Spyware targeting customers of Top Indian Banks

Threat Actors (TAs) use or create Malware to compromise or harm users through various malicious activities. Spyware is one such example. In this instance, we observed TAs utilizing spyware to steal sensitive data from infected devices – this data could include financial and personal information.

This report will focus on two such malicious applications that TAs use to target the customers of major Indian banks. Through these malicious applications, TAs attempt to trick the users into installing their malware by disguising them as legitimate bank-related applications. They rely on having similar name and icon of the official banking apps.

Cyble Research Labs came across Twitter posts where other researchers have also posted about this type of Android malware.

During our analysis, we observed that these malicious applications have application screens similar to the legitimate banking applications which they are trying to impersonate.

Through these fake apps, the malware collects the victim’s banking credentials, credit card details, Personally Identifiable Information (PII) and credentials of the victim’s email accounts. We have analyzed one of these samples.

The figure below demonstrates the flow diagram of the application.

Figure 1 – Application Flow Diagram

Technical Analysis

The App names given to the spyware are SBI rewards and other names related to a few other major private bank’s apps.

APK Metadata Information

  • App Name:  SBI rewards
  • Package Name:
  • SHA256 Hash: e03b9badfdd85992c8c9f79e25d5975d08b550206f7beb561c5983b3ff1f36b8

Figure 2 shows the metadata information of the application.

Figure 2 – App Metadata Information

The below figure shows the application icon and name displayed on the Android device.

Figure 3 – App Icon and Name

The malware requests for Know Your Customer (KYC) documents such as address proof (govt. ID), PAN Card, and user’s selfie as shown in the below figure.

Figure 4 – App Requests KYC Documents

The malware also prompts the user to input their card details as shown below.

Figure 5 – App Requests Card Details

The malware displays a fake page to steal email account credentials across various email service providers as shown in the below figure.

Figure 6 – App Displays Fake Page to Steal the Credentials

Manifest Description

The malware requests the user for 11 different permissions. Out of these, it abuses 5 permissions. The dangerous permissions are listed below.

GET_ACCOUNTSAccess accounts details in the device
READ_SMSAccess SMSs in the device database (DB).
RECEIVE_SMSIntercept SMSs received on the victim’s device
READ_CALL_LOGAccess Call Logs
MODIFY_AUDIO_SETTINGSModify audio settings

The list of permissions the malware requests in the manifest file is given below.

Figure 7 – App Permissions list

The below figure shows the launcher activity of the malware.

Figure 8 – App Launcher Activity

Malware Behaviour

During our analysis, we observed that the application collects financial and personal information from the victim. The malware collects this information by utilizing fake screens, one such screen is shown in Figure 5.

The collected details include:

  • SMS data which also includes two-factor authentication codes/OTPs
  • Call logs
  • Device accounts synced on the device
  • Credit/Debit card information such as card number, expiry, CVV, card PIN.
  • Personal information such as name, email, DOB, mobile number
  • Hardware information such as IMEI number, device’s IP address  
  • Credentials of email accounts such as Google, Yahoo, Microsoft, etc.

Additionally, the malware also makes modifications to the infected device’s audio settings such as setting the device to silent mode etc.

Code Evidence

From our static analysis, we noticed that the malware is not using obfuscations techniques such as complex class names or encrypted strings. We also observed the spyware behavior during our analysis

The code used to collect SMSs and call logs are given in the screenshots below.

Figure 9 – Code to collect Call logs
Figure 10 – Code to collect SMSs

This financial spyware utilizes fake banking applications screens shown in Figure 5. The code to collect Credit/Debit card details is shown below.

Figure 11 – Code to Collect Credit/Debit Card Details

In addition to the banking credentials, the spyware is also capable of stealing credentials of the victim’s email accounts such as Google, Yahoo, etc (refer Figure 6) from the infected device by utilizing fake screens. The code to collect and upload these credentials is shown below.

