Banking Malware Uses Live Numbers to Hijack OTPs, Targeting 50,000 Victims
A banking malware campaign using live phone numbers to redirect SMS messages has been identified by the zLabs research team, uncovering 1,000+ malicious apps and 2.5GB of exposed data.
Mobile devices have become a prime target for financial fraud, as the availability of digital payments and interception of OTPs (one-time passwords) for authentication make them vulnerable. Threat actors’ latest targets are Indian bank users, forced to reveal sensitive financial/personal data in a sophisticated mobile malware campaign, uncovered by the Zimperium zLabs research team.
According to the company, banking trojans are targeting Indian banks and government institutions, and live phone numbers are used to intercept and redirect SMS messages, putting sensitive data at risk. This campaign is believed to be the work of a single threat actor and targets mobile devices running the Android OS. The researchers have dubbed the actor “FatBoyPanel.”
This “coordinated effort” utilizes over 1,000 malicious Android applications designed to steal financial and personal data, researchers noted in the blog post shared with Hackread.com ahead of publishing on Wednesday.
These apps, disguised as legitimate banking and government tools, are distributed primarily through WhatsApp. Victims are tricked into revealing Aadhaar and PAN card details, ATM PINs, and mobile banking credentials.
The most frequently impersonated banks are:
- ICICI: 15.2%
- SBI: 10.5%
- RBL: 11.9%
- PNB: 12.9%
Unlike traditional malware campaigns, this one employs a more innovative approach to OTP theft. As observed by Zimperium researchers, instead of relying solely on command-and-control servers, the malware intercepts and redirects SMS messages in real time using live phone numbers. This method, however, leaves a traceable digital trail and may aid law enforcement in identifying the perpetrators.
zLabs researchers have identified around 900 malware samples and approximately 1,000 phone numbers involved in this operation. Around 63% of these numbers were registered in West Bengal, Bihar, and Jharkhand.
- Bihar: 22.6% of victims
- Jharkhand: 10.0% of victims
- West Bengal: 30.2% of victims
The scope of this campaign is substantial. Analysis of the malicious apps reveals shared code, user interface elements, and app logos, indicating a centralized operation. Furthermore, researchers discovered over 222 unprotected Firebase storage buckets containing 2.5 gigabytes of stolen data. This exposed information, including bank details, card information, government IDs, and SMS messages, affects an estimated 50,000 victims.
The phishing UI used within the app to steal sensitive information, along with the admin dashboard view of the C&C servers managed by the threat actors (Via Zimperium zLabs)
The malware operates in three distinct variants: SMS Forwarding, Firebase-Exfiltration, and a Hybrid approach. All variants intercept and exfiltrate SMS messages, including OTPs, enabling unauthorized transactions. Evasion techniques include hiding its icon, resisting uninstallation, and using code obfuscation and packing.
The most common senders of the intercepted SMS messages are:
- Jio Payments: 47.4%
- Airtel Payments Bank: 18.5%
Hardcoded phone numbers within the malware and the Firebase endpoints act as exfiltration points for stolen data. The administrative dashboard for this platform even contained a “WhatsApp Admin” button, suggesting a multi-user environment and facilitating direct communication among the threat actors.
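The static triage heuristic below is an added example, not code from Zimperium's report, that scores the artifacts a decompiled APK yields against the traits described here: SMS permissions, hardcoded Indian phone numbers, Firebase endpoints, KYC-style phishing prompts and the icon-hiding API. The sample manifest permissions and strings are constructed placeholders, not real indicators from the campaign.

```python
import re
from dataclasses import dataclass

# Constructed sample of what a decompiled APK (e.g. via apktool) yields: manifest permissions
# and string constants. Every value here is an invented placeholder, not a real indicator.
SAMPLE_PERMISSIONS = ["android.permission.INTERNET", "android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS", "android.permission.SEND_SMS"]
SAMPLE_STRINGS = [
    "https://example-project-placeholder.firebaseio.com/",  # placeholder Firebase endpoint
    "+919800000000",                                         # placeholder forwarding number
    "Enter your Aadhaar number and ATM PIN",                 # KYC-style phishing prompt
    "setComponentEnabledSetting",                            # PackageManager API that hides an icon
]

SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
# Indian mobile numbers: optional +91/0 prefix, first digit 6-9, ten digits, not inside longer digit runs.
INDIAN_MSISDN = re.compile(r"(?<!\d)(?:\+91|0)?[6-9]\d{9}(?!\d)")
FIREBASE_URL = re.compile(r"https?://[\w.-]+\.(?:firebaseio\.com|firebasestorage\.app)\S*")
KYC_TERMS = ("aadhaar", "pan card", "atm pin", "otp")
ICON_HIDE_API = "setComponentEnabledSetting"

@dataclass
class Triage:
    sms_permissions: list
    phone_numbers: list
    firebase_endpoints: list
    kyc_terms: list
    hides_icon: bool
    variant_guess: str  # sms-forwarding, firebase-exfiltration, hybrid or none
    score: int

def triage(permissions, strings):
    sms = sorted(SMS_PERMS & set(permissions))
    numbers = sorted({m.group(0) for s in strings for m in INDIAN_MSISDN.finditer(s)})
    endpoints = sorted({m.group(0) for s in strings for m in FIREBASE_URL.finditer(s)})
    kyc = sorted({t for s in strings for t in KYC_TERMS if t in s.lower()})
    hides_icon = any(ICON_HIDE_API in s for s in strings)
    if numbers and endpoints:
        variant = "hybrid"
    elif numbers:
        variant = "sms-forwarding"
    elif endpoints:
        variant = "firebase-exfiltration"
    else:
        variant = "none"
    # An exfiltration channel only counts when the app can actually read incoming SMS.
    channel_weight = 2 if sms else 0
    score = len(sms) + channel_weight * (bool(numbers) + bool(endpoints)) + len(kyc) + int(hides_icon)
    return Triage(sms, numbers, endpoints, kyc, hides_icon, variant, score)
```

Run `triage()` over the permissions and strings of each app in a batch; apps sharing the same phone numbers or Firebase hosts cluster naturally, which mirrors the shared-code finding above.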
To protect yourself from mobile malware, download apps from official app stores and avoid downloading APK files from websites, messaging apps or untrusted sources. Verify app details before installing and avoid apps that request excessive permissions for a secure mobile experience.