#xor

ANY.RUN<p>🚨 ALERT: Banking Apps Under Attack: Credentials Hijacked via Telegram <br>⚠️ A <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>malware</span></a> dropper delivers a stealer disguised as the IndusInd Bank app. It embeds a phishing website inside the Android app to steal victims’ financial data, posing a threat to mobile banking users and financial institutions. </p><p>🔍 Analysis: <a href="https://app.any.run/tasks/fe800ccb-fccc-42a6-a11d-a3d2b6e89edf/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=android_banking_app&amp;utm_term=200325&amp;utm_content=linktoservice" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/tasks/fe800ccb-fcc</span><span class="invisible">c-42a6-a11d-a3d2b6e89edf/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=android_banking_app&amp;utm_term=200325&amp;utm_content=linktoservice</span></a></p><p>The malware tricks users into entering their sensitive information (registered mobile number, Aadhaar number, PAN card, net banking user ID, etc.) through a fake banking interface embedded in the app. </p><p>📥 Once submitted, the stolen data is sent to both the <a href="https://infosec.exchange/tags/phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>phishing</span></a> site and a C2 server controlled via Telegram. </p><p>The AndroidManifest.xml shows that the dropper APK has permissions to install applications. The <a href="https://infosec.exchange/tags/dropper" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>dropper</span></a> contains base.apk, the malicious <a href="https://infosec.exchange/tags/payload" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>payload</span></a>, and is responsible for dropping and executing it. 
</p><p>👨‍💻 Our new <a href="https://infosec.exchange/tags/Android" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Android</span></a> sandbox allows <a href="https://infosec.exchange/tags/SOC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SOC</span></a> teams to reveal base.apk behavior: communication via Telegram, starting from another location, monitoring incoming messages, and more. Fast access to threat details enables deep analysis and proactive response, mitigating potential damage. </p><p>The APK is obfuscated, with all strings <a href="https://infosec.exchange/tags/XOR" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>XOR</span></a>-encrypted with the ‘npmanager’ key. The CyberChef recipe below reveals the script that sends intercepted data to Telegram: <a href="https://gchq.github.io/CyberChef/#recipe=From_Hex%28%27Auto%27%29XOR%28%7B%27option%27%3A%27UTF8%27%2C%27string%27%3A%27npmanager%27%7D%2C%27Standard%27%2Cfalse%29%26oeol%3DNEL" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">gchq.github.io/CyberChef/#reci</span><span class="invisible">pe=From_Hex%28%27Auto%27%29XOR%28%7B%27option%27%3A%27UTF8%27%2C%27string%27%3A%27npmanager%27%7D%2C%27Standard%27%2Cfalse%29%26oeol%3DNEL</span></a> </p><p><a href="https://infosec.exchange/tags/IOCs" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>IOCs</span></a>: <br><a href="https://infosec.exchange/tags/Phish" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phish</span></a> URL: hxxps://t15[.]muletipushpa[.]cloud/page/ <br>C2 Server (Telegram Bot): hxxps://api[.]telegram[.]org/bot7931012454:AAGdsBp3w5fSE9PxdrwNUopr3SU86mFQieE </p><p>More IOCs and insights will be shared in our blog post. Let us know if you're interested! 
💬 </p><p>🚀 Expose Android threats in seconds with real-time APK analysis in <a href="https://infosec.exchange/tags/ANYRUN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ANYRUN</span></a> Sandbox: <a href="https://app.any.run/?utm_source=mastodon&amp;utm_medium=post&amp;utm_campaign=android_banking_app&amp;utm_term=200325&amp;utm_content=linktoregistration#register/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">app.any.run/?utm_source=mastod</span><span class="invisible">on&amp;utm_medium=post&amp;utm_campaign=android_banking_app&amp;utm_term=200325&amp;utm_content=linktoregistration#register/</span></a> </p><p><a href="https://infosec.exchange/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a></p>
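The CyberChef recipe linked in the post above (From Hex, then XOR with the UTF-8 key 'npmanager') written as a triage script. This is an added example, not part of ANY.RUN's post: it decodes hex blobs, discards those that do not yield text, and reports Telegram Bot API endpoints defanged with the token masked. The sample blobs, bot id and token are constructed placeholders.

```python
import re
from itertools import cycle

KEY = b"npmanager"  # XOR key given in the post, UTF-8 encoded as in the recipe
TG_RE = re.compile(r"(https?)://api\.telegram\.org/bot(\d+):([\w-]+)")

def xor_bytes(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def decode_hex_string(blob: str, key: bytes = KEY):
    """From Hex (delimiter-tolerant), then XOR. Returns None if the result is not text."""
    digits = re.sub(r"0x|\\x|[\s,:;]", "", blob)
    if not digits or len(digits) % 2 or re.search(r"[^0-9a-fA-F]", digits):
        return None  # not a hex blob
    try:
        text = xor_bytes(bytes.fromhex(digits), key).decode("utf-8")
    except UnicodeDecodeError:
        return None  # wrong key, or hex that was never an encrypted string
    return text if text.isprintable() else None

def deobfuscate(blobs):
    """Decode every candidate blob and keep only those that produced text."""
    return [t for t in (decode_hex_string(b) for b in blobs) if t is not None]

def telegram_iocs(strings):
    """Defanged Telegram Bot API endpoints found in decoded strings, token masked."""
    found = []
    for s in strings:
        for scheme, bot_id, _secret in TG_RE.findall(s):
            defanged = scheme.replace("tt", "xx")
            found.append(f"{defanged}://api[.]telegram[.]org/bot{bot_id}:<redacted>")
    return found

# Constructed sample, not taken from the analysed APK.
_URL = "https://api.telegram.org/bot1234567890:PLACEHOLDER-TOKEN/sendMessage"
SAMPLE_BLOBS = [
    "1d 15 03 05 23 04 14 16 13 09 15",  # "sendMessage", space-delimited hex
    xor_bytes(_URL.encode()).hex(),       # produced here with the same key
    "deadbeef",                           # hex that is not an encrypted string
]

if __name__ == "__main__":
    decoded = deobfuscate(SAMPLE_BLOBS)
    print(decoded)
    print(telegram_iocs(decoded))
```
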
Jason H. Moore, Ph.D.<p>Two interesting XOR circuits inside the Intel 386 processor <a href="https://www.righto.com/2023/12/386-xor-circuits.html" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">righto.com/2023/12/386-xor-cir</span><span class="invisible">cuits.html</span></a> <a href="https://mastodon.online/tags/xor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>xor</span></a> <a href="https://mastodon.online/tags/intel386" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>intel386</span></a> <a href="https://mastodon.online/tags/retrocomputing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>retrocomputing</span></a></p>