
C2 management mobile application | Source: McAfee Labs
McAfee Labs has revealed the discovery of a new Android banking trojan targeting Indian users, exploiting the country’s dependence on utility and banking apps to steal sensitive financial information. This sophisticated malware, detected as Android/Banker, has already infected 419 devices, intercepted 4,918 SMS messages, and stolen 623 entries of card and bank-related information, with numbers expected to rise as the campaign evolves.
The malware masquerades as utility and banking apps, tricking users into downloading malicious APKs through phishing campaigns, often spread via platforms like WhatsApp. McAfee explains, “This malware disguises itself as essential services, such as utility (e.g., gas or electricity) or banking apps, to get sensitive information from users.” One variant even used the logo of PayRup, a popular payment platform in India, to appear legitimate.

Once installed, the app:
- Requests permissions to access personal data like SMS messages.
- Prompts users to input financial details under the guise of making payments.
- Sends the stolen data to a command-and-control (C2) server while displaying a fake “payment failure” message to maintain the ruse.
The malware employs several advanced tactics to evade detection and maximize its impact:
- Hidden App Icon: By omitting the “android.intent.category.LAUNCHER” category from the main activity’s intent filter in its manifest, the app’s icon does not appear on the user’s launcher, making it harder to identify once installed.
- Data Exfiltration via Supabase: The malware uniquely uses Supabase, an open-source backend-as-a-service, to store stolen data. McAfee investigators discovered 5,558 records, including sensitive financial data, in the malware’s Supabase database, accessed through an exposed JSON Web Token (JWT) in the app’s code.
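The hidden-icon trick above can be checked for statically. The following is an added example, not code from McAfee or the malware: it scans a decoded AndroidManifest.xml (as produced by a tool such as apktool; the sample manifest here is constructed) and flags the combination the report describes, a MAIN activity with no LAUNCHER category plus SMS permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Constructed sample manifest (not the real sample): MAIN action present,
# LAUNCHER category missing, SMS permissions requested.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeutility">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Gas Bill Pay">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""

SMS_PERMISSIONS = {"android.permission.READ_SMS",
                   "android.permission.RECEIVE_SMS",
                   "android.permission.SEND_SMS"}

def analyze_manifest(manifest_xml: str) -> dict:
    """Return hidden-icon and SMS-permission findings for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(NAME) for el in root.iter("uses-permission")}
    has_launcher = False
    # activity-alias can also carry the launcher filter, so check both.
    for tag in ("activity", "activity-alias"):
        for component in root.iter(tag):
            for f in component.iter("intent-filter"):
                actions = {a.get(NAME) for a in f.iter("action")}
                categories = {c.get(NAME) for c in f.iter("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in categories):
                    has_launcher = True
    sms = sorted(permissions & SMS_PERMISSIONS)
    return {
        "package": root.get("package"),
        "hidden_icon": not has_launcher,   # no launcher entry at all
        "sms_permissions": sms,
        "suspicious": (not has_launcher) and bool(sms),
    }
```

A legitimate app with no launcher icon (a service-only helper, for instance) will also trip `hidden_icon`, which is why the verdict is only raised when SMS access is requested as well.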
India’s status as the largest user base for WhatsApp makes it a prime target for phishing. The trojan uses WhatsApp messages to lure victims into installing fake apps designed to mimic services for major financial and utility providers, such as:
- Axis Bank (ax_17.customer)
- Punjab National Bank (pnb_5.customer)
- Gas and Electricity Bill Payments (gs_5.customer, elect_5.customer)
McAfee found that each scam theme spawns multiple variants, increasing the malware’s reach and complicating detection efforts.
Unlike previous malware campaigns, this trojan includes a mobile app to manage its C2 infrastructure, allowing operators to send commands directly from their devices. This feature enables attackers to forward intercepted SMS messages and manage stolen data.