ANY.RUN<p>🚨 ALERT: Banking Apps Under Attack: Credentials Hijacked via Telegram <br>⚠️ A <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> dropper delivers a stealer disguised as the IndusInd Bank app. It embeds a phishing website inside the Android app to steal victims’ financial data, posing a threat to mobile banking users and financial institutions. </p><p>🔍 Analysis: <a href="https://app.any.run/tasks/fe800ccb-fccc-42a6-a11d-a3d2b6e89edf/?utm_source=mastodon&utm_medium=post&utm_campaign=android_banking_app&utm_term=200325&utm_content=linktoservice" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/fe800ccb-fcc</span><span class="invisible">c-42a6-a11d-a3d2b6e89edf/?utm_source=mastodon&utm_medium=post&utm_campaign=android_banking_app&utm_term=200325&utm_content=linktoservice</span></a></p><p>The malware tricks users into entering their sensitive information (registered mobile number, Aadhaar number, PAN card, net banking user ID, etc.) through a fake banking interface embedded in the app. </p><p>📥 Once submitted, the stolen data is sent to both the <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> site and a C2 server controlled via Telegram. </p><p>The AndroidManifest.xml shows that the dropper APK has permissions to install applications. The <a href="https://infosec.exchange/tags/dropper" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dropper</span></a> contains base.apk, the malicious <a href="https://infosec.exchange/tags/payload" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>payload</span></a>, and is responsible for dropping and executing it. 
</p><p>👨💻 Our new <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Android</span></a> sandbox allows <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SOC</span></a> teams to reveal base.apk behavior: communication via Telegram, starting from another location, monitoring incoming messages, and more. Fast access to threat details enables deep analysis and proactive response, mitigating potential damage. </p><p>The APK is obfuscated, with all strings <a href="https://infosec.exchange/tags/XOR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XOR</span></a>-encrypted with the ‘npmanager’ key (repeating-key XOR applied to the hex-decoded bytes). The CyberChef recipe below (From Hex, then XOR with the UTF-8 key ‘npmanager’, Standard scheme) reveals the script that sends intercepted data to Telegram: <a href="https://gchq.github.io/CyberChef/#recipe=From_Hex%28%27Auto%27%29XOR%28%7B%27option%27%3A%27UTF8%27%2C%27string%27%3A%27npmanager%27%7D%2C%27Standard%27%2Cfalse%29%26oeol%3DNEL" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gchq.github.io/CyberChef/#reci</span><span class="invisible">pe=From_Hex%28%27Auto%27%29XOR%28%7B%27option%27%3A%27UTF8%27%2C%27string%27%3A%27npmanager%27%7D%2C%27Standard%27%2Cfalse%29%26oeol%3DNEL</span></a> </p><p><a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a>: <br><a href="https://infosec.exchange/tags/Phish" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phish</span></a> URL: hxxps://t15[.]muletipushpa[.]cloud/page/ <br>C2 Server (Telegram Bot): hxxps://api[.]telegram[.]org/bot7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE <br>Note that the C2 traffic is ordinary TLS to a legitimate domain, so network detection has to key on the api[.]telegram[.]org/bot… path (or on that destination from devices and apps that have no business calling a bot) rather than on the domain alone. </p><p>More IOCs and insights will be shared in our blog post. Let us know if you're interested! 💬 </p>
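<p>The CyberChef recipe above, reproduced in Python so it can be run over a batch of hex blobs pulled from the decompiled APK. This is an added example, not ANY.RUN's code or anything from the malware: the key ‘npmanager’ and the From_Hex → XOR (Standard scheme) steps come from the post, while the sample ciphertexts are constructed here by encrypting placeholder strings (the first one was hand-computed) and the function names are the author's own.</p>

```python
"""Repeating-key XOR string decryption, mirroring the CyberChef recipe
From_Hex('Auto') -> XOR(key='npmanager', scheme='Standard').

Added example; not code from ANY.RUN or from the malware. The sample
ciphertexts are constructed here, not taken from the real APK.
"""
import re
import string

KEY = b"npmanager"  # key reported in the analysis


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """CyberChef 'Standard' scheme: the key repeats across the whole input.
    XOR is symmetric, so this both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def hex_to_bytes(blob: str) -> bytes:
    """Roughly what From_Hex('Auto') does: tolerate whitespace, 0x / \\x
    prefixes and common separators before decoding."""
    cleaned = re.sub(r"(0x|\\x|[\s,;:])", "", blob, flags=re.IGNORECASE)
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", cleaned):
        raise ValueError(f"not a clean hex blob: {blob!r}")
    return bytes.fromhex(cleaned)


def decrypt_hex_string(blob: str, key: bytes = KEY) -> str:
    """Hex blob -> plaintext under the repeating key."""
    return xor_with_key(hex_to_bytes(blob), key).decode("utf-8", errors="replace")


PRINTABLE = set(string.printable)


def decrypt_candidates(blobs, key: bytes = KEY, min_printable: float = 0.95):
    """Decrypt a batch of hex blobs and keep only results that are mostly
    printable text; a non-string blob or a wrong key yields noise that is
    dropped, so the output is a clean list of recovered strings."""
    hits = []
    for blob in blobs:
        try:
            plain = decrypt_hex_string(blob, key)
        except ValueError:
            continue
        if plain and sum(c in PRINTABLE for c in plain) / len(plain) >= min_printable:
            hits.append((blob, plain))
    return hits


# Constructed sample: hand-computed XOR of "sendMessage" under 'npmanager'.
SAMPLE_HEX = "1d15030523041416130915"

# Constructed batch: one more blob built here by encrypting a placeholder
# URL, plus two entries the batch decoder should reject.
SAMPLE_BLOBS = [
    SAMPLE_HEX,
    xor_with_key(b"https://api.telegram.org/bot<TOKEN>/", KEY).hex(),
    "zz",        # not hex at all
    "deadbeef",  # valid hex, but decrypts to non-printable bytes under this key
]

if __name__ == "__main__":
    for blob, plain in decrypt_candidates(SAMPLE_BLOBS):
        print(f"{blob[:24]:<24} -> {plain}")
```

<p>The printable-ratio filter is what makes this usable at scale: run it over every hex literal in the decompiled sources and only the strings that really were XOR-encrypted with this key come back, which is how the Telegram-sending script surfaces without reading each blob by hand.</p>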
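<p>A detection-side counterpart for the Telegram C2 channel described above: a scan over egress/proxy logs for Telegram Bot API calls, which also separates the outbound sendMessage exfiltration from the getUpdates polling that corresponds to the bot monitoring incoming messages. This is an added example, not ANY.RUN's code; the log format, the log lines and the bot token inside them are constructed placeholders (the real token from the IOC list is deliberately not used), and the function and class names are assumptions.</p>

```python
"""Flag Telegram Bot API traffic in proxy/egress logs, the C2 channel
described in the post. Added example, not ANY.RUN's code; the log lines and
the bot token in them are constructed placeholders, not the real IOC.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# bot<numeric id>:<secret>; real tokens carry a 35-char secret of [A-Za-z0-9_-],
# the lower bound here leaves room for format drift without matching noise.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})"
    r"(?:/(?P<api_method>[A-Za-z]+))?"
)

# Constructed log format: "<timestamp> <source-ip> <http-verb> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<verb>[A-Z]+) (?P<url>\S+)")


@dataclass(frozen=True)
class BotHit:
    ts: str
    src: str
    bot_id: str
    api_method: str
    token_hint: str  # only the first 4 chars, so the secret is not copied into tickets


def defang(url: str) -> str:
    """Make a URL safe to paste into a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def find_telegram_bot_c2(lines):
    """Return one BotHit per log line that calls api.telegram.org/bot<token>."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t = TELEGRAM_BOT_RE.search(m["url"])
        if not t:
            continue
        hits.append(BotHit(
            ts=m["ts"],
            src=m["src"],
            bot_id=t["bot_id"],
            api_method=t["api_method"] or "?",
            token_hint=t["secret"][:4] + "...",
        ))
    return hits


def summarize(hits):
    """Group hits per bot id: which hosts talked to it and which API methods
    were used. sendMessage/sendDocument = data going out; getUpdates = the
    implant reading operator messages."""
    summary = defaultdict(lambda: {"sources": set(), "methods": set(), "count": 0})
    for h in hits:
        entry = summary[h.bot_id]
        entry["sources"].add(h.src)
        entry["methods"].add(h.api_method)
        entry["count"] += 1
    return dict(summary)


# Constructed sample log; the token and phishing host are placeholders.
SAMPLE_LOG = [
    "2025-03-20T10:15:01Z 10.0.0.23 GET https://connectivitycheck.gstatic.com/generate_204 204",
    "2025-03-20T10:15:07Z 10.0.0.23 POST https://t15.phish-host.invalid/page/submit.php 200",
    "2025-03-20T10:15:08Z 10.0.0.23 POST https://api.telegram.org/bot1234567890:AAAAexampleexampleexampleexampleEXA/sendMessage 200",
    "2025-03-20T10:16:40Z 10.0.0.23 GET https://api.telegram.org/bot1234567890:AAAAexampleexampleexampleexampleEXA/getUpdates?offset=1 200",
    "2025-03-20T10:17:02Z 10.0.0.51 GET https://web.telegram.org/k/ 200",
    "malformed line that does not match the log format",
]

if __name__ == "__main__":
    found = find_telegram_bot_c2(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} bot={h.bot_id} method={h.api_method} token={h.token_hint}")
    for bot_id, s in summarize(found).items():
        print(f"bot {bot_id}: {s['count']} calls from {sorted(s['sources'])}, methods {sorted(s['methods'])}")
    print("report URL:", defang("https://api.telegram.org/bot1234567890:REDACTED/sendMessage"))
```

<p>Only the bot path is matched: a user browsing web.telegram.org or the official client talking to Telegram's MTProto endpoints never hits api.telegram.org/bot…, so the rule stays quiet on legitimate Telegram use while still catching any bot-based implant, not just this one.</p>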