Microsoft has detected a notable increase in mobile banking Trojan campaigns directed at users in India, primarily through instant messaging (IM) apps on platforms such as WhatsApp and Telegram.
The perpetrators, posing as legitimate entities like banks and government services, lure users into installing malicious apps on their mobile devices.
Once these deceptive apps are installed, they compromise sensitive information such as personal details, banking information, payment card details and account credentials.
In an advisory released on Monday, Microsoft highlighted a shift in tactics. While previous campaigns involved sending malicious links, the current strategy involves directly sharing malicious APK files through IM and social media platforms. The new research delves explicitly into types of two fraudulent applications that disguise themselves as official banking apps in India.
The first instance involves a WhatsApp phishing campaign where users are prompted to update their Know Your Customer (KYC) information using a malicious APK file. The app, presenting itself as a legitimate bank’s KYC application, deceives users into revealing sensitive information, including account credentials and debit card details. The malware then collects and transmits this data to a command-and-control (C2) server and the attacker’s phone number.
“Upon installation, the fake app displays a bank icon posing as a legitimate bank app. Note that the app we analyzed is not an official bank app from the Google Play Store, but a fake app that we’ve observed being distributed through social media platforms,” Microsoft clarified.
In the second case, a counterfeit banking app focuses on harvesting payment card details, posing a considerable financial fraud risk for users. Some versions of the app include additional features such as capturing financial and personal information, as well as intercepting and pilfering one-time passwords (OTPs).
“When the user interacts with the app, it displays a launch screen featuring the app icon and prompting the user to grant SMS-based permissions. Once the requested permissions are enabled, the app displays a form for the user to enter their personal details, including their name, email address, mobile number and date of birth,” reads the advisory.
Read more on mobile banking Trojans: Anatsa Banking Trojan Targets Banks in US, UK and DACH Region
To counter these campaigns, Microsoft advocated user vigilance – suggesting app installation exclusively from official stores, awareness of social engineering tactics and the adoption of mobile security solutions.