A new Android banking trojan is rapidly spreading through WhatsApp, disguising itself as a mandatory “Banking KYC” verification update. By exploiting urgency and trust, cybercriminals are tricking users into installing malicious apps that can completely compromise their devices.

The attack begins with a deceptive message urging the recipient to complete KYC verification by installing an attached app. That first app is only a dropper: once installed, it quietly installs a second, more dangerous payload. The second app registers no launcher icon and runs in the background, so the victim sees nothing to open or uninstall.

What makes this malware particularly dangerous is its multi-layered design. The two-stage dropper keeps most of the malicious code out of the APK the user actually downloads, which helps the first stage pass casual scanning, and critical values such as command-and-control server addresses and encryption keys are hidden inside obfuscated native code rather than in the Java/Kotlin layer. Decompiling the DEX code therefore reveals nothing useful; an analyst has to reverse the native library itself, which makes the sample considerably harder to study.

The trojan also registers itself as a VPN on the infected device. Android routes all of the device's traffic through an app that has been granted the VPN role, so once the victim accepts the single consent dialog, the attackers can observe every connection, intercept sensitive communications, and sidestep certain mobile security protections that assume the network path is trustworthy.

To maintain control, the malware requests an exemption from battery optimization so that the system does not suspend it and it stays resident. It also uses Firebase Cloud Messaging as its command channel, receiving instructions in real time. Those instructions let the attackers read SMS messages, upload the contents of the inbox, place calls, and dial USSD codes that change call forwarding, so the victim's incoming calls can be redirected.
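The capability combination described above (no launcher icon, a VPN service, a battery-optimization exemption, an FCM push channel, and SMS and call permissions) is visible in an app's manifest before the code is ever run. The script below is an added example written for this article, not code from the article, the researchers, or the malware. It triages a decoded AndroidManifest.xml for exactly those indicators. The two manifests embedded in it are constructed for the example, the package and class names are invented, and the weights and threshold are an illustrative heuristic chosen here, not a published scoring scheme.

```python
"""Static triage of a decoded AndroidManifest.xml for the capability
combination named in the article. Added example; weights, threshold and the
sample manifests are constructed for illustration."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: namespace

# permission -> (weight, why it matters for this campaign); illustrative weights
PERMISSION_INDICATORS = {
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS":
        (2, "asks to be exempted from Doze so the payload stays resident"),
    "android.permission.READ_SMS": (2, "can read the SMS inbox"),
    "android.permission.RECEIVE_SMS": (2, "can intercept incoming SMS such as OTPs"),
    "android.permission.CALL_PHONE": (3, "can place calls and dial USSD codes"),
    "android.permission.REQUEST_INSTALL_PACKAGES": (3, "dropper: can install a second APK"),
}
SUSPICIOUS_THRESHOLD = 8  # illustrative cut-off for this example


def _names(el, tag):
    """android:name values of every <tag> element at or below el."""
    return {e.get(A + "name") for e in el.iter(tag)} - {None}


def triage(manifest_xml):
    """Return (score, findings) for a decoded (text, not binary) manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    score, findings = 0, []

    for perm in sorted(_names(root, "uses-permission")):
        if perm in PERMISSION_INDICATORS:
            weight, why = PERMISSION_INDICATORS[perm]
            score += weight
            findings.append(f"{perm}: {why}")

    if app is None:
        return score, findings

    # Hidden app: no activity carries the MAIN action plus LAUNCHER category.
    has_launcher = any(
        "android.intent.action.MAIN" in _names(f, "action")
        and "android.intent.category.LAUNCHER" in _names(f, "category")
        for act in app.iter("activity") for f in act.iter("intent-filter"))
    if not has_launcher:
        score += 2
        findings.append("no MAIN/LAUNCHER activity: app shows no icon")

    for svc in app.iter("service"):
        name = svc.get(A + "name")
        # The system binds a VpnService through BIND_VPN_SERVICE; after the
        # one-time consent dialog all device traffic is routed into it.
        if svc.get(A + "permission") == "android.permission.BIND_VPN_SERVICE":
            score += 3
            findings.append(f"VpnService {name}: can route all device traffic through the app")
        # A FirebaseMessagingService is the push channel usable for real-time commands.
        if "com.google.firebase.MESSAGING_EVENT" in _names(svc, "action"):
            score += 1
            findings.append(f"FCM service {name}: push channel usable for commands")
    return score, findings


def is_suspicious(manifest_xml):
    return triage(manifest_xml)[0] >= SUSPICIOUS_THRESHOLD


# Constructed second-stage manifest (hypothetical names), not the real sample.
PAYLOAD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kyc.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application android:label="KYC Update">
    <activity android:name=".PhishActivity" android:exported="false"/>
    <service android:name=".TunnelService" android:exported="true"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
    <service android:name=".PushService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest: a normal app that also uses FCM.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".PushService" android:exported="false">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("payload", PAYLOAD_MANIFEST), ("benign", BENIGN_MANIFEST)):
        score, findings = triage(m)
        print(f"{label}: score={score} suspicious={is_suspicious(m)}")
        for f in findings:
            print("  -", f)
```

Run it on the text manifest produced by apktool or androguard, not on the binary XML inside the APK. A legitimate VPN client or any app using Firebase will hit a single indicator; the point is the combination, which is why the benign manifest scores 1 and the constructed payload scores 15. The launcher check only catches an icon that is absent in the manifest; an app can also hide its icon at runtime with PackageManager.setComponentEnabledSetting, so a dynamic check of installed packages is still worthwhile.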

Once fully active, the malware opens a convincing phishing interface inside a WebView that mimics official banking KYC pages. Because the page is rendered inside the app rather than in a browser, there is no address bar to reveal where the form is actually hosted. Victims are guided through a step-by-step process in which they unknowingly enter highly sensitive details such as ATM PINs, Aadhaar numbers, and debit or credit card information.

The campaign appears to be heavily targeted toward Indian users, particularly focusing on banking and identity data. Its increasing sophistication, from simple obfuscation techniques to advanced native code concealment, highlights the growing capabilities of organized cybercrime groups.

This attack serves as a strong reminder for users never to sideload APKs sent over chat, and to treat urgent KYC requests received via messaging platforms like WhatsApp as phishing until confirmed with the bank through its official channels.
