Scams happen wherever scammers can contact their victims. F-Secure has detected an on-going scam targeting individuals in India. The main spreading mechanism is via WhatsApp direct messages that are directly encouraging targeted WhatsApp users to download malicious Android installation files. The messages claim to originate from a well-known bank, for example Axis bank, ICICI bank, or SBI bank.
The scam starts with the victim receiving a message on WhatsApp that attempts to invoke a sense of urgency. The message typically intends to scare the victim by suggesting their bank account is blocked or about to be closed – unless the user updates some purported mandatory details by installing the accompanying APK file.
The attacker hopes that by using these manipulation tricks, the victim will install the malware. Once the victim installs the APK attachment, the malware then takes over.
So, what happens once the victim clicks on the APK attachment? We at F-Secure obtained a WhatsApp message from one of our sources (shown in Figure 2). We analyzed the APK attached to this message, found out the following:
- Upon execution, the app requests “send and view SMS” permission, as shown in Figure 3. This is a peculiar request that will have a great significance on the malware’s operations. We will explain later the reason behind this permission request.
- Once this permission is granted, the app proceeds through a series of activities (screens) that each ask for different personal information from the victim (Figure 4). The personal information includes mobile number, personal account number (PAN – a number issued by Indian tax department), date of birth, debit card details, and so on.
- Once the victim submits all this information, a fake “success” message (Figure 5) is shown to the victim promising them that the required mandatory data has been submitted. But of course, in reality, no updates are sent to the bank.
In other similar malware samples that we analyzed, the final screen apart from showing a “success” message, also displayed a text advising the user against uninstalling the app because the “bank details update” app is only available outside of Play Store (Figure 6).
What really happens in the background?
As we saw in the walkthrough, the dummy bank application pretends to get details from the victim and claims to update their account in the bank. Moreover, what happens in reality is something totally different. The details submitted by the victim are exfiltrated either to a cloud database, such as Firebase database, or to a C2 server hosted on a domain controlled by the attacker.
Multifactor authentication bypass
The primary goal of the malware is to steal the victim’s bank credentials, and then potentially perform an account takeover. However, to achieve this, the attacker first needs to login to the victim’s bank account.
A bank app typically sends a one-time password (OTP) to the user’s mobile, if multi-factor authentication has been set up. Thus, merely stealing the victim’s credentials is not enough for the attacker. Access is also required to the OTP that the bank sends to the victim’s mobile via a text message, after the attacker logs into the victim’s account using the stolen credentials. And this is where the previously acquired “send and receive SMS permissions” comes into play (Figure 3).
Once the real OTP text message is received by the victim’s mobile, the device issues an SMS_RECEIVED_ACTION broadcast which is handled by the malware as well. The malware then forwards this message to a hardcoded phone number, thereby gaining access to the OTP, and thus effectively bypassing MFA.
Even though the ongoing scam targets banks in India, it is easy to see that this can be easily generalized to include other scams. Also, as WhatsApp has been adopted worldwide, the reach of such scams can be equally large. We advise strong caution when clicking on any unknown links/attachments, especially those received via WhatsApp.