[Figure: Permission Activity. Image: CRIL]
Cyble Research and Intelligence Labs (CRIL) has uncovered a new Android malware campaign dubbed SikkahBot, which has been active since July 2024 and is specifically targeting students in Bangladesh. Disguised as official Bangladesh Education Board scholarship apps, the malware harvests sensitive financial data and automates fraudulent banking transactions.
According to CRIL, “SikkahBot targets Bangladesh explicitly by impersonating the Bangladesh Education Board to distribute fraudulent scholarship apps.” These malicious applications are distributed via shortened links, often spread through smishing attacks, and redirect unsuspecting victims to rogue APK download sites.
Upon installation, victims are prompted to log in using Google or Facebook before being coerced into providing personal information such as their name, department, and institute. The malware then requests payment details including wallet number, PIN, and payment type. CRIL notes, “Once this data is provided, the user receives a message stating that a representative will contact them soon.”
SikkahBot’s power lies in its aggressive permissions abuse. After collecting credentials, it requests access to the Accessibility Service, SMS, call management, and overlay permissions. These privileges allow it to monitor user activity, intercept communications, and manipulate on-screen elements.
The report emphasizes: “Victims are coerced into granting high-risk permissions, such as Accessibility Service, SMS access, call management, and overlay permissions, which enable deep device control.”
Once permissions are granted, SikkahBot registers an SMS listener to capture incoming texts related to financial services. “It maintains a list of keywords that include bank names such as ‘bKash,’ ‘NAGAD,’ and ‘MYGP,’ along with specific numbers like ‘16216,’ ‘26969,’ and others,” CRIL explains. Captured SMS messages are exfiltrated to a Firebase server controlled by the attackers.
Beyond SMS theft, the malware exploits Accessibility Services to automate logins for three major Bangladeshi banking apps: bKash, Nagad, and Dutch-Bangla Bank. CRIL states, “When it detects that the user is interacting with any of these apps, it retrieves a PIN from the Firebase server. It attempts to automatically enter it into the login fields, bypassing user input.”
If no targeted apps are in use, SikkahBot falls back to executing USSD-based transactions—a technique that allows financial fraud even without internet access. The malware receives USSD codes and SIM details from its C2 server, then automatically completes the transaction dialogs.
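The behaviour summarized above (a single app combining Accessibility Service, SMS, call and overlay permissions with an SMS keyword filter and a Firebase backend) is exactly the kind of pattern an analyst can triage statically. The following Python script is an added example written for this page, not tooling from CRIL's report: it scores an Android manifest for that permission combination, checks for an SMS broadcast receiver, and scans a string dump for the keywords quoted in the report plus a Firebase hostname. The permission and action names are standard Android identifiers; the two manifests, the string dump, the `firebaseio.com` URL and the verdict thresholds are constructed assumptions for illustration.

```python
"""Static triage of an APK manifest and string dump for a SikkahBot-style
permission profile. Added example for this page; not CRIL's code, and the
sample manifests, strings and URL below are constructed, not real artifacts.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The four permission groups the report names as "high-risk".
HIGH_RISK_GROUPS = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS"},
    "call": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE",
             "android.permission.ANSWER_PHONE_CALLS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
# Accessibility is declared on a <service>, not via <uses-permission>.
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# SMS filter keywords quoted in the report, plus the Firebase domain it names.
SMS_KEYWORDS = ["bKash", "NAGAD", "MYGP", "16216", "26969"]
BACKEND_INDICATORS = ["firebaseio.com"]


def manifest_risk(manifest_xml: str) -> dict:
    """Return the high-risk permission groups a manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    groups = {g for g, perms in HIGH_RISK_GROUPS.items() if requested & perms}
    service_perms = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    if ACCESSIBILITY_PERMISSION in service_perms:
        groups.add("accessibility")
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    return {"groups": sorted(groups), "sms_receiver": SMS_RECEIVED_ACTION in actions}


def indicator_hits(strings: list) -> list:
    """Case-insensitive search of a string dump for the report's keywords."""
    lowered = [s.lower() for s in strings]
    return sorted(kw for kw in SMS_KEYWORDS + BACKEND_INDICATORS
                  if any(kw.lower() in s for s in lowered))


def triage(manifest_xml: str, strings: list) -> dict:
    """Combine manifest and string evidence into a verdict (thresholds assumed)."""
    risk = manifest_risk(manifest_xml)
    hits = indicator_hits(strings)
    groups = set(risk["groups"])
    if {"accessibility", "sms"} <= groups and hits:
        verdict = "high"        # deep device control plus banking SMS filter
    elif groups:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "groups": risk["groups"],
            "sms_receiver": risk["sms_receiver"], "hits": hits}


# Constructed manifest mirroring the permission set described in the report.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.scholarship.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

# Constructed string dump (what `strings` on classes.dex might show).
SAMPLE_STRINGS = [
    "Bangladesh Education Board Scholarship",
    "bkash",
    "16216",
    "https://placeholder-project.firebaseio.com/sms.json",  # placeholder, not a real C2
    "android.provider.Telephony.SMS_RECEIVED",
]

if __name__ == "__main__":
    print(triage(SUSPICIOUS_MANIFEST, SAMPLE_STRINGS))
    print(triage(BENIGN_MANIFEST, ["hello"]))
```

The score deliberately keys on the combination rather than any single permission: SMS or overlay access alone is common in legitimate apps, but an accessibility service declared next to an SMS receiver and a string list naming mobile-wallet short codes is the profile the report describes. In practice the manifest and strings would come from a decoded APK (for example via apktool or androguard); the constructed inputs here stand in for that.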
Since its discovery, CRIL has observed multiple variants of SikkahBot with enhanced automation features. Alarmingly, “although SikkahBot has been active since July 2024, both recent and older variants remain largely undetected on VirusTotal.”
This low detection rate, coupled with rapid iteration, highlights the persistence and sophistication of the operators behind the campaign.
The emergence of SikkahBot demonstrates how threat actors are weaponizing trust in official institutions to prey on vulnerable demographics—in this case, students seeking scholarships. By combining phishing, SMS interception, Accessibility Service abuse, and USSD automation, the malware has become a potent tool for financial fraud in Bangladesh.
As CRIL concludes: “The SikkahBot Android malware we identified targeting Bangladesh users leverages phishing, SMS interception, Accessibility Service abuse, and offline USSD automation to execute unauthorized transactions.”
Users in Bangladesh are urged to avoid downloading APKs from unofficial links and ensure their devices have strong mobile security protections in place.