However, this malware stands out due to its unusual use of Supabase, an open-source database service. Supabase is an open-source backend-as-a-service, similar to Firebase, that provides a PostgreSQL-based database, authentication, real-time features, and storage. It helps developers quickly build applications without managing backend infrastructure. It also exposes RESTful APIs for managing the database. This malware abuses these APIs to store stolen data.
Figure 6. App code using Supabase
A JWT (JSON Web Token) is required to use Supabase through its RESTful APIs. Interestingly, the JWT token is exposed in plain text within the malware's code. This provided us with a unique opportunity to further investigate the extent of the data breach. By leveraging this token, we were able to access the Supabase instance used by the malware and gain valuable insights into the scale and nature of the data exfiltration.
Figure 7. JWT token exposed in plaintext
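The following is an added example, not code from the write-up or the malware: an analyst-side triage that scans strings dumped from a decompiled APK for a hard-coded Supabase endpoint and JWT, decodes the JWT's claims without verifying the signature, and explains what the embedded key implies (which project it was issued for, whether it is the anon or service_role key, whether it has expired). The same scan also pulls out Firebase Realtime Database hosts of the kind described later under "Mobile app management of C2". The strings dump, project ref and JWT used here are constructed for the example; the regular expressions and claim names (`iss`, `ref`, `role`, `exp`) reflect the format of Supabase-issued keys.

```python
# Added example (not from the McAfee write-up): triage strings dumped from a decompiled
# APK for a hard-coded Supabase endpoint and JWT, and decode the JWT's claims without
# verifying it, so an analyst can see which project and role the embedded key grants.
import base64
import json
import re
import time
from typing import Optional

SUPABASE_URL_RE = re.compile(r"https://([a-z0-9]+)\.supabase\.co")
FIREBASE_RTDB_RE = re.compile(r"https://[a-z0-9-]+\.firebaseio\.com")
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token: str) -> dict:
    """Decode the claims of a compact JWT (signature is NOT verified; inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def assess_supabase_jwt(claims: dict, url_refs: list, now: Optional[float] = None) -> list:
    """Explain what an embedded Supabase key implies for the data behind it."""
    now = time.time() if now is None else now
    notes = []
    role = claims.get("role")
    if role == "service_role":
        notes.append("service_role key: bypasses row-level security, full access to every table")
    elif role == "anon":
        notes.append("anon key: access governed by row-level security; tables without RLS are readable")
    else:
        notes.append(f"unrecognised role claim: {role!r}")
    ref = claims.get("ref")
    if ref and url_refs and ref not in url_refs:
        notes.append(f"key issued for project {ref!r} but code talks to {url_refs}")
    if isinstance(claims.get("exp"), (int, float)) and claims["exp"] < now:
        notes.append("key is expired")
    return notes


def triage(strings: str, now: Optional[float] = None) -> dict:
    """Collect Supabase refs, decoded embedded JWTs and Firebase RTDB hosts from a strings dump."""
    refs = sorted(set(SUPABASE_URL_RE.findall(strings)))
    jwts = []
    for token in sorted(set(JWT_RE.findall(strings))):
        try:
            claims = decode_jwt_payload(token)
        except ValueError:  # covers binascii.Error and JSONDecodeError: looked like a JWT, was not
            continue
        jwts.append({"ref": claims.get("ref"), "role": claims.get("role"),
                     "exp": claims.get("exp"), "notes": assess_supabase_jwt(claims, refs, now)})
    return {"supabase_refs": refs, "jwts": jwts,
            "firebase_rtdb": sorted(set(FIREBASE_RTDB_RE.findall(strings)))}


# --- constructed sample: a fake anon key and endpoints, not the campaign's real values ---
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


SAMPLE_REF = "exampleprojectref000"
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "supabase", "ref": SAMPLE_REF, "role": "anon",
                        "iat": 1700000000, "exp": 2000000000}).encode()),
    "constructedsignature",  # placeholder; the claims are decoded without verification
])
SAMPLE_STRINGS = f"""
const-string v0, "https://{SAMPLE_REF}.supabase.co/rest/v1/sms"
const-string v1, "{SAMPLE_JWT}"
const-string v2, "https://example-forwarder-default-rtdb.firebaseio.com/"
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_STRINGS), indent=2))
```

Run it over the output of `strings` on the decompiled classes, or over smali files, and the result tells you which backend project the sample reports to and how much the embedded key can reach, without touching the attacker's instance. The project ref and the RTDB host are the values worth passing on as indicators.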
During our investigation, we discovered a total of 5,558 records stored in the database. The first of these records was dated October 9, 2024. As previously mentioned, these records include 4,918 SMS messages and 623 entries of card information (number, expiration date, CVV) and bank information (account numbers, login credentials such as ID and password).
Figure 8. Examples of stolen data
Uncovering variants by package prefix
The initial sample we found had the package name “gs_5.customer”. Through investigation of their database, we identified 8 unique package prefixes. These prefixes provide significant clues about the scam theme associated with each package. By examining the package names, we can infer specific characteristics and likely focus areas of the various scam operations.
| Package Name | Scam Theme |
| --- | --- |
| ax_17.customer | Axis Bank |
| gs_5.customer | Gas Bills |
| elect_5.customer | Electrical Bills |
| icici_47.customer | ICICI Bank |
| jk_2.customer | J&K Bank |
| kt_3.customer | Karnataka Bank |
| pnb_5.customer | Punjab National Bank |
| ur_18.customer | Uttar Pradesh Co-Operative Bank |
Based on the package names, it appears that once a scam theme is chosen, at least 2 different variants are developed within that theme. This variability not only complicates detection efforts but also increases the potential reach and impact of their scam campaigns.
Mobile app management of C2
Based on the information uncovered so far, we found that the malware actor has developed and is actively using an app to manage the C2 infrastructure directly from a device. This app can send commands to forward SMS messages from the victims' active phones to specified numbers. This capability differentiates it from previous malware, which typically manages C2 servers via web interfaces. The app stores various configuration settings through Firebase. Notably, it uses Firebase “Realtime Database” rather than Firestore, likely due to its simplicity for basic data retrieval and storage.
Figure 9. C2 management mobile application
Conclusion
Based on our research, we have confirmed that 419 unique devices have already been infected. However, considering the continuous development and distribution of new variants, we anticipate that this number will gradually increase. This trend underscores the persistent and evolving nature of this threat, emphasizing the need for careful observation and flexible security strategies.
As mentioned at the beginning of the report, many scams originate from messaging platforms like WhatsApp. Therefore, it's essential to remain cautious when receiving messages from unknown or uncertain sources. Additionally, given the clear emergence of various variants, we recommend using security software that can quickly respond to new threats. Furthermore, by using McAfee Mobile Security, you can bolster your defense against such sophisticated threats.
Indicators of Compromise (IOCs)
APKs:
| SHA256 | Package Name | App Name |
| --- | --- | --- |
| b7209653e226c798ca29343912cf21f22b7deea4876a8cadb88803541988e941 | gs_5.customer | Gas Bill Update |
| 7cf38f25c22d08b863e97fd1126b7af1ef0fcc4ca5f46c2384610267c5e61e99 | ax_17.customer | Client Application |
| 745f32ef020ab34fdab70dfb27d8a975b03e030f951a9f57690200ce134922b8 | ax_17.number | Controller Application |
Domains:
- https[://]luyagyrvyytczgjxwhuv.supabase.co
Firebase:
- https[://]call-forwarder-1-default-rtdb.firebaseio.com