Since 2021, India has faced an ongoing cyber threat involving Android malware specifically targeting bank customers. Threat actors initially distributed this malware through SMS messages containing phishing links, which directed users to download malicious Android applications. Themes such as credit card reward points and KYC updates were used initially to entice victims.
In 2021, Cyble Research and Intelligence Labs (CRIL) highlighted this campaign, which specifically targeted users of major Indian banks using an Android infostealer. Recently, we have observed a rise in this phishing campaign. Threat actors have expanded their tactics beyond the reward points, and KYC update themes to include themes related to utility bill payments and government schemes. Notably, there has been a shift from sending phishing messages via SMS to using WhatsApp messages in this campaign.
Figure 1 – Phishing messages impersonating Indian banks distributed via WhatsApp
Figure 2 – Fake government scheme APKs being distributed via WhatsApp
Figure 3 – Gas and electricity bill phishing messages
During our analysis of the applications associated with this campaign, we discovered a Command and Control (C&C) server, “hxxps://sallu[.]info”, which hosts an admin panel. On this admin panel, we found a WhatsApp number, “9238022687”, listed for support related to links, APKs, and UPI panel assistance. We suspect that the threat actor may be utilizing a Malware-as-a-Service (MaaS) model offered by certain cybercriminals.
Figure 4 – Admin panel displaying WhatsApp number for support
We discovered other similar admin panels associated with this campaign displaying the same message. In March 2024, McAfee also noted that this campaign was using Malware-as-a-Service(MaaS) provided by ELVIA INFOTECH.
Figure 5 – More C&C server hosting admin panel
Threat actors have been observed deploying new malware strains that do not utilize launcher activities. Examination of the manifest file reveals the absence of a launcher activity, which prevents the app icon from appearing on the app drawer. This makes it difficult for the victim to identify and uninstall the malware.
Figure 6 – Launcher activity missing
After the user installs the application, they are given the option to open it. Upon opening, the malware prompts the user to grant permission to send and receive SMS messages. Once the victim grants these permissions, the malware displays a phishing screen displaying a fake login page of major Indian Banks.
Figure 7 – Malware prompting permissions and loading fake login screen
Since the beginning of 2024, Indian citizens have been receiving phishing messages on WhatsApp that impersonate the Regional Transport Office (RTO), a governmental organization in India responsible for vehicle registration, driver licensing, and other transport-related matters.
Figure 8 – Phishing messages impersonating the RTO
The phishing messages, sent via WhatsApp, masqueraded as official notices from regional RTOs, alleging violations of traffic rules against the users’ vehicles. They included an APK file named “VAHAN PARIVAHAN.apk,” purportedly for viewing the “challan”, which is a regional term that refers to an official document or receipt. These messages featured regional RTO logos in their profile pictures, enticing victims to download the malicious application.
The malware from this campaign also lacks a launcher activity. Unlike previous malware, it does not use a phishing screen mimicking any Indian banks. Instead, this application runs in the background to send SMS messages from the infected device and collect SMS messages and contact lists.
Once the user installs and opens the application, the malware prompts the victim to grant permissions for SMS and contact access.
Figure 9 – Permissions prompted by the VAHAN PARIVAHAN app
In the main activity, the malware loads a blank screen into the WebView and prompts the user to designate the “VAHAN PARIVAHAN” application as the default SMS application. Concurrently, the malware sends device information, including the model number, version number, battery status, carrier name, and other relevant details, along with the contact list from the infected device, to a Telegram bot URL: hxxps://api[.]telegram.org/bot7487929666: AAHotf1RHqgk6W0WbFjXywI458I9r9CmxiM/sendDocument.
Figure 10 – Collecting device information
Figure 11 – Collecting contacts and sending stolen information to the Telegram Bot
After gathering data and obtaining necessary permissions, the malware initiates a background service that connects to the Firebase URL “hxxps://numnumfour-default-rtdb.firebaseio[.]com/-1002221216537/.json”.
