Microsoft Security’s investigation of a new version of a previously reported info-stealing Android malware has demonstrated the continuous evolution of mobile threats and the need to protect mobile devices.
An SMS-based phishing campaign targets customers of Indian banks with information-stealing malware that masquerades as a rewards application; one of its targets was ICICI Bank in India.
The malware is equipped with the ability to steal SMSes, potentially enabling the attacker to swipe 2FA codes sent as text messages and gain unauthorized access to victim accounts.
Upon user interaction, it displays a splash screen with the bank logo and proceeds to ask the user to enable specific permissions for the app.
According to open-source intelligence, the app’s C2 server is linked to 75 other malicious APKs. The research team identified many other campaigns targeting Indian bank customers, including:
Their research revolved around icici_rewards.apk, presented to the victim as ICICI Rewards. The malicious link inside the SMS message installs the APK on the recipient’s mobile device. After installation, a splash screen displaying the bank logo asks the user to enable specific permissions for the app.
What happens in the background as per Microsoft Security’s investigation
Analyzing the AndroidManifest.xml file identifies the entry points of the malware along with the permissions it requests. The manifest also defines services that can run in the background without user interaction. The app uses the following permissions:
The malware uses the MainActivity, AutoStartService, and RestartBroadCastReceiverAndroid components to carry out most of its routines. These three components interact to keep all of the malware’s routines running and to allow the app to remain persistent on the mobile device.
The launcher activity is defined as com.example.test_app.MainActivity. It is launched first after installation and displays the fake app’s ICICI splash screen. Its onCreate() method checks the device’s internet connectivity and records the timestamp of the malware’s installation, then calls Permission_Activity to launch the permission requests. Once the permissions are granted, Permission_Activity in turn calls AutoStartService and login_kotak.
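As an added example (not Microsoft’s code), the manifest triage described above, scripted: it pulls entry points and requested permissions out of a constructed AndroidManifest.xml that reuses the component names from the write-up, and flags the SMS permissions and BOOT_COMPLETED receiver that give this family its capability and persistence. The permission set is assumed for illustration, since the page does not reproduce the original list.

```python
# Added example, not Microsoft's code: triage an AndroidManifest.xml the way the
# write-up does, listing entry points and flagging SMS access and boot persistence.
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
BOOT = "android.intent.action.BOOT_COMPLETED"
# Constructed sample: component names follow the write-up; permissions are assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.test_app">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".Permission_Activity"/>
    <service android:name=".AutoStartService"/>
    <receiver android:name=".RestartBroadCastReceiverAndroid" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return package, permissions, components and findings for one manifest."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    components, findings = {}, []
    for kind in ("activity", "service", "receiver"):
        for comp in root.iter(kind):
            name = comp.get(NS + "name")
            # A leading dot is shorthand for the manifest's package name.
            full = pkg + name if name.startswith(".") else name
            actions = {a.get(NS + "name") for a in comp.iter("action")}
            components[full] = kind
            if "android.intent.action.MAIN" in actions:
                findings.append("launcher:" + full)
            if kind == "receiver" and BOOT in actions:
                findings.append("boot-persistence:" + full)
    if perms & SMS_PERMS:
        findings.append("sms-access")
    return {"package": pkg, "permissions": perms,
            "components": components, "findings": sorted(findings)}
```

Run against a real manifest by decoding it first with a tool such as apktool; the findings list is what a triage analyst would check before spending time on the code itself.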