Minimal permissions are adequate for fraudulent Android financial applications


SonicWall Capture Labs Threat research team recently discovered a campaign requesting users to provide their card details on a fraudulent bank application under the pretense of claiming rewards points. Additionally, once users are persuaded to enable SMS-related permissions, the fraudulent application gains the capability to intercept and redirect One-Time Password (OTP) messages to the attackers’ server, giving them unauthorized access to the user’s banking credentials and potentially leading to fraudulent activities or financial loss.

The fraudulent app’s icon may closely resemble the original app’s icon in terms of color scheme, logo, and overall visual elements. This resemblance creates a false sense of trust and familiarity for unsuspecting users. They may not immediately recognize any visual discrepancies and may proceed with providing their card details without suspicion.

Fig1: Legitimate & malicious apps icon

Infection cycle:

The fraudulent apps utilize two crucial permissions.

  1. SMS permission: to read and identify incoming messages (two-factor authentication codes sent by the bank).
  2. INTERNET permission: to establish an internet connection and send the collected card and SMS details to the attacker’s server.
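The permission pair above is a useful triage signal for defenders: a self-declared rewards or banking app that asks for SMS-reading permissions, holds INTERNET, and registers a receiver for incoming SMS broadcasts fits the profile described in this post. The following script is an added example, not SonicWall's own tooling; it parses an AndroidManifest.xml that has already been decoded to text and flags that combination. The two manifests embedded in it (package names `com.example.rewards.fake` and `com.example.bank.legit`) are constructed for illustration and do not correspond to the sample analysed here.

```python
"""Manifest triage heuristic for the SMS + INTERNET permission profile.

Added example (not SonicWall code). Assumes the manifest has been decoded from
binary AXML to plain XML text before being passed in.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree's form of android:name

SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
INTERNET_PERMISSION = "android.permission.INTERNET"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed manifest resembling the fraudulent "rewards" app described above.
FAKE_REWARDS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rewards.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Rewards">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for a benign app: network access only, no SMS handling.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank.legit">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bank">
    <activity android:name=".LoginActivity"/>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the permission profile of a decoded manifest and a verdict.

    suspicious is True only when all three indicators are present: at least one
    SMS-reading permission, the INTERNET permission, and a receiver listening
    for SMS_RECEIVED broadcasts (what an OTP-stealing app needs to intercept
    codes and forward them to a remote server).
    """
    root = ET.fromstring(manifest_xml)
    declared = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    sms_perms = sorted(declared & SMS_PERMISSIONS)
    has_internet = INTERNET_PERMISSION in declared
    sms_receiver = any(
        action.get(NAME_ATTR) == SMS_RECEIVED_ACTION
        for receiver in root.iter("receiver")
        for action in receiver.iter("action")
    )
    return {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "internet": has_internet,
        "sms_receiver": sms_receiver,
        "suspicious": bool(sms_perms) and has_internet and sms_receiver,
    }


if __name__ == "__main__":
    for manifest in (FAKE_REWARDS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['package']}: {verdict} {result}")
```

The verdict is deliberately a conjunction of all three indicators: many legitimate apps hold INTERNET, and some hold SMS permissions for auto-filling verification codes, so a single permission on its own is a weak signal. A receiver for SMS_RECEIVED combined with outbound network access is what lets an app both capture an OTP and exfiltrate it, which is exactly the capability this campaign abuses.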

After installation, the app prompts the user to fill in their card details, enticing them with the promise of claiming rewards.

Fig2: Card details with random values


Fig3: Prompt for Card details


Fig4: Prompt for Card details


Fig5: Checks for SMS permission


Once the user shares their card details with the fraudulent app, it immediately initiates the process of transmitting this sensitive information to the attacker’s C&C server.

Fig6: Sharing card details with C&C server


It stores the user and card information in a local database located within the application system folder.

Fig7: Application system folder

Fig8: Storing user info in a local database


It reads incoming messages on the device and saves them in JSON format.

Fig9: Read incoming SMS


Fig10: Stores SMS info in a JSON format


It shares incoming message details with the C&C server.

Fig11: Sends SMS info to the C&C server


At the time of writing this blog, the file is detected by only a few security vendors on the popular threat intelligence sharing portal VirusTotal, which indicates its spreading potential.

Fig12: VirusTotal image


SonicWall Capture Labs provides protection against this threat via the SonicWall Capture ATP w/RTDMI.

Indicators of Compromise (IOC):