
New Android Malware Poses as SBI Card and Axis Bank Apps to Steal Financial Data

McAfee’s Mobile Research Team has identified a sophisticated Android malware campaign aimed primarily at Hindi-speaking users in India. The malware masquerades as legitimate financial applications from institutions such as SBI Card, Axis Bank, and IndusInd Bank (the indicators below also list ICICI and Kotak lures).

This operation distributes malicious APKs through dynamically created phishing websites that mimic official banking portals, leveraging real assets such as images and JavaScript from genuine sites to enhance credibility.

Image: phishing website

Dual-Threat Campaign

What sets this malware apart is its dual functionality: it not only exfiltrates sensitive personal and financial data but also covertly mines Monero cryptocurrency using the open-source XMRig tool, activated remotely via Firebase Cloud Messaging (FCM).

The malware poses as a Google Play update to exploit user trust, prompting installations that lead to data theft.

As a member of the App Defense Alliance, McAfee reported these threats to Google, resulting in the blocking of the associated FCM account to curb further dissemination.

McAfee Mobile Security classifies all variants as high-risk, with telemetry indicating infections predominantly in India, though sporadic cases appear elsewhere.

Cryptomining Payload

The malware employs a multi-stage dropper architecture to evade static analysis and detection.

Upon installation, the APK presents a fake Google Play interface urging an “update,” while internally decrypting an encrypted DEX file from its assets folder using an XOR key.

This first-stage loader then decrypts and dynamically loads a second-stage payload, which manifests as a counterfeit financial app interface.
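The staged XOR decryption described above is cheap to undo once you know what the plaintext has to look like: every DEX file starts with a fixed eight-byte magic and carries a fixed header_size and endian_tag, so the key falls out of a known-plaintext XOR. The script below is an added example (not McAfee’s tooling and not code from the malware) that recovers the key from an encrypted assets/ blob using those invariants; it goes beyond the single-key case the article describes and handles repeating keys of up to eight bytes. The encrypted sample it decrypts is constructed inline; in practice you would feed it the extracted asset file.

```python
"""Known-plaintext recovery of a repeating XOR key from an encrypted DEX blob.

Added triage example for droppers that ship an XOR-encrypted classes.dex in
assets/. Not the malware's code and not McAfee's tooling; the encrypted
sample is constructed in build_sample_encrypted_dex().
"""
import struct
from typing import Optional

# Invariants of the DEX header (Dalvik Executable format):
#   offset 0..7    magic: "dex\n" + three-digit version + "\0"
#   offset 36..39  header_size, always 0x70 (little-endian)
#   offset 40..43  endian_tag, always 0x12345678 (little-endian)
DEX_VERSIONS = (b"035", b"037", b"038", b"039")
TAIL_OFF = 36
KNOWN_TAIL = struct.pack("<II", 0x70, 0x12345678)
MAX_KEY_LEN = 8  # the 8-byte magic can pin down at most 8 key bytes


def xor_bytes(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR data with a repeating key. offset is data's absolute position in
    the stream so that slices decrypt consistently; encrypt == decrypt."""
    klen = len(key)
    return bytes(b ^ key[(offset + i) % klen] for i, b in enumerate(data))


def recover_dex_xor_key(blob: bytes) -> Optional[bytes]:
    """Return the shortest repeating XOR key (1..MAX_KEY_LEN bytes) under
    which blob decrypts to a DEX header, or None if nothing checks out."""
    if len(blob) < TAIL_OFF + len(KNOWN_TAIL):
        return None
    for version in DEX_VERSIONS:
        magic = b"dex\n" + version + b"\0"
        # key[i] = cipher[i] ^ plain[i] for the eight magic bytes
        derived = xor_bytes(blob[:8], magic)
        for klen in range(1, MAX_KEY_LEN + 1):
            key = derived[:klen]
            # A key of this period must reproduce the whole magic ...
            if xor_bytes(blob[:8], key) != magic:
                continue
            # ... and an independent header region must agree, which rules
            # out short false positives and keys longer than MAX_KEY_LEN.
            if xor_bytes(blob[TAIL_OFF:TAIL_OFF + 8], key, TAIL_OFF) == KNOWN_TAIL:
                return key
    return None


def decrypt_dex_asset(blob: bytes) -> Optional[bytes]:
    """Decrypt an assets/ blob if it is a XOR-encrypted DEX; None otherwise."""
    key = recover_dex_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


def build_sample_encrypted_dex(key: bytes) -> bytes:
    """Constructed stand-in for a dropper's payload: a minimal DEX header
    (not a loadable DEX file) plus filler, XOR-encrypted with key."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\0"
    header[8:32] = bytes(range(24))  # checksum + signature, arbitrary here
    # file_size, header_size, endian_tag
    struct.pack_into("<III", header, 32, 0x80, 0x70, 0x12345678)
    return xor_bytes(bytes(header) + b"\x00" * 16, key)


if __name__ == "__main__":
    for key in (b"\x5a", b"K3y!", b"toolongkey"):
        found = recover_dex_xor_key(build_sample_encrypted_dex(key))
        print(f"true key {key!r:<14} recovered: {found!r}")
```

The ten-byte key in the demo is deliberately longer than the magic can pin down; the header_size/endian_tag check rejects the partial candidate instead of returning a wrong key, which is the failure mode to watch for when a sample uses a longer key or a different scheme entirely.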

Users are prompted to enter details like names, card numbers, CVVs, and expiration dates, which are transmitted to a command-and-control (C2) server.

Image: fake card verification screen

After submission, the app shows a deceptive confirmation page that claims an email verification will follow within 48 hours; none of the app’s functions actually do anything.

Embedded within the second-stage code is a Firebase messaging service declared in the manifest, listening for remote commands that trigger the mining component.

On command, the service downloads an encrypted .so binary from one of three hardcoded URLs, decrypts it, and runs it through Java’s ProcessBuilder as a standalone process, passing arguments that mirror XMRig’s command-line options, including the Monero mining pool to connect to.

Monero’s RandomX proof-of-work is designed for general-purpose CPUs rather than GPUs or ASICs, which is what lets the miner run on phone processors at all, and Monero’s privacy features obscure the transactions, which helps the operators launder the proceeds.

Log strings in the decrypted binary confirm that it is XMRig. The process runs silently in the background, so the victim sees nothing beyond a device that runs hot and drains its battery.
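Once the second stage launches the miner through ProcessBuilder, the argument list is the most useful artifact: the pool, the wallet and the algorithm are all on the command line. The script below is an added example (not from the article, the malware or the XMRig project) that parses a recovered argv, taken from decompiled code or from /proc/<pid>/cmdline on a rooted test device, using XMRig’s real option names, and flags a launch as Monero mining when it names a pool together with a Monero wallet or an rx/* algorithm. The binary path, pool host and wallet in the sample are constructed placeholders.

```python
"""Triage of a miner launch from its argument list.

Added example for the ProcessBuilder stage: given the argv handed to the
downloaded .so, pull out the pool, wallet and algorithm and decide whether
it is a Monero (XMRig-style) launch. Not the malware's code and not part
of XMRig; the sample argv, wallet, pool host and binary path are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# XMRig option names (short and long forms) that take a value.
VALUE_OPTS = {
    "-o": "url", "--url": "url",
    "-u": "user", "--user": "user",
    "-p": "pass", "--pass": "pass",
    "-a": "algo", "--algo": "algo",
    "-t": "threads", "--threads": "threads",
    "--donate-level": "donate_level",
    "--cpu-max-threads-hint": "cpu_max_threads_hint",
}
# XMRig switches that take no value.
FLAG_OPTS = {
    "-k": "keepalive", "--keepalive": "keepalive",
    "-B": "background", "--background": "background",
    "--nicehash": "nicehash", "--tls": "tls",
}
# Monero mainnet addresses: standard (95 chars, starts with 4), integrated
# (106 chars, starts with 4), subaddress (95 chars, starts with 8).
# Base58 has no 0, O, I or l.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
MONERO_ADDR = re.compile(rf"^(4{B58}{{94}}|4{B58}{{105}}|8{B58}{{94}})$")
POOL_URL = re.compile(r"^(?:stratum\+(?:tcp|ssl|tls)://)?([A-Za-z0-9.-]+):(\d{2,5})$")


@dataclass
class MinerLaunch:
    binary: str = ""
    options: Dict[str, str] = field(default_factory=dict)
    flags: Set[str] = field(default_factory=set)
    unknown: List[str] = field(default_factory=list)

    @property
    def pool(self) -> Optional[Tuple[str, int]]:
        m = POOL_URL.match(self.options.get("url", ""))
        return (m.group(1), int(m.group(2))) if m else None

    @property
    def wallet_is_monero(self) -> bool:
        # XMRig lets the wallet carry a ".worker" suffix; strip it first.
        wallet = self.options.get("user", "").split(".", 1)[0]
        return MONERO_ADDR.match(wallet) is not None

    @property
    def is_monero_miner(self) -> bool:
        algo = self.options.get("algo", "").lower()
        return self.pool is not None and (self.wallet_is_monero or algo.startswith("rx/"))


def parse_xmrig_argv(argv: List[str]) -> MinerLaunch:
    """Parse argv[0] as the binary and the rest as XMRig-style options."""
    launch = MinerLaunch(binary=argv[0] if argv else "")
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:         # --name=value form
            name, _, value = tok.partition("=")
            if name in VALUE_OPTS:
                launch.options[VALUE_OPTS[name]] = value
            else:
                launch.unknown.append(tok)
        elif tok in VALUE_OPTS and i + 1 < len(argv):   # -o value form
            launch.options[VALUE_OPTS[tok]] = argv[i + 1]
            i += 1
        elif tok in FLAG_OPTS:
            launch.flags.add(FLAG_OPTS[tok])
        else:
            launch.unknown.append(tok)
        i += 1
    return launch


def argv_from_proc_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline buffer: NUL-separated and NUL-terminated."""
    if not raw:
        return []
    return [p.decode("utf-8", "replace") for p in raw.rstrip(b"\0").split(b"\0")]


# Constructed sample: placeholder path, pool and wallet; real option names.
SAMPLE_WALLET = "4" + "AbCd" * 23 + "Ef"  # 95 base58 chars, not a real address
SAMPLE_ARGV = [
    "/data/data/com.example.fake/files/libmine.so",
    "-o", "pool.example.invalid:3333",
    "-u", SAMPLE_WALLET + ".worker1",
    "-p", "x",
    "--algo=rx/0",
    "--donate-level=1",
    "-k", "-B",
    "--cpu-max-threads-hint=50",
]

if __name__ == "__main__":
    launch = parse_xmrig_argv(SAMPLE_ARGV)
    print("pool:", launch.pool, "monero wallet:", launch.wallet_is_monero,
          "flags:", sorted(launch.flags), "verdict:", launch.is_monero_miner)
```

A launch that names a pool but neither a Monero wallet nor an rx/* algorithm is left unflagged rather than guessed at; pivot on the pool host and the wallet string instead, since both are also the values worth feeding into blocklists.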

This campaign builds on prior threats targeting India, as noted in McAfee’s previous reports, but innovates by integrating real-time phishing with dynamic payload loading and remote activation.

The dropper’s staged decryption complicates reverse engineering, while FCM-based triggers keep the malware dormant until commanded, reducing detection risks.

Phishing sites feature “Get App” buttons that deliver the APK, often promoted via SMS, WhatsApp, or social media.

Users should install apps only from Google Play, treat unsolicited links as suspect, and run a reputable mobile security product. Because the dropper itself mimics a Google Play update prompt, an “update” dialog that appears right after installing an app from a web link is a warning sign rather than reassurance.

This blend of data theft and cryptojacking underscores evolving malware sophistication, demanding vigilant user practices and advanced defenses.

Indicators of Compromise (IOCs)

Type      Value (SHA-256 for APKs)                                            Description
APK       2c1025c92925fec9c500e4bf7b4e9580f9342d44e21a34a44c1bce435353216c    SBI Credit Card
APK       b01185e1fba96209c01f00728f6265414dfca58c92a66c3b4065a344f72768ce    ICICI Credit Card
APK       80c6435f859468e660a92fc44a2cd80c059c05801dae38b2478c5874429f12a0    Axis Credit Card
APK       59c6a0431d25be7e952fcfb8bd00d3815d8b5341c4b4de54d8288149090dcd74    IndusInd Credit Card
APK       40bae6f2f736fcf03efdbe6243ff28c524dba602492b0dbb5fd280910a87282d    Kotak Credit Card
URL       https://www.sbi.mycardcare.in                                       Phishing site
URL       https://kotak.mycardcard.in                                         Phishing site
URL       https://axis.mycardcare.in                                          Phishing site
URL       https://indusind.mycardcare.in                                      Phishing site
URL       https://icici.mycardcare.in                                         Phishing site
Firebase  469967176169                                                        FCM account
