New banking scams delivered instantly via WhatsApp

Amit Tambe

27.10.23 4 min. read

The scam 

Scams happen wherever scammers can reach their victims. F-Secure has detected an ongoing scam targeting individuals in India. The main spreading mechanism is WhatsApp direct messages that urge the targeted users to download malicious Android installation files (APKs). The messages claim to originate from a well-known Indian bank, for example Axis Bank, ICICI Bank, or SBI.

Figure 1. Scam message appealing to urgency (from a LinkedIn post)

Figure 2. Another scam message appealing to urgency (acquired by F-Secure)

The scam starts with the victim receiving a message on WhatsApp that attempts to invoke a sense of urgency. The message typically intends to scare the victim by suggesting their bank account is blocked or about to be closed – unless the user updates some purported mandatory details by installing the accompanying APK file.  

The attacker hopes that by using these manipulation tricks, the victim will install the malware. Once the victim installs the APK attachment, the malware then takes over. 

Malware walkthrough 

So, what happens once the victim opens the APK attachment? We at F-Secure obtained one of these WhatsApp messages from one of our sources (shown in Figure 2). We analyzed the APK attached to it and found the following:

  • Upon launch, the app requests permission to send and view SMS messages, as shown in Figure 3. A "bank details update" form has no plausible need for this, and the request is central to the malware's operation; the reason becomes clear in the MFA bypass section below.
     

Figure 3. SMS permissions requested by malware

  • Once this permission is granted, the app proceeds through a series of activities (screens) that each ask the victim for different personal information (Figure 4): mobile number, Permanent Account Number (PAN, the taxpayer identifier issued by the Indian Income Tax Department), date of birth, debit card details, and so on.
     

 

Figure 4. Series of screens extracting the victim’s personal information

  • Once the victim submits all this information, a fake "success" message (Figure 5) tells them that the mandatory data has been submitted. In reality, nothing is sent to the bank.

Figure 5. Fake “success” message

Figure 6. Alternate “success” message advising against uninstallation

 

In other similar samples we analyzed, the final screen not only showed a "success" message but also advised the user against uninstalling the app, on the pretext that the "bank details update" app is only available outside the Play Store (Figure 6). Keeping the app installed matters to the attacker because the SMS interception described below only works while the app remains on the device.

 

What really happens in the background? 

Data stealing 

As we saw in the walkthrough, the fake bank application pretends to collect details from the victim and claims to update their account at the bank. What actually happens is quite different: the details submitted by the victim are exfiltrated either to a cloud database, such as a Firebase database, or to a C2 server hosted on a domain controlled by the attacker.

 

Figure 7. Personal user data being uploaded to cloud

Multifactor authentication bypass 

The primary goal of the malware is to steal the victim's bank credentials and then, potentially, take over the account. To do this, the attacker must first log in to the victim's bank account.

If multi-factor authentication is set up, the bank typically sends a one-time password (OTP) to the user's mobile as a text message when a login is attempted. Stolen credentials alone are therefore not enough for the attacker: after logging in with them, the attacker also needs the OTP that the bank delivers to the victim's phone. This is where the SMS permissions granted at installation come into play (Figure 3).

When the bank's OTP text arrives, Android delivers an SMS_RECEIVED broadcast (action android.provider.Telephony.SMS_RECEIVED) to every app holding the RECEIVE_SMS permission that has registered a receiver for it, including the malware. The malware's receiver reads the message body and forwards it by SMS to a hardcoded phone number, giving the attacker the OTP and effectively bypassing MFA. Two details matter for defenders. First, the malware does not filter: every incoming SMS is forwarded (Figure 8), not just bank OTPs. Second, since Android 4.4 a non-default SMS app cannot abort this broadcast, so the victim still sees the OTP in their own messaging app; an OTP arriving for a login the victim did not initiate is the one visible sign of the attack in progress.

Figure 8. Forward all SMSs to the attacker
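Putting the two background behaviours together (exfiltration to a Firebase database or C2 domain, and SMS interception plus forwarding), the following added Python example shows how an analyst can triage a sample statically for this pattern. It is not F-Secure's code and not part of the original post. It assumes the manifest has been decoded with apktool (`apktool d sample.apk`) and that printable strings have been extracted from classes.dex (for example with `strings`); the manifest, hostname and phone number below are constructed placeholders, not indicators from the real samples.

```python
# Added example (not F-Secure's tooling): static triage of a decoded
# AndroidManifest.xml plus extracted strings for the SMS-stealer pattern
# described in the post. Assumes apktool-decoded manifest and `strings` output.
# All sample data below is constructed for illustration.
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
SEND_SMS = "android.permission.SEND_SMS"
INTERNET = "android.permission.INTERNET"

# Firebase database hosts embedded as literals: candidate exfiltration endpoints.
EXFIL_HOST_RE = re.compile(
    r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)\b", re.I)
# Indian mobile numbers (optionally +91-prefixed) embedded as literals:
# candidate forwarding targets for stolen SMS.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?91)?[6-9]\d{9}(?!\d)")


def _a(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def analyze_manifest(xml_text):
    """Collect requested permissions and receivers registered for SMS_RECEIVED."""
    root = ET.fromstring(xml_text)
    perms = {_a(p, "name") for p in root.iter("uses-permission")}
    receivers = []
    for rcv in root.iter("receiver"):
        for filt in rcv.iter("intent-filter"):
            actions = {_a(act, "name") for act in filt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = _a(filt, "priority")
                receivers.append({"name": _a(rcv, "name"),
                                  "priority": int(prio) if prio else 0})
    return {"permissions": perms, "sms_receivers": receivers}


def analyze_strings(lines):
    """Pull exfil endpoints and hardcoded phone numbers out of string dumps."""
    endpoints = sorted({m.group(0) for ln in lines for m in EXFIL_HOST_RE.finditer(ln)})
    numbers = sorted({m.group(0) for ln in lines for m in PHONE_RE.finditer(ln)})
    return {"exfil_endpoints": endpoints, "hardcoded_numbers": numbers}


def triage(xml_text, lines):
    """Combine manifest and string evidence into findings and a verdict."""
    m = analyze_manifest(xml_text)
    s = analyze_strings(lines)
    perms = m["permissions"]
    findings = []
    if RECEIVE_SMS in perms and m["sms_receivers"]:
        findings.append("receiver for SMS_RECEIVED: can read incoming OTPs")
    if SEND_SMS in perms and s["hardcoded_numbers"]:
        findings.append("SEND_SMS plus literal mobile number: SMS forwarding target")
    if INTERNET in perms and s["exfil_endpoints"]:
        findings.append("INTERNET plus Firebase endpoint: likely data exfiltration")
    # One hit alone is weak evidence (SMS apps and OTP autofill also register
    # for SMS_RECEIVED); the combination is what characterises this family.
    verdict = "suspicious" if len(findings) >= 2 else "review" if findings else "clean"
    return {"verdict": verdict, "findings": findings,
            "sms_receivers": m["sms_receivers"], **s}


# Constructed sample: a decoded manifest with the stealer's permission set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kycupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Bank KYC Update">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample strings; hostname and number are placeholders, not real IoCs.
SAMPLE_STRINGS = [
    "https://kyc-update-1a2b3.firebaseio.com/users.json",
    "+919876543210",
    "Your details have been submitted successfully",
    "android.provider.Telephony.SMS_RECEIVED",
]

# Constructed benign manifest for contrast: network access only, no SMS receiver.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), indent=2))
    print(json.dumps(triage(BENIGN_MANIFEST, ["https://example.com/api"]), indent=2))
```

The three checks mirror the behaviour described above: a receiver for SMS_RECEIVED, SEND_SMS together with a literal mobile number, and INTERNET together with a Firebase endpoint. A single hit only yields "review", because legitimate messaging and OTP-autofill apps also register for SMS_RECEIVED; it is the combination, typically alongside a high intent-filter priority, that distinguishes this family from benign apps.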

Conclusion 

Although this campaign targets customers of Indian banks, the same playbook can easily be adapted to other banks, countries and pretexts. And because WhatsApp is used worldwide, the potential reach is equally large. We advise strong caution with unknown links and attachments, especially those received via WhatsApp; a legitimate bank app is installed from the Play Store, not from an APK sent in a chat message.

IoCs (SHA-256)

3285efe3940fbdd19a6eeaa727ddef6053d43b74c566a116d45aaf01fa899e67 

59c369e39a0c3e87df489010984261ef9a60d9fdcd7b0432b57f7717bb518731 

d840eaed376b81b66f8fb12c9c72e6b315a2afaf771aae00e5d98f95a0946266 

b8d6c5aa1be913567f3d612e576b5000ca5af8a200b1701be7c200c90f1bcc42 

8fd57764f05c00438c4c84c65ab6b77ba0f7c4aecf3c154dc941e68dc589e436 

b13c231ad93992b50226e77d95b3fdaaa1f5869c835b7a3cc63a04d80e0ea88a 

2895252067e0262505236b9c09906c0c5dec5a347a880946dd8a831173eb67cb 

2b6a61f95832590946d71a9cd8dc403462a4f16c99a0c3532b1db1bf90596619 

0216932a38d20d15bbb0a2ccb56cb4517be1cd267931741f89e0726557b63389 

f4fd11d2ce55ab1bea9a56194ce3d0723256aedbaee2a62dc3a738639d158408