Scammers are constantly devising new and more sophisticated social engineering techniques to harvest user credentials for financial gain. When it comes to banking websites, however, capturing login credentials through a phishing campaign is often not enough for cybercriminals.
Most banking sites now implement two-factor authentication, typically by sending a one-time password to the customer's registered mobile number, which has made transactions more secure. In parallel, however, attackers have found ways to bypass this second factor by stealing the messages from the user's phone.
Zscaler’s ThreatLabz researchers recently discovered a sophisticated phishing campaign targeting customers of top Indian banks such as State Bank of India, Punjab National Bank, Union Bank, HDFC, and Canara. The well-designed phishing pages are difficult to distinguish from the legitimate sites and aim to collect all of the customer’s banking credentials, including account holder name, registered mobile number, account number or card number, ATM PIN, IFSC code, and card expiry date. The end goal of capturing this information is to install a malicious SMS stealer that monitors the messages on the infected mobile or tablet and contacts a C2 server whenever the customer receives an SMS.
Analysis of a phishing campaign:
The homepage depicts a customer support form for submitting queries. The user is asked to enter their name, phone number, and reason for the failed transaction as shown in the figure below.
Fig 1. Phishing Home Page
In the next step, the user is asked to enter an account number, which can be used to log in to an online banking account.
Fig 2. Refund Mode Confirmation
The next step prompts the user to enter the account number again (probably to confirm that the correct account number was given) together with the IFSC code, which identifies the bank branch.
Fig 3. Prompt for Account No. & IFSC code
After that, the user is required to enter the CIF number and the card expiry date. The customer identification file (CIF) number is, in general, an electronic 11-digit number under which all of a customer's personal information is held by the bank.
Fig 4. Prompt for CIF number and Expiry Date
After that, the phishing page asks the user to enter their ATM PIN, as shown in the screenshot below.
Fig 5. Prompt for ATM Pin
In the last step, an app is downloaded to the user’s device, and a message asks the user to wait until the download starts.
Fig 6. Malicious APK download
Here are a few more campaigns with the same phishing techniques targeting other Indian bank users.
Fig 7. A phishing campaign targeting Punjab National Bank users.
Fig 8. A phishing campaign targeting BHIM UPI users
Analysis of Android SMS Stealer:
The downloaded app is a basic SMS stealer that portrays itself as a banking support app, using the name SBI Quick Support and the official logo of the targeted bank.
Fig 9. Malware portraying itself as SBI Quick Support App
Once installed, the app asks for permission to send/view messages from the phone as shown in the figure below.
Fig 10. Screenshot and code snippet for SMS permission
The malware also achieves persistence on the infected device by requesting the RECEIVE_BOOT_COMPLETED permission, so that it can start itself again after the device reboots.
Fig 11. Code snippet for Autostart configuration
If any of the permissions get denied, the malware displays an alert dialog to manipulate the user into granting permission.
Fig 12. Code snippet for displaying alert dialog
Lastly, after all the permissions have been granted, the malware displays a fake form for submitting a complaint number. Meanwhile, in the background, it monitors all incoming messages.
Fig 13. Screenshot and code snippet for displaying fake form
As soon as any message is received on the victim’s phone, the malware exfiltrates the received message, along with some other device information, via a POST request to a C2 server whose URL is stored statically in the code.
Fig 14. C2 URL stored in a variable
Fig 15. Cloud Sandbox report for SMS Stealer
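The traits described above (SMS permissions, a boot-completed autostart, an SMS receiver, and a C2 URL stored statically in the code) can be checked statically once an APK has been decoded with a tool such as apktool. The following triage script is an added example and is not the campaign's code or Zscaler's tooling; the manifest and the decoded string constants it scans are constructed stand-ins for what a real decode would produce.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-stealer traits described
above. Added example, not the campaign's code; manifest and strings are constructed."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")

# Constructed manifest mirroring the traits above: SMS permissions, autostart, SMS receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.complaintregister">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="SBI Quick Support">
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed string constants standing in for what apktool/jadx would decode from the code.
SAMPLE_STRINGS = ["http://c2.example.invalid/api/sms", "Enter complaint number"]

def triage_manifest(manifest_xml, strings):
    """Return findings; 'score' is the number of stealer traits present (0-4)."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name")
               for r in root.iter("receiver") for a in r.iter("action")}
    findings = {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMS),
        # Persistence as on this page: boot permission plus a receiver listening for it.
        "boot_persistence": "android.permission.RECEIVE_BOOT_COMPLETED" in perms
                            and "android.intent.action.BOOT_COMPLETED" in actions,
        "sms_receiver": "android.provider.Telephony.SMS_RECEIVED" in actions,
        # A static C2 URL in the decoded strings (Fig 14 shows it stored in a variable).
        "hardcoded_urls": sorted({m.group(0) for s in strings
                                  for m in URL_RE.finditer(s)}),
    }
    findings["score"] = sum(bool(findings[k]) for k in
                            ("sms_permissions", "boot_persistence", "sms_receiver", "hardcoded_urls"))
    return findings
```

A score of 3 or 4 on an app that presents itself as a bank's "support" or "complaint" utility is a strong signal to block the package and pivot on its hardcoded URLs.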
Conclusion:
Android powers hundreds of millions of mobile devices around the world. It has the largest installed base of any mobile platform and is growing fast, and attackers take advantage of this by targeting Android users.
Due to Android's flexibility and ease of use, the use of mobile banking applications has increased, and users are inadvertently installing malicious apps such as the stealer described above. Some best practices to protect Android users are:
- Only install apps from official stores, such as Google Play.
- Never click on unknown links received through ads, SMS messages, emails, or from any other messaging applications.
- Always keep the "Unknown Sources" option disabled on your Android device. This prevents applications from unknown sources from being installed.
Package Names:
Package name | APK file name
com.sbi.complaintregister | sbi_complaint.apk
com.example.complaintregisters | PNB%20Support.apk
com.example.myapplication | union.apk
com.complaintregister.bhim | UPI_Complaint.apk
com.pnb.complaintregister | pnb_complaint.apk
com.example.myapplication | HDFC_Complaint.apk
com.example.complaintregister | canara.apk
IOCs:
Domains:
MD5 Hashes:
MITRE ATT&CK Techniques: