Threat actors are constantly using new tricks and tactics to collect various confidential credentials from users’ mobile devices via phishing campaigns. This blog is about a recent attack wherein a fake app was used to target Indian Banking users.

Our researchers at K7 Labs recently came across a phishing campaign targeting State Bank of India(SBI) users. This phishing page disguises itself as an SBI Bank Customer Support page to steal users’ credentials. 

Victims are then lured to visit the malicious link hxxp://complaintsregister[.com as shown in Figure 1.

Figure 1 : SBI phishing pages asking for the victims’ banking credentials

Once the victim lands on the impersonated SBI Phishing site as shown in Figure 1, the user is prompted to enter various confidential information like account holder name and registered phone. Once entered,  the user is taken to the next page where the user is prompted to enter refund mode, account number and IFSC code for that bank as shown in Figure 1. Apart from this, it also asks the victim to enter the CIF number(specific to the SBI users) , expiry date, and their ATM pin.  Once the victim enters all the required information, it proceeds to download an APK SBI_Complaint.apk from the phishing website as shown in Figure 2. 

Figure 2: Downloading Malicious APK

This app was installed in the name of SBI Quick Support as shown in Figure 3, and has the official SBI Bank icon.

Figure 3: Installed as a SBI Quick Support and its phone permissions

Technical Analysis

Once the victim launches the downloaded app SBI_Complaint.apk  the malware requests for the malicious permissions like “RECEIVE_SMS, SEND_SMS and READ_SMS” to steal SMS related information as shown in Figure 4.

Figure 4: Request to allow SMS related permissions

It then proceeds to set “android:debuggable=true” from the AndroidManifest.xml, which makes it easier for the threat actor to access the application data and can even run arbitrary code under that application permission. as shown in Figure 5.

Figure 5: Debuggable app permission from AndroidManifest.xml

The Trojan then attempts to steal SMS messages as shown in Figure 6.

Figure 6: SMS stealing Functionality

This Trojan receives and uploads the SMS messages to the C2 server https[://complaintsregister[.com/api/msgstore?task=savemsg as shown in Figure 7.

Figure 7: Upload SMS to C2 server

At K7, we protect all our customers from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security and also regularly update and scan your devices with it. Keep your security product and devices updated and patched for the latest vulnerabilities.

Indicators of Compromise (IoCs)

Package Name:

Hash: 8f05ecbb5f9fe721dfcd380669ab7ebb1dffc433ee0c4d5dce9936afa69564b0

K7 Detection Name:  Spyware ( 0057cf561 )

C2: hxxps://complaintsregister[.com/api/msgstore?task=savemsg

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Targeted SMiShing Attacks on Indian Banking Users”