One Click, Bankrupt: Android Trojan Steals Through WhatsApp

In an era where mobile banking has become the norm, a new threat looms large, especially in India’s banking sector – Android phishing. Neil Tyagi and Fernando Ruiz from McAfee Labs have uncovered a perilous Android banking trojan, Android/Banker.AFX, which deceptively masquerades as a mandatory banking verification tool. This trojan cunningly spreads through WhatsApp messages, luring users to download a malicious app. Once installed, it becomes a tool for financial espionage, capable of intercepting SMS messages to steal one-time passwords and verification codes, leading to the draining of bank accounts.

Image: McAfee Labs

The modus operandi of this trojan is alarmingly simple yet effective. It begins with a WhatsApp message that creates a sense of urgency, urging users to download an Android Package (APK) to complete a so-called “Know Your Customer” (KYC) process, failing which their accounts would be blocked. This message expertly mimics the communication style of legitimate banking institutions, exploiting human emotions like curiosity and fear.

Upon installation, the trojan disguises itself using the icon of a well-known financial institution, SBI and then requests SMS-related permissions. Its landing page, a spitting image of SBI’s net banking page, is a locally loaded phishing site designed to harvest a treasure trove of personal and financial information from unsuspecting victims. This includes their full name, date of birth, account details, and even credit card information.

But the sophistication doesn’t end there. The trojan also employs Firebase to communicate with the attackers and transmit the stolen information, including credit card details. Its ability to intercept SMS messages is particularly alarming, as it can bypass OTP-based two-factor authentication, giving attackers unfettered access to victims’ accounts.

McAfee Labs’ static analysis of the malware reveals that it requests common permissions but notably the dangerous ‘RECEIVE_SMS’, a red flag when demanded by apps from third-party sources. The malware’s main package, disguised under an innocuous name, is designed to deceive users into granting SMS read permissions, under the guise of bank verification. Once this permission is granted, the trojan becomes an effective tool for cybercriminals to siphon off sensitive information.

McAfee Mobile Security has identified this threat as Android/Banker.AXF!ML and has been proactive in protecting users, with over 360 device infections prevented in just the last 30 days. This highlights the significance of the threat within India, though a few instances have been detected elsewhere, possibly linked to Indian users abroad.

In conclusion, while banking trojans like Android/Banker.AXF are not new or technologically sophisticated, they remain a persistent and lucrative threat. Cybercriminals continue to refine their social engineering tactics to ensnare victims. The first line of defense is user awareness. It’s crucial to avoid installing apps from third-party sources, especially those received via messaging apps. Users should also be wary of messages from untrusted sources and stick to official app stores for downloading banking apps. The use of reliable antivirus solutions like McAfee Mobile Security is strongly recommended, as they offer a robust defense against such threats.