The zLabs research team has discovered a mobile malware campaign consisting of almost 900 malware samples primarily targeting users of Indian banks. Analysis of the collected samples reveals shared code structures, user interface elements, and app logos, suggesting a coordinated effort by a single threat actor targeting mobile devices running the Android OS. Zimperium’s dynamic, on-device detection engine successfully detected multiple instances of this malware, categorizing them as Trojan Bankers specifically designed to target financial institutions in India.

Unlike conventional banking Trojans that rely solely on  command-and-control (C&C) servers for one-time password (OTP) theft, this malware campaign leverages live phone numbers to redirect SMS messages, leaving a traceable digital trail for law enforcement agencies to track the threat actors behind this campaign. Our team identified approximately 1,000 phone numbers used in this campaign, which will be shared with authorities upon request.

Furthermore, our researchers discovered over 222 publicly accessible Firebase storage buckets containing 2.5GB of sensitive data, including SMS messages from Indian banks, bank details, card details, and government-issued identification details. This exposure comprises an estimated 50,000 users, demonstrating the campaign’s extensive reach and severity.

Modus Operandi

The malware is distributed through WhatsApp as APK files masquerading as legitimate government or banking applications. Once installed, these apps deceive users into disclosing sensitive financial and personal details, such as:

Aadhar Card (equivalent to a Social Security Number)

PAN Card (used for taxation and bank linking)

Credit and debit card information

ATM PINs and mobile banking credentials

The malware exploits SMS permissions to intercept and exfiltrate messages, including OTP’s, facilitating unauthorized transactions. Additionally, it employs stealth techniques to hide its icon and resist uninstallation, ensuring persistence on the compromised devices. 

Technical Analysis

According to our research, this banker malware family has three distinct variants 

SMS Forwarding: Captures and forwards stolen SMS messages to an attacker-controlled phone number. 

Firebase-Exfiltration: Exfiltrates stolen SMS messages to a Firebase endpoint, which acts as a command-and-control server.

Hybrid: Combines both techniques, forwarding stolen SMS messages to a phone number and a Firebase endpoint.

Over 1,000 malicious applications linked to this malicious campaign have been collected and analyzed. These malicious applications utilize code obfuscation and packing techniques to evade detection and make reverse engineering difficult. Hardcoded phone numbers, discovered within certain variants of the apps, serve as exfiltration points for OTPs and SMS messages, suggesting that these numbers are either directly controlled by the attackers or belong to compromised individuals under their control.

The variants that exfiltrated data to Firebase exposed personal information to the public by sending it to an unsecured, publicly accessible endpoint.

Firebase Endpoint & Dashboard Observations

Analysis of the Firebase endpoints revealed that all data exfiltrated from the victim’s devices was openly accessible to anyone, as the endpoint lacked any authentication or authorization mechanisms.

The JSON data retrieved from these endpoints exposed critical administrator details, including: Credentials for the C&C platform used to collect and manage stolen data.

The phone number designated for SMS exfiltration (if not hardcoded in the malware itself).

The leaked credentials allowed unauthorized access to the administrative dashboard used by the attackers to set the configurations and show all the stolen data.

The dashboard featured an “Admin Whatsapp” button at the bottom. This button opens a WhatsApp web or app window, displaying the admin’s phone number. This suggests a multi-user environment where multiple threat actors can operate the dashboard and easily contact the admin for assistance directly from within the dashboard.

Attacker’s SIM-Location Analysis

Analyzing phone numbers embedded in the malware, our researchers traced their registrations to specific regions in India. The majority of these phone numbers were linked to be registered in West Bengal, Bihar, and Jharkhand, collectively accounting for approximately 63% of the total.

Exfiltrated Messages Distribution

The vast majority of exposed data consists of SMS messages. Our team analyzed the exfiltrated messages to identify bank-originated SMS and their distribution across the different banks. 

Banks Targeted in the Campaign

Threat actors capitalized on the credibility and trust of banks and government agencies to increase its reach and distribution within India. By analyzing the app icons used by different samples, we identified the most commonly impersonated financial entities.

The proliferation of digital payments in India has led to an increase in mobile-based financial fraud. Given that OTP’s remain a critical authentication mechanism, threat actors are increasingly deploying SMS-stealing malware to bypass this security layer. By combining credential theft, SMS interception and phishing techniques, these actors can execute unauthorized transactions and drain victims’ bank accounts via their mobile devices.

Zimperium vs. FatBoyPanel

To effectively safeguard employees and customers from advanced malware threats, enterprises must deploy proactive and robust security solutions that protect both employee devices and customer-facing mobile applications. Zimperium is uniquely positioned to defend against these threats with its industry-leading on-device detection capabilities and comprehensive Mobile Application Protection Suite (MAPS).

Zimperium’s Mobile Threat Defense (MTD) solution provides real-time, on-device protection against sophisticated malware, phishing attempts, and unauthorized access. By leveraging advanced machine learning and behavioral analysis directly on the device, MTD ensures employees can work securely without relying on cloud-based detection, thereby reducing response times and preserving user privacy. This proactive defense helps enterprises protect sensitive data, secure their workforce, and maintain business continuity.

Additionally, Zimperium’s MAPS secures internally developed mobile applications against reverse engineering, tampering, and unauthorized access. By embedding advanced security controls directly into the app, MAPS ensures mobile applications remain protected from exploitation both in app stores and on end-user devices. This prevents costly breaches, enhances regulatory compliance, and reinforces customer trust in digital banking and financial services.

Powered by Zimperium’s proprietary On-Device Dynamic Detection Engine, both MTD and MAPS solutions utilize cutting-edge machine learning, deterministic detection, and behavioral analysis to deliver unparalleled threat visibility and continuous protection. Unlike traditional cloud-dependent solutions, Zimperium’s on-device approach enables enterprises to detect and neutralize even the most advanced, zero-day threats without compromising user privacy or application performance.

The effectiveness of Zimperium’s technology is underscored by its ability to detect and mitigate all malware samples and malicious URLs identified in this research, proving its unmatched capability in protecting mobile-first enterprises against evolving cyber threats.

MITRE ATT&CK Techniques

To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table containing the MITRE Tactics and Techniques as reference. 

Tactic	ID	Name	Description
Initial Access	T1660	Phishing	Adversaries send malicious content to users in order to gain access to their device.
Persistence	T1624.001	Event Triggered Execution: Broadcast Receivers	It creates a broadcast receiver to receive SMS events and outgoing calls.
Credential Access	T1417.002	Input Capture: GUI Input Capture	It is able to get the shown UI.
	T1635	Steal Application Access Token	It steals OTPs.
Discovery	T1426	System Information Discovery	It gets info about the device as the androidID.
Collection	T1417.002	Input Capture: GUI Input Capture	It is able to get the shown UI.
	T1636.003	Protected User Data: Contact List	It exports the device’s contacts.
	T1636.004	Protected User Data: SMS Messages	It exfiltrates all the incoming OTP SMS messages.
Command and Control	T1637	Dynamic Resolution	It receives the injected HTML payload endpoint dynamically from the server.
	T1481.002	Web Service: Bidirectional Communication	It uses websocket communication to poll the TA’s server and get the commands to execute.
Exfiltration	T1639.001	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol	The stolen credentials are sent to a different C2.
Impact	T1516	Input Injection	It displays inject payloads like pattern lock and mimics banking apps login screen through overlay and steal credentials.
	T1582	SMS Control	It can read and send SMS.

Indicators of Compromise

The IOCs for this campaign can be found here. 

SOURCE: zimperium