Malicious Android Apps Mimic as Popular Indian Banking Apps Steal Login Credentials

Attackers are weaponizing India’s appetite for mobile banking by circulating counterfeit Android apps that mimic the interfaces and icons of public-sector and private banks. Surfacing in telemetry logs on 3 April 2025, the impostors travel through smishing texts, QR codes and search-engine poisoning, tricking users into sideloading the packages. Cyfirma analysts noted that more than 7,000 devices attempted to contact the same Firebase Cloud Messaging (FCM) endpoint within 48 hours of discovery, underscoring the campaign’s reach.

During the initial execution window, a lightweight dropper decrypts and writes its true payload to external storage before prompting Android’s installer via a forged update dialog. If INSTALL_NOW executes without user oversight, PackageInstaller proceeds and the new payload masks itself by declaring only an INFO category activity, so no launcher icon appears. REQUEST_INSTALL_PACKAGES bypasses Play Protect, READ_SMS captures OTPs, and QUERY_ALL_PACKAGES gives the trojan a panoramic view of installed apps, laying the groundwork for overlay attacks.

The installed payload then presents the deceptive UI that harvests phone numbers, 4-digit MPINs and 3-digit CVVs, which are instantly uploaded to a private Firebase Realtime Database. On boot, AutostartHelper re-enables services, while a SubscriptionManager call maps active SIM slots to numbers, ensuring every intercepted SMS is tagged with the correct sender before JSON exfiltration through FCM. Once credentials are secured, the malware quietly diverts voice verification by issuing the USSD string *21attackerNumber#, enabling unconditional call forwarding.
Persistence is obtained through a BOOT_COMPLETED receiver and the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS flag, allowing the process to survive both reboots and aggressive power-management routines. Security teams warn that such tactics can facilitate full account takeover in minutes.
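The permission and component pattern described above (install-packages plus SMS plus package-query permissions, a BOOT_COMPLETED receiver, and an activity with no LAUNCHER category) is something a defender can check statically. The following triage script is an added example, not code from the article or from Cyfirma; it parses a decoded AndroidManifest.xml and lists which parts of the pattern are present. The sample manifest and the package name com.example.fakebank are constructed placeholders.

```python
# Added example (not from the article or Cyfirma): static triage of a decoded
# AndroidManifest.xml for the permission/component pattern the article describes.
import xml.etree.ElementTree as ET
NAME = "{http://schemas.android.com/apk/res/android}name"  # the android:name attribute

# Permissions the article attributes to the counterfeit banking apps.
SUSPECT_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload a second-stage payload",
    "android.permission.READ_SMS": "can read OTP SMS",
    "android.permission.QUERY_ALL_PACKAGES": "can enumerate installed apps for overlays",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can restart itself after reboot",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "can evade power-management kills",
}

def _has_filter(component, action, category=None):
    """True if the component declares an intent-filter with this action (and category)."""
    for f in component.findall("intent-filter"):
        actions = {a.get(NAME) for a in f.findall("action")}
        cats = {c.get(NAME) for c in f.findall("category")}
        if action in actions and (category is None or category in cats):
            return True
    return False

def triage_manifest(xml_text):
    """Return the list of findings that match the article's pattern for one manifest."""
    root = ET.fromstring(xml_text)
    declared = {p.get(NAME) for p in root.findall("uses-permission")}
    findings = [why for perm, why in SUSPECT_PERMISSIONS.items() if perm in declared]
    activities = [a for a in root.iter() if a.tag in ("activity", "activity-alias")]
    if not any(_has_filter(a, "android.intent.action.MAIN",
                           "android.intent.category.LAUNCHER") for a in activities):
        findings.append("no MAIN/LAUNCHER activity: no icon in the app drawer")
    if any(_has_filter(r, "android.intent.action.BOOT_COMPLETED") for r in root.iter("receiver")):
        findings.append("BOOT_COMPLETED receiver: restarts services after reboot")
    return findings
# Constructed sample manifest (placeholder package name) mirroring the described behaviour.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.fakebank">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application><activity android:name=".Main"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.INFO"/>
    </intent-filter></activity>
    <receiver android:name=".AutostartHelper"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver></application>
</manifest>"""
```

Run `triage_manifest` over manifests extracted with apktool or a similar decoder; a legitimate banking app will normally declare a LAUNCHER activity and will not request REQUEST_INSTALL_PACKAGES.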

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 25 Jul 2025 09:05:42 +0000


Cyber News related to Malicious Android Apps Mimic as Popular Indian Banking Apps Steal Login Credentials

Ten new Android banking trojans targeted 985 bank apps in 2023 - This year has seen the emergence of ten new Android banking malware families, which collectively target 985 bank and fintech/trading apps from financial institutes across 61 countries. Banking trojans are malware that targets people's online bank ...
1 year ago Bleepingcomputer.com
29 malware families target 1,800 banking apps worldwide - Mobile banking is outpacing online banking across all age groups due to its convenience and our desire to have those apps at our fingertips, according to Zimperium. This surge is accompanied by a dramatic growth in financial fraud. The research ...
1 year ago Helpnetsecurity.com
PixPirate: New Android Banking Trojan Targeting Brazilian Financial Institutions - A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of ...
2 years ago Thehackernews.com
Cybercriminals expand targeting of Iranian bank customers with known mobile malware - Researchers have uncovered more than 200 fake mobile apps that mimic major Iranian banks to steal information from their customers. The campaign was first discovered in July of this year, but since then, the cybercriminals have expanded their ...
1 year ago Therecord.media
Malicious Android 'Vapor' apps on Google Play installed 60 million times - Although all of these apps have since been removed from Google Play, there's a significant risk that Vapor will return through new apps as the threat actors have already demonstrated the ability to bypass Google's review process. Bitdefender ...
4 months ago Bleepingcomputer.com
Over 90 malicious Android apps with 5.5M installs found on Google Play - Over 90 malicious Android apps were found installed over 5.5 million times through Google Play to deliver malware and adware, with the Anatsa banking trojan seeing a recent surge in activity. Anatsa is a banking trojan that targets over 650 ...
1 year ago Bleepingcomputer.com
FjordPhantom Android malware uses virtualization to evade detection - A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection. The malware was discovered by Promon, whose analysts report that it currently spreads via emails, SMS, and ...
1 year ago Bleepingcomputer.com
How an Indian startup hacked the world - Reuters previously named Appin in a story about Indian cyber mercenaries published last year. This report paints the clearest picture yet of how Appin operated, detailing the world-spanning extent of its business, and international law enforcement's ...
1 year ago Reuters.com
EFF Helps News Organizations Push Back Against Legal Bullying from Cyber Mercenary Group - For the last several months, there has emerged a campaign of bullying and censorship seeking to wipe out stories about the mercenary hacking campaigns of a less well-known company, Appin Technology, in general, and the company's cofounder, Rajat ...
1 year ago Eff.org
New Wave of 'Anatsa' Banking Trojans Targets Android Users in Europe - The campaign has been ongoing for at least four months and is the latest salvo from the operators of the malware, which first surfaced in 2020 and has previously notched victims in the US, Italy, United Kingdom, France, Germany, and other countries. ...
1 year ago Darkreading.com
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
1 year ago Cysecurity.news
RBI Has Mandated That All Bank Websites in India migrate to the .bank.in  - This landmark cybersecurity initiative aims to create a more secure digital banking ecosystem and combat the rising threat of phishing attacks targeting Indian banking customers. Cybersecurity experts estimate that phishing attacks targeting Indian ...
3 months ago Cybersecuritynews.com
ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
2 years ago Hackread.com
AutoSpill attack steals credentials from Android password managers - Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. In a presentation at the Black Hat Europe security conference, researchers from the International ...
1 year ago Bleepingcomputer.com
Sophisticated Web Injection Campaign Targets 50,000 Individuals, Pilfering Banking Data - Web injections, a favoured technique employed by various banking Trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cybercriminals to manipulate data exchanges between users and web browsers, ...
1 year ago Cysecurity.news
New Android Malware 'Salvador Stealer' That Phish & Steals Your Banking Details & OTPs - Cybersecurity researchers have discovered a sophisticated new Android malware called “Salvador Stealer” that targets banking credentials and one-time passwords (OTPs) through an elaborate phishing scheme. Once active, Salvador Stealer ...
3 months ago Cybersecuritynews.com
Lampion Banking Malware Employs ClickFix Lures To Steal Banking Information - Once executed, the malware begins its covert operation to harvest banking credentials, credit card information, and other sensitive financial data from compromised systems. A sophisticated banking trojan known as Lampion has resurfaced with an ...
2 months ago Cybersecuritynews.com
Google Online Security Blog: I/O 2024: What's new in Android security and privacy - As their tactics evolve in sophistication and scale, we continually adapt and enhance our advanced security features and AI-powered protections to help keep Android users safe. Today, we're announcing more new fraud and scam protection features ...
1 year ago Security.googleblog.com
New Mimic Ransomware Abuses Windows Search Tool to Attack Victims - A new ransomware threat has been discovered that abuses the Windows Search Tool to locate and encrypt sensitive data. Dubbed Mimic, the ransomware was identified by malware researchers at Force Point Security Defense. Mimic encrypts a victim’s ...
2 years ago Bleepingcomputer.com
What Is Android System WebView and Should You Uninstall It? | Definition from TechTarget - Android developers use WebView when they want to display webpages or Hypertext Markup Language content in a Google app or other application. Android System WebView is a system component for the Android operating system (OS) that enables Android apps ...
9 months ago Techtarget.com
Deluge of Nearly 300 Fake Apps Floods Iranian Banking Sector - A mammoth campaign targeting Iran's banking sector has grown in magnitude in recent months, with nearly 300 malicious Android apps targeting users for their account credentials, credit cards, and crypto wallets. Four months ago, researchers from ...
1 year ago Darkreading.com
Android Phishing Forms for Sale on Cybercrime Market: Over 1,800 Web Injects Available - A threat actor named InTheBox is offering 1,894 web injects for sale on Russian cybercrime forums. These web injects are designed to steal credentials and sensitive data from banking, cryptocurrency exchange, and e-commerce apps. The overlays are ...
2 years ago Bleepingcomputer.com
Framework for Automated Detection of Malicious Software Aimed at Android Users in Southeast Asia - Since July 2022, a malicious campaign has been targeting Android users in Southeast Asia with the goal of stealing their assets from finance and banking applications. This banking trojan, named TgToxic, is embedded in multiple fake apps and has been ...
2 years ago Trendmicro.com
