In the recent past, we came across several Android malware incidents wherein Indian banking users were being deceived promising rewards for their cards. Recently, we came across a tweet that pointed to a Phishing URL which, on click, downloads an Android application, targeting users of another Indian bank. 

Phishing URL is shown in Figure 1. 

Figure 1: HDFC Credit Card Phishing URL

Clicking on the button, “Download application”, it downloads an APK, “HDFC_Credit_Card.apk” (packagename :  

When installed HDFC_Credit_Card.apk takes the label “HDFC Credit Card” and the bank’s logo as shown in Figure 2. 

Figure 2: “HDFC Credit Card” label of the application

This app collects user data like credit card details, email address, phone number, etc., along with the minimal required permissions (no other permissions requested/registered dynamically) to: 




Also, this app has registered a receiver in AndroidManifest.xml, “” with the permission “android.permission.BROADCAST_SMS” and attribute “exported:true” that raises the suspicion that another linked malicious app could use this HDFC_Credit_Card.apk for data exfiltration as shown in Figure 3.

Figure 3: Receiver registered with the permission

Let’s now begin the app analysis. 

After installation when the user launches the app, it collects the information and saves in the shared preferences as shown in Figure 4. 

Figure 4: User information collected

Once the user feeds in the data, it displays a timer screen that encourages the user to “Redeem Point in Cash Or Voucher after time out” as shown in Figure 5. 

Figure 5: Timer Screen to redeem points 

As aforementioned, this app’s registered receiver class, “” is triggered whenever there is a broadcast for a new SMS received.  

During the attempt of collecting the user information, the app confirms that it has the permission to “android.permission.RECEIVE_SMS”. Once confirmed it invokes the service “SmsProcessService” which in turn registers the “” class again as shown in Figure 6 and Figure 7.

Figure 6: Initialising SmsProcessService from MainActivity class
Figure 7: SmsProcessService registering SmsRec class

Once registering the receiver “SmsRec” class is done (apart from the initial registration in AndroidManifest.xml), in the event of any new SMS received, the sms content including the phone number and message body is saved in the shared preferences as shown in Figure 8.

Figure 8: Collecting data of a new SMS received by the user and the URL visited

As highlighted in the Figure 8, once the SMS content is successfully saved as per the defined data model, the app redirects the user to the link, “hxxp://” which is the phishing page that we visited in the beginning. 

This goes to show that Phishing links are still relevant as an infector vector and  asusers we need to be vigilant before giving away any information online and cross-verify with the financial institution, if any bank related details are to be shared. 


Package Name: 

Hash: 4a4833977a2fb4196a7a14fae4bfb1fa 

K7 Detection Name: Trojan ( 0001140e1 ) 

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “SMSThief Targets Indian Banking Users”