Cyber-security researchers on Thursday said they have spotted a new phishing campaign that is targeting banking consumers in India via SMS forwarding apps.
The phishing site collects victim's banking credentials and personal identifiable information (PII), post which an Android SMS forwarding malware is downloaded to their devices, according to AI cyber-security firm CloudSEK.
The research team discovered several domains with the same modus operandi and templates.
"The banks should also take responsibility in raising awareness about such scams and educate their customers to prevent monetary as well as reputation loss," said Anshuman Das, Cyber Threat Researcher at CloudSEK.
As part of the hackers' modus operandi, the victims first fill out sensitive banking information such as card number, CVV number, and expiry date, on the fake complaint portal.
After the banking information is exploited, a malicious customer support application gets downloaded to the victim's devices.
"No logos or names of the Indian banks have been used in these phishing websites, in order to avoid suspicion and detection. Moreover, the malicious customer support application is not hosted on the Google Play Store or any of the third-party application stores," said the researchers.
The malicious application is then used to send all the incoming SMS to the scammer's C2 (command and control) server.
"Even if a user's accounts are secured by multi-factor authentication, threat actors can still use the app to gather private information, conduct illicit activities on the users' banking accounts, and access their other accounts," the researchers warned.
Researchers from CloudSEK discovered and examined an Android app that pretends to be a bank customer service app. This application requests the user for two permissions on their device to receive SMS and send SMS.
The application's source code is revealed to be available on Github. The application does not have any obfuscation or evasion mechanisms that makes it difficult for antivirus or other solutions to detect it.
After the app has been installed on a victim's mobile phone, any SMS containing an OTP received on the device is redirected to the target phone controlled by the threat actor, the report mentioned.
"It is important to be extra cautious when installing new applications. Download apps from reputable app stores like the Google Play store and the App Store only. After installing any application, be careful while granting permissions," said Das.