
Figure: the phishing UI the app displays to harvest sensitive information (source: zLabs)
The zLabs research team has uncovered a large-scale mobile banking malware operation targeting users of Indian financial institutions. The campaign, composed of nearly 900 distinct malware samples, has compromised sensitive financial and personal data of an estimated 50,000 users, marking one of the most extensive breaches in India’s mobile banking history.
This operation, orchestrated by a threat actor dubbed FatBoyPanel, marks an alarming evolution in Android banking Trojans: it combines a novel SMS interception technique with Firebase-based exfiltration (whose storage the attackers left misconfigured) to siphon vast amounts of sensitive information.
According to zLabs, the threat actors behind this campaign employed deceptive Android Package (APK) files distributed via WhatsApp, masquerading as legitimate government or banking applications. Once installed, these apps coax victims into surrendering highly sensitive details, including:
- Aadhaar card number (roughly equivalent to a Social Security Number)
- PAN card number (tax identification required for bank transactions)
- Credit and debit card credentials
- ATM PINs and mobile banking login details
Unlike conventional banking Trojans, which relay stolen OTPs only through command-and-control (C&C) servers, this malware forwards intercepted SMS messages to live, attacker-controlled phone numbers, letting the operators read OTP codes in real time.
“This malware campaign leverages live phone numbers to redirect SMS messages, leaving a traceable digital trail for law enforcement agencies to track the threat actors,” the report states.
Investigators identified approximately 1,000 phone numbers linked to the campaign, with a majority registered in West Bengal, Bihar, and Jharkhand—states accounting for nearly 63% of all identified numbers used in the operation.
One of the most alarming discoveries in the investigation was the misconfiguration of Firebase storage buckets, exposing 2.5GB of stolen data. This trove of information included:
- SMS messages from Indian banks
- Bank account details
- Credit and debit card information
- Government-issued identification documents
Because these Firebase endpoints enforced neither authentication nor access control, anyone who knew the endpoint could read the stolen data, leaving it an open treasure trove for other cybercriminals as well.
“Analysis of the Firebase endpoints revealed that all data exfiltrated from the victim’s devices was openly accessible to anyone, as the endpoint lacked any authentication or authorization mechanisms,” the report reveals.
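The misconfiguration described above is the classic "public rules" mistake. As an added example (not code from the zLabs report, which does not say which Firebase product or rule format the attackers used), the script below takes Firebase Realtime Database security rules in their JSON form, a constructed open ruleset beside a constructed scoped one, and walks the tree to flag any `.read` or `.write` rule that grants access without consulting `auth`. The same check, pointed at your own project's exported rules, catches the pattern before it ships.

```python
# Added example (not from the zLabs report): a small linter for Firebase
# Realtime Database security rules JSON. Both rule sets below are constructed
# illustrations; they are not the rules found on the attackers' endpoints.
import json

# Constructed sample: the "public" rules that make every path world-readable
# and world-writable (anyone with the database URL can fetch it).
OPEN_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed sample: each signed-in user may read and write only their own
# subtree; nothing is readable at the root.
SCOPED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")


def _rule_is_public(value) -> bool:
    """Heuristic: a rule grants anonymous access when it is literally true, or
    when it is a string expression that never references the auth object.
    (An expression such as "auth == null" would need a real parser; this
    linter errs toward treating any auth reference as gated access.)"""
    if value is True:
        return True
    if isinstance(value, str):
        expr = value.strip()
        if expr.lower() == "true":
            return True
        return "auth" not in expr
    return False


def find_public_rules(rules: dict, path: str = "/") -> list:
    """Walk the rules tree and return (path, verb) pairs that are open to
    unauthenticated clients. The top-level "rules" key maps to "/"."""
    findings = []
    for key, value in rules.items():
        if key in (".read", ".write"):
            if _rule_is_public(value):
                findings.append((path, key))
        elif isinstance(value, dict):
            child = path if key == "rules" else path.rstrip("/") + "/" + key
            findings.extend(find_public_rules(value, child))
    return findings


if __name__ == "__main__":
    for name, ruleset in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(name, find_public_rules(ruleset))
```

Run against the open ruleset it reports both verbs at `/`; against the scoped ruleset it reports nothing. Rules that grant access at the root are inherited by every child path, which is why a single open `.read` at `/` exposes an entire database.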
Furthermore, leaked C&C server dashboard credentials were discovered within the exposed data, allowing unauthorized access to the attackers’ administrative panels. The presence of an “Admin WhatsApp” button within the dashboard suggests a multi-user cybercriminal ecosystem, where multiple operatives coordinate through a single interface.
The FatBoyPanel malware exhibits a multi-faceted attack strategy, with three identified variants:
- SMS Forwarding Variant – Captures and forwards stolen SMS messages to an attacker-controlled phone number.
- Firebase-Exfiltration Variant – Sends stolen SMS data to a Firebase endpoint acting as a C&C server.
- Hybrid Variant – Utilizes both techniques, forwarding messages to a phone number while simultaneously exfiltrating data via Firebase.
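The three variants differ in where captured SMS goes, and that shows up statically. As an added example (not from the zLabs report), the triage script below reads a decoded AndroidManifest.xml and a list of string constants, in the layout a decoder such as apktool produces (an assumption; the manifest inside an APK is binary XML and must be decoded first), and maps the combination of SMS permissions, an SMS_RECEIVED receiver, and Firebase URLs onto the report's three variants. The manifest and strings are constructed samples, not artefacts from the campaign.

```python
# Added example (not from the zLabs report): static triage that classifies a
# decoded Android app into the SMS-forwarding, Firebase-exfiltration or hybrid
# pattern. Inputs are constructed samples in apktool-style decoded form.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Hostnames used by Realtime Database and Cloud Storage for Firebase.
FIREBASE_HOST_RE = re.compile(
    r"https://[\w.-]+\.(firebaseio\.com|firebasestorage\.googleapis\.com)"
)

# Constructed sample manifest: SMS receive/read/send permissions plus a
# high-priority receiver for incoming SMS, the combination needed to capture an
# OTP and relay it by SMS to another number.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Constructed">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample of string constants as a decoder would list them.
SAMPLE_STRINGS = [
    "OTP",
    "https://constructed-example.firebaseio.com/sms.json",
]


def manifest_indicators(manifest_xml: str) -> dict:
    """Extract the manifest facts the classification relies on."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    sms_receiver = any(a.get(name_attr) == SMS_RECEIVED for a in root.iter("action"))
    return {
        "receive_sms": "android.permission.RECEIVE_SMS" in perms,
        "send_sms": "android.permission.SEND_SMS" in perms,
        "internet": "android.permission.INTERNET" in perms,
        "sms_receiver": sms_receiver,
    }


def classify_variant(manifest_xml: str, strings: list) -> str:
    """Map the indicators onto the report's three variants.
    Returns 'none' when the app cannot capture SMS at all, and
    'sms-capture-only' when it captures SMS but no exfiltration path is visible."""
    ind = manifest_indicators(manifest_xml)
    if not (ind["receive_sms"] and ind["sms_receiver"]):
        return "none"
    forwards_by_sms = ind["send_sms"]
    uses_firebase = ind["internet"] and any(FIREBASE_HOST_RE.search(s) for s in strings)
    if forwards_by_sms and uses_firebase:
        return "hybrid"
    if forwards_by_sms:
        return "sms-forwarding"
    if uses_firebase:
        return "firebase-exfiltration"
    return "sms-capture-only"


if __name__ == "__main__":
    print(classify_variant(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

The constructed sample classifies as hybrid: it can both send SMS and reach a Firebase host. A legitimate banking app rarely needs SEND_SMS alongside an SMS_RECEIVED receiver, so that pairing alone is worth a closer look in triage; the Firebase URL decides between the other two variants.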
To evade detection, the malware employs code obfuscation and packing techniques, rendering reverse engineering significantly more challenging. Additionally, it deploys stealth persistence mechanisms, hiding its app icon and resisting uninstallation.
The malware campaign heavily relies on phishing-based impersonation, exploiting trust in well-known financial institutions. Analysis of app icons within the malware samples revealed a highly targeted approach, with several Indian banks and government-backed financial schemes being imitated.
“Threat actors capitalized on the credibility and trust of banks and government agencies to increase its reach and distribution within India,” the report highlights.
This campaign is yet another example of how India’s rapid shift to digital banking has fueled the rise of sophisticated mobile-based financial fraud. With OTP-based authentication still a primary security measure for banking transactions, threat actors keep finding new ways to intercept and exploit these codes to drain victims’ accounts.