Article

Banking scams delivered instantly via WhatsApp

Amit Tambe
Amit Tambe
|
Feb 18, 2025
|
4 min read

Scams happen wherever scammers can contact their victims. F‑Secure has detected an on-going scam targeting individuals in India. The main spreading mechanism is via Whats­App direct messages that are directly encouraging targeted Whats­App users to down­load malicious Android installation files. The messages claim to originate from a well-known bank, for example Axis bank, ICICI bank, or SBI bank.

Figure 1. Scam message appealing for urgency (from LinkedIn post)
Figure 2. Another scam message appealing urgency (acquired by F-Secure)

The scam starts with the victim receiving a message on Whats­App that attempts to invoke a sense of urgency. The message typically intends to scare the victim by suggesting their bank account is blocked or about to be closed — unless the user updates some purported mandatory details by installing the accompanying APK file.  

The attacker hopes that by using these manipulation tricks, the victim will install the malware. Once the victim installs the APK attachment, the malware then takes over. 

Malware walkthrough 

So, what happens once the victim clicks on the APK attachment? We at F‑Secure obtained a Whats­App message from one of our sources (shown in Figure 2). We analyzed the APK attached to this message, found out the following: 

  • Upon execution, the app requests “send and view SMS” permission, as shown in Figure 3. This is a peculiar request that will have a great significance on the malware’s operations. We will explain later the reason behind this permission request.

Figure 3. SMS permissions requested by malware
  • Once this permission is granted, the app proceeds through a series of activities (screens) that each ask for different personal information from the victim (Figure 4). The personal information includes mobile number, personal account number (PAN — a number issued by Indian tax department), date of birth, debit card details, and so on.

Figure 4. Series of screens extracting the victim’s personal information
  • Once the victim submits all this information, a fake “success” message (Figure 5) is shown to the victim promising them that the required mandatory data has been submitted. But of course, in reality, no updates are sent to the bank.

Figure 5. Fake “success” message
Figure 6. Alternate “success” message advising against uninstallation

In other similar malware samples that we analyzed, the final screen apart from showing a “success” message, also displayed a text advising the user against uninstalling the app because the “bank details update” app is only available outside of Play Store (Figure 6). 

What really happens in the background? 

Data stealing 

As we saw in the walkthrough, the dummy bank application pretends to get details from the victim and claims to update their account in the bank. More­over, what happens in reality is some­thing totally different. The details submitted by the victim are exfiltrated either to a cloud data­base, such as Fire­base data­base, or to a C2 server hosted on a domain controlled by the attacker.

Figure 7. Personal user data being uploaded to cloud

Multifactor authentication bypass 

The primary goal of the malware is to steal the victim’s bank credentials, and then potentially perform an account take­over. How­ever, to achieve this, the attacker first needs to login to the victim’s bank account.  

A bank app typically sends a one-time pass­word (OTP) to the user’s mobile, if two-factor authentication has been set up. Thus, merely stealing the victim’s credentials is not enough for the attacker. Access is also required to the OTP that the bank sends to the victim’s mobile via a text message, after the attacker logs into the victim’s account using the stolen credentials. And this is where the previously acquired “send and receive SMS permissions” comes into play (Figure 3). 

Once the real OTP text message is received by the victim’s mobile, the device issues an SMS_RECEIVED_ACTION broad­cast which is handled by the malware as well. The malware then forwards this message to a hard­coded phone number, thereby gaining access to the OTP, and thus effectively bypassing MFA. 

Figure 8. Forward all SMSs to the attacker

Conclusion 

Even though the ongoing scam targets banks in India, it is easy to see that this can be easily generalized to include other scams. Also, as Whats­App has been adopted world­wide, the reach of such scams can be equally large. We advise strong caution when clicking on any unknown links/​attachments, especially those received via WhatsApp.

devices secured illustration

Protect every­thing you do online

Make staying safe online easy with one app that does it all.

total app on different devices

Protect everything you do online with F‑Secure

Make staying safe online easy for yourself with one app that does it all. Skip online scams, download files and apps safely, protect your money online — and much more.

  • Award-winning antivirus and malware protection

  • Online browsing, banking, and shopping protection

  • 24/7 online identity and data breach monitoring

  • Unlimited VPN service to safe­guard your privacy

  • Password manager with private data protection

Read more about Total