Figure 12 – Code to Collect Email Accounts Credentials

The code snippet highlighter in Figure 13 demonstrates that the malware attempted to put the device in silent mode to avoid the user noticing incoming SMSs.

Figure 13 – Code to Put Device in Silent Mode

The spyware collects this information and uploads the data to a Command and Control (C&C) server. The TA controls the malware using commands send from this C&C.

C&C and the commands

The financial spyware utilizes multiple servers for uploading the collected data and also to receive commands from the TA.

The malware uses an open-source library, to communicate with C&C servers.

The code to send data to the C&C server is given below.

Figure 14 – Code to Upload Data

The malware encrypts the data before every upload. The data is encrypted using a combination of AES encryption and Base64 encoding as shown in the code below.

Figure 15 – Code to Encrypt Data

We have listed the commands used by the TA to control the infected device:

all_sms_receivedUpload all SMSs received
silentMake the device silent
force_callsFlag to enable/disable call log uploads
all_call_receivedUpload call logs
Force_smsFlag to enable/disable SMS uploads

Figure 16 shows the code to check for the commands.

Figure 16 – Code to Check for the Commands

Traffic Analysis

During our traffic analysis, we identified that the malware communicated to a URL: hxxps://testchat8564.herokuapp[.]com/ that is hosted on a free hosting service as shown in the below figure.

Figure 17 – Malware Communication

We identified that the malware sends the SMS data to TA’s C&C server hxxp://datasmsalluser[.]in/saver.php as shown in the below figure.

Figure 18 – Uploads SMSs Data to the TAs C&C

The malware sends the call logs data to TAs C&C server hxxp://datasmsalluser[.]in/savercall.php as shown in Figure 19.

Figure 19 – Uploads CallLogs to the TAs C&C

We identified that the malware encrypts the SMS data and sends it to the C&C server hxxps://testchat8564.herokuapp[.]com/ as shown in below figure.

Figure 20 – Uploads SMSs Data in Encrypted Format


These Android Spywares targets customers of major Indian Banks to steal sensitive information such as financial and personal data without the victim’s knowledge. This PII information and stolen credentials can be sold or exchanged in darkweb and deepweb to carry out further activities ranging from targeted attacks to financial fraud.

Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through increasingly sophisticated techniques. Such malicious applications often masquerade as legitimate applications to trick users into installing them.

Users should thus install applications only after verifying their authenticity. Apps should only be installed exclusively via the official Google Play Store and other trusted portals to avoid such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection?

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

How to identify whether you are infected?

  • Regularly check the Mobile/Wi-Fi data usage of applications installed in mobile devices.
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.

What to do when you are infected?

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
  • Perform factory reset.
  • Remove the application in case a factory reset is not possible.
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset.

What to do in case of any fraudulent transaction?

  • In case of a fraudulent transaction, immediately report it to the concerned bank

What should banks do to protect their customers?

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMSs, or emails. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476-Deliver Malicious App via Other Mean.
Initial AccessT1444-Masquerade as Legitimate Application
ExecutionT1575-Native Code
CollectionT1433-Access Call Log
CollectionT1412-Capture SMS Messages
Command and ControlT1436-Commonly Used Port
ExfiltrationT1532-Data Encrypted

Indicators of Compromise (IOCs)  

IndicatorsIndicator TypeDescription
e03b9badfdd85992c8c9f79e25d5975d08b550206f7beb561c5983b3ff1f36b8SHA256Malicious APK
f8677fbacd926fca9fb55239d9491573341c1546cd2ec59e5acc49d43bcf1586SHA256Malicious APK
hxxp://datasmsalluser[.]in/saver.phpURLUploads device’s SMS to this server
hxxp://datasmsalluser[.]in/savercall.phpURLUploads device’s CallLogs to this server
hxxps://testchat8564.herokuapp[.]com/ device’s data to this server
hxxp://testdata112[.] used for updating the app
hxxps://unsaleable-curls.000webhostapp[.]com/data4.phpURLC&C used for updating the app

Comments are closed.

Scroll to Top