Threat Actors (TAs) use or create Malware to compromise or harm users through various malicious activities. Spyware is one such example. In this instance, we observed TAs utilizing spyware to steal sensitive data from infected devices – this data could include financial and personal information.
This report will focus on two such malicious applications that TAs use to target the customers of major Indian banks. Through these malicious applications, TAs attempt to trick the users into installing their malware by disguising them as legitimate bank-related applications. They rely on having similar name and icon of the official banking apps.
Cyble Research Labs came across Twitter posts where other researchers have also posted about this type of Android malware.
During our analysis, we observed that these malicious applications have application screens similar to the legitimate banking applications which they are trying to impersonate.
Through these fake apps, the malware collects the victim’s banking credentials, credit card details, Personally Identifiable Information (PII) and credentials of the victim’s email accounts. We have analyzed one of these samples.
The figure below demonstrates the flow diagram of the application.
Technical Analysis
The App names given to the spyware are SBI rewards and other names related to a few other major private bank’s apps.
APK Metadata Information
- App Name: SBI rewards
- Package Name: in.sbi.rewards
- SHA256 Hash: e03b9badfdd85992c8c9f79e25d5975d08b550206f7beb561c5983b3ff1f36b8
Figure 2 shows the metadata information of the application.
The below figure shows the application icon and name displayed on the Android device.
The malware requests for Know Your Customer (KYC) documents such as address proof (govt. ID), PAN Card, and user’s selfie as shown in the below figure.
The malware also prompts the user to input their card details as shown below.
The malware displays a fake page to steal email account credentials across various email service providers as shown in the below figure.
Manifest Description
The malware requests the user for 11 different permissions. Out of these, it abuses 5 permissions. The dangerous permissions are listed below.
| Permissions | Description |
| GET_ACCOUNTS | Access accounts details in the device |
| READ_SMS | Access SMSs in the device database (DB). |
| RECEIVE_SMS | Intercept SMSs received on the victim’s device |
| READ_CALL_LOG | Access Call Logs |
| MODIFY_AUDIO_SETTINGS | Modify audio settings |
The list of permissions the malware requests in the manifest file is given below.
The below figure shows the launcher activity of the malware.
Malware Behaviour
During our analysis, we observed that the application collects financial and personal information from the victim. The malware collects this information by utilizing fake screens, one such screen is shown in Figure 5.
The collected details include:
- SMS data which also includes two-factor authentication codes/OTPs
- Call logs
- Device accounts synced on the device
- Credit/Debit card information such as card number, expiry, CVV, card PIN.
- Personal information such as name, email, DOB, mobile number
- Hardware information such as IMEI number, device’s IP address
- Credentials of email accounts such as Google, Yahoo, Microsoft, etc.
Additionally, the malware also makes modifications to the infected device’s audio settings such as setting the device to silent mode etc.
Code Evidence
From our static analysis, we noticed that the malware is not using obfuscations techniques such as complex class names or encrypted strings. We also observed the spyware behavior during our analysis
The code used to collect SMSs and call logs are given in the screenshots below.
This financial spyware utilizes fake banking applications screens shown in Figure 5. The code to collect Credit/Debit card details is shown below.
In addition to the banking credentials, the spyware is also capable of stealing credentials of the victim’s email accounts such as Google, Yahoo, etc (refer Figure 6) from the infected device by utilizing fake screens. The code to collect and upload these credentials is shown below.
The code snippet highlighter in Figure 13 demonstrates that the malware attempted to put the device in silent mode to avoid the user noticing incoming SMSs.
The spyware collects this information and uploads the data to a Command and Control (C&C) server. The TA controls the malware using commands send from this C&C.
C&C and the commands
The financial spyware utilizes multiple servers for uploading the collected data and also to receive commands from the TA.
The malware uses an open-source library, socket.io to communicate with C&C servers.
The code to send data to the C&C server is given below.
The malware encrypts the data before every upload. The data is encrypted using a combination of AES encryption and Base64 encoding as shown in the code below.
We have listed the commands used by the TA to control the infected device:
| Command | Description |
| all_sms_received | Upload all SMSs received |
| silent | Make the device silent |
| force_calls | Flag to enable/disable call log uploads |
| all_call_received | Upload call logs |
| Force_sms | Flag to enable/disable SMS uploads |
Figure 16 shows the code to check for the commands.
Traffic Analysis
During our traffic analysis, we identified that the malware communicated to a URL: hxxps://testchat8564.herokuapp[.]com/socket.io/?EIO=3&transport=polling that is hosted on a free hosting service as shown in the below figure.
We identified that the malware sends the SMS data to TA’s C&C server hxxp://datasmsalluser[.]in/saver.php as shown in the below figure.
The malware sends the call logs data to TAs C&C server hxxp://datasmsalluser[.]in/savercall.php as shown in Figure 19.
We identified that the malware encrypts the SMS data and sends it to the C&C server hxxps://testchat8564.herokuapp[.]com/socket.io/?EIO=3&sid=v2vV83VUIP8wo08LAAFt&transport=polling as shown in below figure.
Conclusion
These Android Spywares targets customers of major Indian Banks to steal sensitive information such as financial and personal data without the victim’s knowledge. This PII information and stolen credentials can be sold or exchanged in darkweb and deepweb to carry out further activities ranging from targeted attacks to financial fraud.
Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through increasingly sophisticated techniques. Such malicious applications often masquerade as legitimate applications to trick users into installing them.
Users should thus install applications only after verifying their authenticity. Apps should only be installed exclusively via the official Google Play Store and other trusted portals to avoid such attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | -Deliver Malicious App via Other Mean. |
| Initial Access | T1444 | -Masquerade as Legitimate Application |
| Execution | T1575 | -Native Code |
| Collection | T1433 | -Access Call Log |
| Collection | T1412 | -Capture SMS Messages |
| Command and Control | T1436 | -Commonly Used Port |
| Exfiltration | T1532 | -Data Encrypted |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| e03b9badfdd85992c8c9f79e25d5975d08b550206f7beb561c5983b3ff1f36b8 | SHA256 | Malicious APK |
| f8677fbacd926fca9fb55239d9491573341c1546cd2ec59e5acc49d43bcf1586 | SHA256 | Malicious APK |
| hxxp://datasmsalluser[.]in/saver.php | URL | Uploads device’s SMS to this server |
| hxxp://datasmsalluser[.]in/savercall.php | URL | Uploads device’s CallLogs to this server |
| hxxps://testchat8564.herokuapp[.]com/socket.io/?EIO=3&sid=v2vV83VUIP8wo08LAAFt&transport=polling | URL | Uploads device’s data to this server |
| hxxp://testdata112[.]orgfree.com/data_1.php | URL | C&C used for updating the app |
| hxxps://unsaleable-curls.000webhostapp[.]com/data4.php | URL | C&C used for updating the app |
