Android Malware Campaigns Targeting Indian Users and Banking Apps
Researchers have identified new Android malware campaigns targeting users in India, with a focus on financial fraud and surveillance. The NexusRoute remote access trojan (RAT) was discovered impersonating the Indian e-Challan app and leveraging GitHub for distribution, enabling attackers to conduct UPI fraud and monitor victims' activities. In a separate but related campaign, the FvncBot Android banking trojan masquerades as a legitimate banking-security application, exploiting accessibility and VNC features to capture keystrokes, stream device screens, and inject fraudulent transactions directly from compromised devices.
Both malware strains are notable for their ability to operate within genuine banking apps, allowing them to bypass traditional security checks and evade detection. These campaigns highlight the increasing sophistication of mobile threats in India, particularly those targeting financial transactions and personal data. Security experts recommend minimizing app permissions, sourcing apps only from trusted platforms, and implementing real-time behavioral monitoring to mitigate the risks posed by such advanced mobile malware.
Sources
Related Stories
Emergence of Advanced Android Malware Targeting App Stores and Banking Credentials
A new wave of Android malware is leveraging sophisticated techniques to evade detection and compromise user devices. The Cellik malware-as-a-service (MaaS) platform enables cybercriminals to create trojanized versions of legitimate Google Play Store apps, embedding malicious payloads while preserving the original app's interface and functionality. This approach allows attackers to bypass security controls such as Play Protect and remain undetected for extended periods. Cellik offers features including real-time screen streaming, notification interception, filesystem browsing, data exfiltration, and a hidden browser mode for session hijacking, all managed through an encrypted command-and-control channel. In parallel, other Android malware campaigns such as NexusRoute and FvncBot are targeting users by impersonating trusted government and banking applications. NexusRoute focuses on Indian citizens by distributing fake mParivahan and e-Challan apps through phishing sites and GitHub repositories, enabling credential theft, device surveillance, and unauthorized financial transactions. FvncBot, meanwhile, disguises itself as a banking-security app and exploits accessibility and VNC features to capture keystrokes, stream screens, and inject fraudulent transactions within genuine banking apps. These developments highlight the increasing sophistication and commercial availability of Android malware, posing significant risks to mobile users and financial institutions alike.
3 months agoAndroid Banking Trojans and Financial Malware Targeting User Data and Payments
Multiple new Android malware campaigns have been identified targeting users' financial data and payment methods. Researchers uncovered advanced banking trojans such as BankBot-YNRK and DeliveryRAT, which harvest sensitive information from compromised devices and employ sophisticated evasion techniques, including emulator detection and device-specific targeting. These trojans often masquerade as legitimate apps, such as Indonesia's digital ID application, and can mute device notifications to avoid detection by victims. In addition, a next-generation Android banking trojan has been observed hiding within digital ID apps, automating the theft of cryptocurrency wallets and evading analysis environments. A separate large-scale scam involves over 760 malicious Android apps exploiting NFC and HCE technologies to steal payment card data globally. These apps facilitate unauthorized transactions by leveraging contactless payment features. The surge in Android-targeted financial malware highlights the growing risk to users' banking credentials, payment cards, and cryptocurrency assets, with attackers employing increasingly sophisticated methods to bypass security controls and evade user awareness.
4 months agoAndroid Malware Campaigns Targeting Banking and Messaging Apps
A surge in Android malware campaigns has been observed across multiple regions, with attackers leveraging sophisticated droppers and SMS stealers to compromise user devices and drain bank accounts. Notably, the Wonderland dropper malware has been identified as hijacking Telegram sessions to facilitate unauthorized banking transactions, while other malware families such as Frogblight, NexusRoute, and Ajina.Banker are also implicated in recent attacks. These campaigns often distribute malicious APKs disguised as legitimate applications, with infection vectors including sideloading and direct delivery via messaging platforms like Telegram. In Uzbekistan, threat groups such as TrickyWonders, Blazefang, and Ajina have been linked to a wave of attacks using SMS stealer malware, exploiting Telegram's popularity to propagate infections and steal credentials. Security researchers have highlighted the evolving tactics of these actors, including the use of AES-based droppers and multi-stage payloads, underscoring the persistent threat posed by Android-targeted malware in both financial and personal data theft.
2 months ago