Zscaler Blog

Security Research

How a Phishing Campaign Targeting Indian Banking Users is Distributing an SMS Stealer

Scammers are always coming up with new, more sophisticated social engineering techniques to collect user credentials for financial benefit. However, when it comes to banking websites, capturing login credentials via a phishing campaign often isn’t enough for cybercriminals.

Because most banking sites now enforce two-factor authentication, typically a one-time password (OTP) sent by SMS to the registered mobile number, stolen login credentials alone are no longer enough to complete a transaction. Attackers have responded by targeting the second factor itself: an app that can read the victim's SMS messages captures the OTP the moment it arrives.

Zscaler’s ThreatLabz researchers recently discovered a sophisticated phishing campaign targeting customers of top Indian banks like State Bank of India, Punjab National Bank, Union Bank, HDFC, and Canara. The well-designed phishing pages are difficult to distinguish from legitimate sites and aim to collect all the customer’s banking credentials including account holder name, registered mobile number, account number/card number, ATM pin, IFSC code, and expiry date. The end goal of capturing this information is to install a malicious SMS stealer that monitors the messages on the infected mobile/tablet, and communicates with a C2 server whenever the customer receives an SMS.

Analysis of a phishing campaign:

The homepage depicts a customer support form for submitting queries. The user is asked to enter their name, phone number, and reason for the failed transaction as shown in the figure below.




Fig 1. Phishing Home Page


In the next step, the user is asked to enter an account number, which can be used to log in to an online banking account.




Fig 2. Refund Mode Confirmation


The next step prompts the user to re-enter the account number (probably as a confirmation) together with the IFSC code, which identifies the bank branch.




Fig 3. Prompt for Account No. & IFSC code

After that, the user is required to enter the CIF number and the card expiry date. The Customer Information File (CIF) number is an 11-digit identifier under which the bank keeps a customer's personal and account records; with it, an attacker can tie the captured card and account details to a specific customer.



Fig 4. Prompt for CIF number and Expiry Date


After that, the phishing page asks users to enter their ATM PIN as shown in the screenshot below.




Fig 5. Prompt for ATM Pin

In the last step, an app gets downloaded on the user’s device and a message is displayed for the user to wait until the download starts.




Fig 6. Malicious APK download

Here are a few more campaigns with the same phishing techniques targeting other Indian bank users.




Fig 7. A phishing campaign targeting Punjab National Bank users.




Fig 8. A phishing campaign targeting BHIM UPI users


Analysis of Android SMS Stealer:

The downloaded app is a basic SMS stealer that poses as a banking support app named SBI Quick Support and carries the official logo of the targeted bank.



Fig 9. Malware portraying itself as SBI Quick Support App


Once installed, the app requests permission to read and send SMS messages on the device, as shown in the figure below.




Fig 10. Screenshot and code snippet for SMS permission

The malware also achieves persistence on the infected device by declaring the RECEIVE_BOOT_COMPLETED permission, which lets its receiver for the boot-completed broadcast restart it after the device reboots.




Fig 11. Code snippet for Autostart configuration


If any of the permissions get denied, the malware displays an alert dialog to manipulate the user into granting permission.




Fig 12. Code snippet for displaying alert dialog


Lastly, after all the permissions are granted, the malware displays a fake form for submitting a complaint number. Meanwhile, in the background, it monitors all incoming messages.




Fig 13. Screenshot and code snippet for displaying fake form


As soon as any message is received on the victim's phone, the malware forwards the message, along with some device information, in a POST request to a C2 server whose URL is hardcoded in the app.




Fig 14. C2 URL stored in a variable
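The permission and receiver pattern described above (SMS read/receive, INTERNET for the C2 POST, and RECEIVE_BOOT_COMPLETED with a boot receiver) can be checked statically before an APK is ever run. The following Python script is an added example, not code from the original post or from the malware: it parses a decoded AndroidManifest.xml (for instance the one apktool writes) and flags that combination. The package names, class names and both sample manifests are constructed for illustration.

```python
# Added example for this post (not ThreatLabz code): static triage of a decoded
# AndroidManifest.xml for the SMS-stealer pattern described above. Package names,
# class names and the sample manifests below are constructed for illustration.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # attribute key ElementTree uses for android:name

# Real Android permission and action strings; the combination is the signal.
SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SEND_SMS = "android.permission.SEND_SMS"
INTERNET = "android.permission.INTERNET"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"


@dataclass
class Triage:
    package: str
    permissions: set
    receiver_actions: set
    findings: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.findings)


def triage_manifest(xml_text: str) -> Triage:
    """Return the permissions, receiver actions and findings for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME, "") for e in root.iter("uses-permission")}
    # Actions declared inside <receiver><intent-filter> blocks.
    actions = {a.get(NAME, "") for r in root.iter("receiver") for a in r.iter("action")}
    t = Triage(root.get("package", ""), perms, actions)

    if perms & SMS_READ_PERMS:
        t.findings.append("requests SMS read/receive permission")
    if SMS_ACTION in actions:
        t.findings.append("registers a receiver for SMS_RECEIVED (sees every incoming message)")
    if INTERNET in perms and perms & SMS_READ_PERMS:
        t.findings.append("SMS access combined with INTERNET (exfiltration path to a C2)")
    if BOOT_PERM in perms and BOOT_ACTION in actions:
        t.findings.append("RECEIVE_BOOT_COMPLETED plus a boot receiver (persistence across reboots)")
    if SEND_SMS in perms:
        t.findings.append("can send SMS (carrier billing fraud / propagation)")
    return t


# Constructed manifest mirroring the behaviour described in the post (not the real sample).
STEALER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesupport">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Quick Support">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest: network access only, no SMS or boot hooks.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="News">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def report(xml_text: str) -> str:
    """Human-readable summary: one header line plus one line per finding."""
    t = triage_manifest(xml_text)
    lines = [f"{t.package}: {t.score} finding(s)"] + [f"  - {f}" for f in t.findings]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(STEALER_MANIFEST))
    print(report(BENIGN_MANIFEST))
```

The score is a triage heuristic, not a verdict: a legitimate default SMS app will also register for SMS_RECEIVED and request INTERNET, so a hit should be read against the app's stated purpose (a "customer support" form has no business reading messages) and followed by a look at where the received text is sent, as the Fig 14 snippet shows for this sample.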




Fig 15. Cloud Sandbox report for SMS Stealer




Android powers hundreds of millions of mobile devices around the world. It is the largest installed base of any mobile platform and still growing, and attackers take advantage of that reach by targeting Android users.

The flexibility and ease of use of Android have driven a steady increase in mobile banking, and users are inadvertently installing malicious apps such as the stealer described above. Some best practices for protecting Android users are:

  • Only install apps from official stores, such as Google Play.
  • Never click on unknown links received through ads, SMS messages, emails, or any other messaging application.
  • Keep the "Unknown Sources" option disabled on your Android device (on Android 8.0 and later this is the per-app "Install unknown apps" setting); it prevents applications from being installed from outside the official store.

Package Names:

MD5 Hashes:

MITRE ATT&CK Techniques:

  • Access Stored Application Data
  • Capture SMS Messages
  • System Network Connections Discovery
  • System Information Discovery
  • Application Layer Protocol
  • Carrier Billing Fraud

