Cybersecurity experts have uncovered a large-scale malicious campaign targeting Android users in India, leading to the theft of personal and financial information from tens of thousands of victims. Security researchers revealed that the attack involved over 1,000 malicious applications specifically designed to steal sensitive data from Android users.
The campaign, known as FatBoyPanel, stands out due to its use of live phone numbers to redirect text messages, including one-time passwords (OTPs), rather than relying on traditional command-and-control (C&C) servers. Cybercriminals behind the operation are believed to be a single individual or group that used approximately 1,000 phone numbers to carry out the attack.
The investigation uncovered nearly 900 unique malware samples, primarily targeting users of Indian banks. Researchers found that the malicious apps shared similar code structures, user interface elements, and logos, indicating an organised attack by a single threat actor.
The malware was primarily distributed through WhatsApp, where Android users were tricked into downloading APK files disguised as government or banking apps. Once installed, the malicious applications requested SMS permissions, enabling them to intercept and exfiltrate messages, including OTPs. This access allowed the attackers to perform unauthorised financial transactions using stolen data.
Zimperium’s research revealed that the stolen data was stored in 220 publicly accessible Firebase storage buckets. The compromised data, totalling around 2.5 gigabytes, includes a wide range of sensitive information such as SMS messages from banks, card and banking details, and government ID data.
It is estimated that around 50,000 Android users have fallen victim to this campaign.
The malware employs advanced stealth tactics to ensure persistence on compromised devices. It hides its icon and resists uninstallation, making it difficult for victims to detect or remove it. The malware also sends stolen SMS messages to Firebase databases functioning as C&C servers, further complicating detection efforts.
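The distribution and persistence traits described above (sideloaded APKs, SMS permissions for OTP interception, a hidden icon and resistance to removal) can be turned into a simple triage heuristic for an app inventory. The following is an added example, not code from the original article or from Zimperium; the inventory, package names and indicator weights are constructed assumptions, and on a real device the fields would be filled from the package manager.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Indicators drawn from the campaign described above: SMS permissions
# (OTP interception), installation outside Google Play (APK via chat),
# device-admin persistence and a hidden launcher icon.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
PLAY_STORE_INSTALLER = "com.android.vending"


@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]          # None: sideloaded from a file
    permissions: Set[str] = field(default_factory=set)
    device_admin: bool = False        # registers a device-admin receiver
    launcher_icon: bool = True        # launcher activity still enabled


def risk_indicators(app: InstalledApp) -> List[str]:
    """Names of the indicators this app matches, in a fixed order."""
    hits = []
    if app.installer != PLAY_STORE_INSTALLER:
        hits.append("sideloaded")
    if app.permissions & SMS_PERMISSIONS:
        hits.append("sms-access")
    if app.device_admin:
        hits.append("device-admin")
    if not app.launcher_icon:
        hits.append("hidden-icon")
    return hits


def flag_suspicious(apps: List[InstalledApp], threshold: int = 3) -> List[str]:
    """Packages matching at least `threshold` indicators, highest score first."""
    scored = sorted(((len(risk_indicators(a)), a.package) for a in apps), reverse=True)
    return [pkg for score, pkg in scored if score >= threshold]


# Constructed sample inventory with hypothetical package names.
SAMPLE_APPS = [
    InstalledApp("com.example.bank", PLAY_STORE_INSTALLER, {"android.permission.INTERNET"}),
    InstalledApp("com.example.messenger", PLAY_STORE_INSTALLER, {"android.permission.READ_SMS"}),
    InstalledApp("gov.fake.kyc.update", None, {"android.permission.RECEIVE_SMS"},
                 device_admin=True, launcher_icon=False),
]
```

A legitimate messenger installed from Google Play trips only the SMS indicator, while the sideloaded app combining SMS access, device-admin persistence and a hidden icon crosses the threshold.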
This campaign demonstrates the increasing sophistication of fraudsters targeting Android users in India. Users should be cautious, especially when downloading APK files received through messaging apps like WhatsApp. They should only install apps from reliable sources, such as the Google Play Store, and avoid third-party downloads to lower their chances of falling victim to such attacks.
Regular device checks and security updates are essential for Android users to detect and prevent malicious activity on their devices.
