These Android Apps Are Spying on You and Stealing Your Money

Posted by ExcalibuR

How trojans gain control of smartphones through fake dialogs.


Researchers at CYFIRMA have issued a warning about a new wave of attacks involving malicious Android apps disguised as official banking clients. The apps are built to steal user data, intercept messages, and carry out unauthorized financial transactions. According to the analysts, the malware primarily targets customers of Indian banks and uses evasion and disguise techniques to avoid detection. It is distributed through fake websites, messaging apps, phishing messages, and even counterfeit system updates.


Once installed, the app requests high-risk permissions and then silently begins its hidden activity. The malware can read and send SMS, intercept one-time passcodes and notifications, monitor phone calls, and collect data about the SIM card. It uses Firebase both as a control channel and as the repository for stolen data, and it registers to start automatically on device reboot so that it survives a restart.


A notable aspect of the attack is its modular architecture. The malware consists of two components: a dropper and the main payload. First, a dropper APK is downloaded; it mimics a legitimate app and uses stealth installation methods. Through a specially crafted interface, the user is then tricked into installing a second APK that contains the data-stealing functionality (on current Android versions this requires the user to grant the dropper permission to install unknown apps, which is one reason the install is dressed up as an update). This main component hides itself from the app list, shows no icon, and runs entirely in the background.
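The permission and component pattern described in the two paragraphs above (SMS read/send, boot persistence, notification access, sideloading of a second APK, no launcher icon, Firebase as the back end) is something an analyst can check statically in a decoded manifest before ever running the sample. The following triage script is an added example written for this page, not code from CYFIRMA or from the malware; the package names, hostnames, manifests and string table it uses are constructed sample data, and the scoring threshold is an arbitrary choice for illustration.

```python
"""Static triage of a decoded AndroidManifest.xml plus the APK's string table
for the capability pattern described above. All sample data below is
constructed for this example; no real app or Firebase project is referenced."""
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix for android: attributes

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
RISKY_PERMS = {  # permission -> why it matters for this malware family
    "android.permission.RECEIVE_BOOT_COMPLETED": "auto-start after reboot (persistence)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt install of a second APK (dropper)",
    "android.permission.CALL_PHONE": "can place calls and dial USSD codes",
    "android.permission.READ_PHONE_STATE": "can read SIM and device identifiers",
}
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
LAUNCHER_CAT = "android.intent.category.LAUNCHER"
FIREBASE_RE = re.compile(r"https?://[\w.-]+\.(?:firebaseio\.com|firebasedatabase\.app)")


def parse_manifest(xml_text):
    """Return the facts the triage needs from a decoded (text) manifest."""
    root = ET.fromstring(xml_text)
    info = {"package": root.get("package"),
            "permissions": {p.get(A + "name") for p in root.iter("uses-permission")},
            "has_launcher": False, "boot_receivers": [], "notif_services": []}
    app = root.find("application")
    if app is None:
        return info
    for act in app.iter("activity"):  # an app with no LAUNCHER activity shows no icon
        if any(c.get(A + "name") == LAUNCHER_CAT for c in act.iter("category")):
            info["has_launcher"] = True
    for rcv in app.iter("receiver"):  # BOOT_COMPLETED receiver = restart persistence
        if any(a.get(A + "name") == BOOT_ACTION for a in rcv.iter("action")):
            info["boot_receivers"].append(rcv.get(A + "name"))
    for svc in app.iter("service"):  # notification listener can read OTP notifications
        if svc.get(A + "permission") == NOTIF_LISTENER:
            info["notif_services"].append(svc.get(A + "name"))
    return info


def extract_firebase_endpoints(strings):
    """Firebase Realtime Database URLs found in the APK's string table."""
    return sorted({m.group(0) for s in strings for m in FIREBASE_RE.finditer(s)})


def triage(xml_text, strings=()):
    """Score one manifest (plus optional strings); each finding is one point."""
    info = parse_manifest(xml_text)
    perms, findings = info["permissions"], []
    if SMS_PERMS & perms:
        findings.append("SMS access: " + ", ".join(sorted(p.split(".")[-1] for p in SMS_PERMS & perms)))
    for perm, why in RISKY_PERMS.items():
        if perm in perms:
            findings.append(f"{perm.split('.')[-1]}: {why}")
    if info["boot_receivers"]:
        findings.append("BOOT_COMPLETED receiver: " + ", ".join(info["boot_receivers"]))
    if info["notif_services"]:
        findings.append("notification listener service: " + ", ".join(info["notif_services"]))
    if not info["has_launcher"]:
        findings.append("no LAUNCHER activity: the app would show no icon")
    endpoints = extract_firebase_endpoints(strings)
    if endpoints:
        findings.append("Firebase endpoints: " + ", ".join(endpoints))
    return {"package": info["package"], "findings": findings, "score": len(findings),
            "verdict": "suspicious" if len(findings) >= 3 else "low"}  # threshold is arbitrary


# Constructed sample: a manifest matching the described trojan (hypothetical app).
MALICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Secure Banking">
    <activity android:name=".FormActivity"/>
    <receiver android:name=".BootReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
MALICIOUS_STRINGS = ["https://example-project.firebaseio.com/cards.json", "otp", "Enter MPIN"]

# Constructed sample: an ordinary app with a launcher icon and only INTERNET.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/></intent-filter></activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml, strs in (("fakebank", MALICIOUS_MANIFEST, MALICIOUS_STRINGS),
                            ("notes", BENIGN_MANIFEST, [])):
        print(name, triage(xml, strs))
```

Feed it the output of a manifest decoder (apktool or similar) together with the strings pulled from the DEX and resources. A legitimate banking app may hold SMS permissions and a boot receiver for its own reasons, so treat the score as a triage signal, not a verdict; the combination of SMS access, REQUEST_INSTALL_PACKAGES, a notification listener and no launcher icon is what matches the family described here.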


Social engineering plays a key role in the attack. Victims are shown fake input forms that closely mimic the interface of real banking apps; even the phone number format and PIN length are validated to reinforce the illusion of authenticity. The collected data, including card numbers, CVVs, MPINs, and one-time codes, is sent to a Firebase cloud database. From there the attackers read the stolen information and can also issue commands to the infected device.


Further analysis revealed that the malware can execute remote commands delivered via push notifications, enable call forwarding, run USSD requests, and use the permissions it holds to collect device metadata. Using Firebase for command-and-control keeps the infrastructure inconspicuous: the service is free, its traffic blends in with that of countless legitimate apps, and a Realtime Database whose security rules are left open (as they are in test mode) accepts reads and writes without any authentication.


The malicious apps spread through a variety of channels, including fake bank websites, SEO manipulation, infected third-party app stores, malicious QR codes, and NFC tags. Sometimes they masquerade as system utilities such as fake Play Protect updates or battery managers. In some cases the malware may come pre-installed on cheap devices or be loaded over USB when an attacker has physical access to the phone.


CYFIRMA's experts urge users to disable installation of apps from unknown sources and to avoid clicking suspicious links in SMS or messaging apps. On Android 8 and later this is a per-app setting ("Install unknown apps"), so it is worth checking it for browsers and messaging apps in particular, since those are the apps through which a dropper typically arrives. They also recommend EDR-class mobile security solutions capable of monitoring app behavior in real time. For banks and telecom companies, they suggest deploying threat-intelligence-driven traffic filtering and actively monitoring for abuse of cloud platforms such as Firebase.


The researchers consider the campaign a sign of a high level of attacker sophistication and a reminder of how exposed the Android ecosystem is when apps can be installed from outside the official store. A single careless action by a user, such as approving one unexpected "update", can lead to a complete compromise of their financial data.