New Android Banking Malware Targets Indian Banks: Steals Credentials, Intercepts OTPs via Fake Apps

Researchers at CYFIRMA have issued a warning about a new wave of cyberattacks leveraging malicious Android applications disguised as legitimate banking clients. These apps are designed to steal user credentials, intercept messages, and execute unauthorized financial transactions. According to analysts, the campaign is particularly aggressive in targeting customers of Indian banks, employing sophisticated evasion techniques and obfuscation strategies. The primary malware propagates through counterfeit websites, messaging platforms, phishing campaigns, and even fraudulent system updates.

Upon installation, the application requests critical permissions and silently initiates covert activity in the background. It can read and send SMS messages, intercept one-time passwords and notifications, monitor phone calls, and collect SIM-related information. Firebase is utilized both as a command-and-control channel and as a repository for exfiltrated data. Furthermore, the malware leverages auto-start mechanisms on reboot to maintain persistent access.

A defining feature of this attack is its modular architecture. The malware comprises two distinct components: a dropper and the primary payload. Initially, an APK dropper is downloaded, which covertly installs itself while mimicking the behavior of a benign app. It then deceives the user into installing a secondary APK, laden with data-stealing capabilities. The main component conceals itself from the application drawer, lacks an icon, and operates entirely in the background.

Social engineering plays a pivotal role in the attack. Victims are presented with counterfeit login forms that closely replicate the interface of legitimate banking apps. These forms even validate parameters such as the length of the phone number and PIN code to enhance authenticity. Collected data—including CVVs, card numbers, MPINs, and OTPs—is transmitted to Firebase, where attackers can retrieve it and exercise control over the compromised devices.

Further analysis reveals that the malware can execute remote commands via push notifications, enable call forwarding, initiate USSD requests, and exploit system permissions to extract metadata. By leveraging Firebase—a free service with default anonymous access—the malware’s command infrastructure remains virtually undetectable.

The distribution of these malicious apps spans a variety of channels, including fake banking websites, SEO manipulation, infected third-party app stores, malicious QR codes, and NFC tags. Some variants masquerade as system utilities such as Play Protect updates or battery managers. In certain cases, the malware may be pre-installed on low-cost devices or spread via USB during physical access.

CYFIRMA experts strongly urge users to disable app installations from unknown sources and to avoid clicking suspicious links received via SMS or messaging platforms. They also recommend deploying mobile EDR (Endpoint Detection and Response) solutions capable of monitoring app behavior in real time. For banks and telecom operators, integration with threat-intelligence-driven traffic filters and active surveillance of cloud service misuse is advised.

Experts contend that this campaign underscores the attackers’ high level of sophistication and highlights the inherent vulnerabilities of the Android ecosystem in the absence of centralized oversight. A single moment of carelessness by the user could result in the complete compromise of their financial data.