Attack Vector

The victim receives an SMS containing a link to a phishing website (similar to the website of Income Tax Department, Govt. of India) where he is asked to enter personal information and download and install the malicious APK file in order to complete verification. This malicious android app masquerades as the Income Tax Department app. After the installation, the app asks the user to grant necessary permissions like SMS, call logs, contacts etc. If the user does not enter any information on the website, the same screen with the form is displayed in the android application and the user is asked to fill in to proceed. The data include full name, PAN, Aadhaar number, address, date of birth, mobile number, email address and financial details like account number, IFS code, CIF number, debit card number, expiry date, CVV and PIN.

After these details are entered by the user, the application states that there is a refund amount that could be transferred to the user's bank account. When the user enters the amount and clicks "Transfer", the application shows an error and demonstrates a fake update screen. While the screen for installing update is shown, Trojan in the backend sends the user's details including SMS and call logs to the attacker's machine. These details are then used by the attacker to generate the bank specific mobile banking screen and render it on user's device. The user is then requested to enter the mobile banking credentials which are captured by the attacker.

These attack campaigns can effectively jeopardize the privacy and security of sensitive customer data and result in large scale attacks and financial frauds.

• 103824893e45fa2177e4a655c0c77d3b
• 28ef632aeee467678b9ac2d73519b00b
• 78745bddd887cb4895f06ab2369a8cce
• 8cc1e2baeb758b7424b6e1c81333a239
• e60e4f966ee709de1c68bfb1b96a8cf7
• 00313e685c293615cf2e1f39fde7eddd
• 04c3bf5dbb5a27d7364aec776c1d8b3b

• jsig.quicksytes[.]com
• c4.mypsx[.]net
• fcm.pointto[.]us
• rfb.serveexchange[.]com

• http://192.3.122[.]195/Refund/iMobile/instantTransfer.apk
• http://192.210.218[.]49/fcm/mc/tapp.php?dir=9sp

• Reduce the risk of downloading potentially harmful apps by limiting your download sources to official app stores, such as your device's manufacturer or operating system app store.
• Prior to downloading / installing apps on android devices (even from Google Play Store):
  • Always review the app details, number of downloads, user reviews, comments and "ADDITIONAL INFORMATION" section.
  • Verify app permissions and grant only those permissions which have relevant context for the app's purpose.
  • Do not check "Untrusted Sources" checkbox to install side loaded apps.
• Install Android updates and patches as and when available from Android device vendors.
• Do not browse un-trusted websites or follow un-trusted links and exercise caution while clicking on the link provided in any unsolicited emails and SMSs.
• Look for suspicious numbers that don't look like real mobile phone numbers. Scammers often mask their identity by using email-to-text services to avoid revealing their actual phone number. Genuine SMS messages received from banks usually contain sender id (consisting of bank's short name) instead of a phone number in sender information field.
• Do extensive research before clicking on link provided in the message. There are many websites that allow anyone to run search based on a phone number and see any relatable information about whether or not a number is legit.
• Only click on URLs that clearly indicate the website domain. When in doubt, users can search for the organisation's website directly using search engines to ensure that the websites they visited are legitimate.
• Install and maintain updated anti-virus and antispyware software.
• Consider using Safe Browsing tools, filtering tools (antivirus and content-based filtering) in your antivirus, firewall, and filtering services.
• Exercise caution towards shortened URLs, such as those involving bit.ly and tinyurl. Users are advised to hover their cursors over the shortened URLs (if possible) to see the full website domain which they are visiting or use a URL checker that will allow the user to enter a short URL and view the full URL. Users can also use the shortening service preview feature to see a preview of the full URL.
• Look out for valid encryption certificates by checking for the green lock in the browser's address bar, before providing any sensitive information such as personal particulars or account login details.
• Education and awareness program for cyber security awareness is suggested.
• Customer should report any unusual activity in their account immediately to the respective bank with the relevant details for taking further appropriate actions.