The service retrieves data from the Firebase URL, including lists of phone numbers and text messages. Subsequently, the malware uses the received text to send SMS messages from the infected device to the phone numbers obtained from the Firebase server.
Figure 12 – Sending messages from the infected device
When we accessed the Firebase URL, we observed the JSON response, which included Indian phone numbers and random text, as depicted in the figure below.
Figure 13 – Firebase URL JSON response
However, a similar URL, “hxxps://hookuptolookup-default-rtdb[.]firebaseio.com/-1002118750305/.json” was identified. This URL also manages data containing phone numbers and text. Other applications within the same campaign utilize this URL. The figure below illustrates the data present in the JSON file fetched from Firebase.
Figure 14 – Text and number data present in .json
As indicated in Figure 13 under ID 11357, the text message begins with “SIMPL,” suggesting it is related to the verification process of the Simpl app. Simpl is a Buy Now, Pay Later (BNPL) app in India that allows the user to make online purchases. When a user attempts to register for the Simpl application using their mobile number, the app sends an SMS containing a verification code that starts with “SIMPL.”
Figure 15 – Simpl app’s number verification message
In December 2022, CRIL identified several techniques used by threat actors to commit financial fraud using UPI. One such technique involved sending verification messages from the victim’s device, enabling the threat actors to successfully verify the UPI app on their own device. We suspect that the threat actors in this campaign are attempting to employ the same tactic.
Since 2021, India has faced persistent cyber threats targeting bank customers through advanced Android malware campaigns. Initially spread via SMS with themes like credit card rewards and KYC updates, these attacks now include utility bill payments and government schemes distributed through WhatsApp. Using Malware-as-a-Service (MaaS) and hiding launcher activities have made detection difficult.
This new phishing campaign impersonates the Regional Transport Office (RTO), using a malicious APK to send SMSs from victims’ devices. This enables threat actors to verify payment applications via SMS. This ongoing threat underscores the need for increased vigilance, user awareness, and robust cybersecurity measures to defend against these sophisticated attacks.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Tactic | Technique ID | Procedure |
Defense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware pretending to be Indian banking applications or government entity |
Persistence (TA0028) | Event-Triggered Execution: Broadcast Receivers (T1624.001) | Malware has implemented an SMS broadcast receiver to fetch incoming SMS |
Discovery (TA0032) | System Information Discovery (T1426) | The malware collects basic device information. |
Defense evasion (TA0030) | Hide Artifacts: Suppress Application Icon (T1628.001) | Malware does not have launcher activity enabling it to hide icon |
Collection (TA0035) | Protected User Data: Contact List (T1636.003) | The malware collects contacts from the infected device |
Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) |
Steals SMSs from the infected device |
Command and Control (TA0037) | Application Layer Protocol (T1437) | Application using Firebase URL |
Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sending exfiltrated data over C&C server |
Indicators | Indicator Type | Description |
31e92f014c1e64fad475fb3eade116c19464a6978159de55c59e3189a67eb979 e0190113fc10e743b1f0862d498ab5c41d5bd242 961ede4f131f3a7322863ef99cc446b5 |
SHA256 SHA1 MD5 |
VAHAN PARIVAHAN malicious application |
hxxps://numnumfour-default-rtdb[.]firebaseio.com/ | URL | Firebase URL to get mobile number and text message |
hxxps://api[.]telegram.org/bot7487929666:AAHotf1RHqgk6W0WbFjXywI458I9r9CmxiM | URL | Telegram bot URL used to send data |
3d2e8bd0b83a48c89e44c6e9dea76f803460484517d193bfc114f20170e4baba 634ff3c0a3346935b1ec4d0fe32fedd7fa0c4b5e 41450833c1eb6512843b2beb27e121c1 |
SHA256 SHA1 MD5 |
Reward campaign file with no launcher activity |
api[.]warnert.online sallu[.]info |
Domain | C&C server |