Android Malware Campaigns Targeting Indian Users and Banking Apps
Researchers have identified new Android malware campaigns targeting users in India, with a focus on financial fraud and surveillance. The NexusRoute remote access trojan (RAT) was discovered impersonating the Indian e-Challan app and leveraging GitHub for distribution, enabling attackers to conduct UPI fraud and monitor victims' activities. In a separate but related campaign, the FvncBot Android banking trojan masquerades as a legitimate banking-security application, exploiting accessibility and VNC features to capture keystrokes, stream device screens, and inject fraudulent transactions directly from compromised devices.
Both malware strains are notable for their ability to operate within genuine banking apps, allowing them to bypass traditional security checks and evade detection. These campaigns highlight the increasing sophistication of mobile threats in India, particularly those targeting financial transactions and personal data. Security experts recommend minimizing app permissions, sourcing apps only from trusted platforms, and implementing real-time behavioral monitoring to mitigate the risks posed by such advanced mobile malware.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers discover FvncBot Android banking trojan
Researchers disclosed a new Android banking trojan named FvncBot that masquerades as a banking-security application. The malware abuses Android accessibility and VNC capabilities to capture keystrokes, stream screens, and inject fraudulent transactions from infected devices.
Researchers uncover NexusRoute Android RAT campaign
A new Android remote access trojan dubbed NexusRoute was identified targeting Indian users by impersonating the Indian E-Challan app. The malware was reported as being distributed via GitHub and used for UPI fraud and device surveillance.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
NexusRoute Uncovered: Android RAT Impersonates Indian E-Challan via GitHub for UPI Fraud & Surveillance
securityonline.info
Open sourceSpyware Malware Campaigns Target Messaging App Users, A Mobile Security Alert
zimperium.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Emergence of Advanced Android Malware Targeting App Stores and Banking Credentials
A new wave of Android malware is leveraging sophisticated techniques to evade detection and compromise user devices. The Cellik malware-as-a-service (MaaS) platform enables cybercriminals to create trojanized versions of legitimate Google Play Store apps, embedding malicious payloads while preserving the original app's interface and functionality. This approach allows attackers to bypass security controls such as Play Protect and remain undetected for extended periods. Cellik offers features including real-time screen streaming, notification interception, filesystem browsing, data exfiltration, and a hidden browser mode for session hijacking, all managed through an encrypted command-and-control channel. In parallel, other Android malware campaigns such as NexusRoute and FvncBot are targeting users by impersonating trusted government and banking applications. NexusRoute focuses on Indian citizens by distributing fake mParivahan and e-Challan apps through phishing sites and GitHub repositories, enabling credential theft, device surveillance, and unauthorized financial transactions. FvncBot, meanwhile, disguises itself as a banking-security app and exploits accessibility and VNC features to capture keystrokes, stream screens, and inject fraudulent transactions within genuine banking apps. These developments highlight the increasing sophistication and commercial availability of Android malware, posing significant risks to mobile users and financial institutions alike.
Mar 21, 2026
Android Banking Trojans and Financial Malware Targeting User Data and Payments
Multiple new Android malware campaigns have been identified targeting users' financial data and payment methods. Researchers uncovered advanced banking trojans such as BankBot-YNRK and DeliveryRAT, which harvest sensitive information from compromised devices and employ sophisticated evasion techniques, including emulator detection and device-specific targeting. These trojans often masquerade as legitimate apps, such as Indonesia's digital ID application, and can mute device notifications to avoid detection by victims. In addition, a next-generation Android banking trojan has been observed hiding within digital ID apps, automating the theft of cryptocurrency wallets and evading analysis environments. A separate large-scale scam involves over 760 malicious Android apps exploiting NFC and HCE technologies to steal payment card data globally. These apps facilitate unauthorized transactions by leveraging contactless payment features. The surge in Android-targeted financial malware highlights the growing risk to users' banking credentials, payment cards, and cryptocurrency assets, with attackers employing increasingly sophisticated methods to bypass security controls and evade user awareness.
Mar 21, 2026
Android Banking Trojans Spread via Fake Document Reader and KYC Apps
Researchers reported two Android banking malware campaigns using staged droppers to evade detection and steal financial data from mobile users. Zscaler ThreatLabz said a fake **Document Reader** app on Google Play was downloaded more than 10,000 times before removal and later fetched the **Anatsa** payload from a remote server, while CYFIRMA identified **KYCShadow** being distributed through fake KYC verification apps sent over WhatsApp to bank customers in India. In both cases, the initial apps appeared legitimate, then installed secondary malicious components designed to bypass early screening and analysis. Once deployed, the malware sought high-risk permissions to hijack accounts, intercept SMS-based one-time passwords, and overlay banking apps to capture credentials. Anatsa was reported to target more than **831 financial institutions** globally, including banks and cryptocurrency platforms, using obfuscation and anti-analysis techniques, while KYCShadow collected data such as mobile numbers, Aadhaar details, ATM PINs, and card information, then used Firebase Cloud Messaging and a full-tunnel VPN for command-and-control and traffic redirection. Researchers urged users to uninstall suspicious apps and avoid software delivered through messaging platforms, and advised defenders to monitor indicators including `jsonapi[.]biz`, `jsonserv[.]biz`, and `jsonserv[.]xyz`.
Apr 29, 2026