Mobile Indian cyber heist: FatBoyPanel and his massive data breach
The zLabs research team has discovered a mobile malware campaign consisting of almost 900 malware samples primarily targeting users of Indian banks. Analysis of the collected samples reveals shared code structures, user interface elements, and app logos, suggesting a coordinated effort by a single threat actor targeting mobile devices running the Android OS. Zimperium’s dynamic, on-device detection engine successfully detected multiple instances of this malware, categorizing them as Trojan Bankers specifically designed to target financial institutions in India.
Unlike conventional banking Trojans that rely solely on command-and-control (C&C) servers for one-time password (OTP) theft, this malware campaign leverages live phone numbers to redirect SMS messages, leaving a traceable digital trail for law enforcement agencies to track the threat actors behind this campaign. Our team identified approximately 1,000 phone numbers used in this campaign, which will be shared with authorities upon request.
Furthermore, our researchers discovered over 222 publicly accessible Firebase storage buckets containing 2.5GB of sensitive data, including SMS messages from Indian banks, bank details, card details, and government-issued identification details. This exposure affects an estimated 50,000 users, demonstrating the campaign’s extensive reach and severity.
Modus Operandi
The malware is distributed through WhatsApp as APK files masquerading as legitimate government or banking applications. Once installed, these apps deceive users into disclosing sensitive financial and personal details, such as:
Aadhaar Card (equivalent to a Social Security Number)
PAN Card (used for taxation and bank linking)
Credit and debit card information
ATM PINs and mobile banking credentials
The malware abuses SMS permissions to intercept and exfiltrate messages, including OTPs, facilitating unauthorized transactions. Additionally, it employs stealth techniques to hide its icon and resist uninstallation, ensuring persistence on the compromised devices.

Technical Analysis
According to our research, this banker malware family has three distinct variants:
SMS Forwarding: Captures and forwards stolen SMS messages to an attacker-controlled phone number.
Firebase-Exfiltration: Exfiltrates stolen SMS messages to a Firebase endpoint, which acts as a command-and-control server.
Hybrid: Combines both techniques, forwarding stolen SMS messages to a phone number and a Firebase endpoint.
Over 1,000 malicious applications linked to this campaign have been collected and analyzed. These applications use code obfuscation and packing techniques to evade detection and hinder reverse engineering. Hardcoded phone numbers discovered within certain variants serve as exfiltration points for OTPs and SMS messages, suggesting that these numbers are either directly controlled by the attackers or belong to compromised individuals under their control.
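The three variants above differ mainly in where stolen SMS goes: a hardcoded phone number, a Firebase endpoint, or both. The following static-triage helper is an added example, not Zimperium's tooling or the malware's code; it maps a decoded APK's manifest and string table onto those variants. The +91 phone pattern and Firebase hostname pattern are assumptions, and the manifest and strings are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS", "android.permission.SEND_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"  # action the report's broadcast receiver listens for
# Assumed patterns: Indian mobile numbers with +91 prefix, Firebase database/storage hostnames.
PHONE_RE = re.compile(r"\+91[6-9]\d{9}")
FIREBASE_RE = re.compile(r"https?://(?:[a-z0-9-]+\.firebaseio\.com|firebasestorage\.googleapis\.com)\S*")

def manifest_indicators(manifest_xml):
    """Return the SMS permissions requested and whether an SMS_RECEIVED receiver is declared."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    receives_sms = any(
        a.get(ANDROID_NS + "name") == SMS_ACTION
        for r in root.iter("receiver") for a in r.iter("action"))
    return {"sms_permissions": sorted(perms & SMS_PERMS), "sms_receiver": receives_sms}

def classify_variant(manifest_xml, strings):
    """Map manifest indicators plus decoded strings onto the three variants described in the report."""
    ind = manifest_indicators(manifest_xml)
    phones = sorted({m for s in strings for m in PHONE_RE.findall(s)})
    firebase = sorted({m for s in strings for m in FIREBASE_RE.findall(s)})
    steals_sms = ind["sms_receiver"] and bool(ind["sms_permissions"])
    if not steals_sms:
        variant = "not an SMS stealer by these heuristics"
    elif phones and firebase:
        variant = "Hybrid"
    elif phones:
        variant = "SMS Forwarding"
    elif firebase:
        variant = "Firebase-Exfiltration"
    else:
        variant = "SMS access without a recognised exfiltration channel"
    return {**ind, "phone_numbers": phones, "firebase_endpoints": firebase, "variant": variant}

# Constructed sample input (not from a real sample): a manifest and strings from a decoded APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["forward_to=+919800000000", "https://example-placeholder.firebaseio.com/sms.json"]
```

Running `classify_variant(SAMPLE_MANIFEST, SAMPLE_STRINGS)` on the constructed input reports the Hybrid variant; a sample with only a number or only a Firebase URL falls into the other two classes, which is useful for bulk-sorting a corpus like the one in this report.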


The variants that exfiltrated data to Firebase exposed personal information to the public by sending it to an unsecured, publicly accessible endpoint.
Firebase Endpoint & Dashboard Observations
Analysis of the Firebase endpoints revealed that all data exfiltrated from the victim’s devices was openly accessible to anyone, as the endpoint lacked any authentication or authorization mechanisms.
The JSON data retrieved from these endpoints exposed critical administrator details, including:
Credentials for the C&C platform used to collect and manage stolen data.
The phone number designated for SMS exfiltration (if not hardcoded in the malware itself).

The leaked credentials allowed unauthorized access to the administrative dashboard the attackers use to configure the campaign and view all of the stolen data.

The dashboard featured an “Admin Whatsapp” button at the bottom. This button opens a WhatsApp web or app window, displaying the admin’s phone number. This suggests a multi-user environment where multiple threat actors can operate the dashboard and easily contact the admin for assistance directly from within the dashboard.
Attacker’s SIM-Location Analysis
Analyzing phone numbers embedded in the malware, our researchers traced their registrations to specific regions in India. The majority of these phone numbers were registered in West Bengal, Bihar, and Jharkhand, collectively accounting for approximately 63% of the total.
Exfiltrated Messages Distribution
The vast majority of exposed data consists of SMS messages. Our team analyzed the exfiltrated messages to identify bank-originated SMS and their distribution across the different banks.
Banks Targeted in the Campaign
Threat actors capitalized on the credibility and trust of banks and government agencies to increase their reach and distribution within India. By analyzing the app icons used by different samples, we identified the most commonly impersonated financial entities.
The proliferation of digital payments in India has led to an increase in mobile-based financial fraud. Given that OTPs remain a critical authentication mechanism, threat actors are increasingly deploying SMS-stealing malware to bypass this security layer. By combining credential theft, SMS interception and phishing techniques, these actors can execute unauthorized transactions and drain victims’ bank accounts via their mobile devices.
Zimperium vs. FatBoyPanel
To effectively safeguard employees and customers from advanced malware threats, enterprises must deploy proactive and robust security solutions that protect both employee devices and customer-facing mobile applications. Zimperium is uniquely positioned to defend against these threats with its industry-leading on-device detection capabilities and comprehensive Mobile Application Protection Suite (MAPS).
Zimperium’s Mobile Threat Defense (MTD) solution provides real-time, on-device protection against sophisticated malware, phishing attempts, and unauthorized access. By leveraging advanced machine learning and behavioral analysis directly on the device, MTD ensures employees can work securely without relying on cloud-based detection, thereby reducing response times and preserving user privacy. This proactive defense helps enterprises protect sensitive data, secure their workforce, and maintain business continuity.
Additionally, Zimperium’s MAPS secures internally developed mobile applications against reverse engineering, tampering, and unauthorized access. By embedding advanced security controls directly into the app, MAPS ensures mobile applications remain protected from exploitation both in app stores and on end-user devices. This prevents costly breaches, enhances regulatory compliance, and reinforces customer trust in digital banking and financial services.
Powered by Zimperium’s proprietary On-Device Dynamic Detection Engine, both MTD and MAPS solutions utilize cutting-edge machine learning, deterministic detection, and behavioral analysis to deliver unparalleled threat visibility and continuous protection. Unlike traditional cloud-dependent solutions, Zimperium’s on-device approach enables enterprises to detect and neutralize even the most advanced, zero-day threats without compromising user privacy or application performance.
The effectiveness of Zimperium’s technology is underscored by its ability to detect and mitigate all malware samples and malicious URLs identified in this research, proving its unmatched capability in protecting mobile-first enterprises against evolving cyber threats.
MITRE ATT&CK Techniques
To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table containing the relevant MITRE ATT&CK tactics and techniques for reference.
Tactic | ID | Name | Description |
Initial Access | T1660 | Phishing | Adversaries send malicious content to users in order to gain access to their device. |
Persistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | It creates a broadcast receiver to receive SMS events and outgoing calls. |
Credential Access | T1417.002 | Input Capture: GUI Input Capture | It is able to capture the displayed UI. |
Credential Access | T1635 | Steal Application Access Token | It steals OTPs. |
Discovery | T1426 | System Information Discovery | It gathers device information such as the androidId. |
Collection | T1417.002 | Input Capture: GUI Input Capture | It is able to capture the displayed UI. |
Collection | T1636.003 | Protected User Data: Contact List | It exports the device’s contacts. |
Collection | T1636.004 | Protected User Data: SMS Messages | It exfiltrates all incoming OTP SMS messages. |
Command and Control | T1637 | Dynamic Resolution | It receives the injected HTML payload endpoint dynamically from the server. |
Command and Control | T1481.002 | Web Service: Bidirectional Communication | It uses WebSocket communication to poll the threat actor’s server and retrieve the commands to execute. |
Exfiltration | T1639.001 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | The stolen credentials are sent to a different C2. |
Impact | T1516 | Input Injection | It displays injected payloads such as a pattern lock and mimics banking apps’ login screens through overlays to steal credentials. |
Impact | T1582 | SMS Control | It can read and send SMS. |
Indicators of Compromise
The IOCs for this campaign can be found here.
SOURCE: zimperium