Cybersecurity researchers have uncovered a sophisticated mobile malware campaign called “FatBoyPanel” that targets users of Indian banks. The campaign, involving approximately 900 malware samples, operates by distributing malicious APK files through WhatsApp that impersonate legitimate government and banking applications. The latest threat emerges as India continues to strengthen its digital banking infrastructure, including the recent launch of its national cyber scammer database to combat digital fraud.
The malware specifically targets sensitive financial and personal information, including Aadhaar numbers, PAN cards, ATM PINs, credit and debit card details, and mobile banking login credentials. It employs three primary attack methods: SMS forwarding to attacker-controlled phone numbers, Firebase exfiltration for stolen SMS data, and a hybrid approach combining both methods. The attack is particularly concerning given India’s widespread adoption of Aadhaar-based authentication for financial services and government programs.
Researchers have identified over 1,000 malicious applications connected to this campaign. The exposed data, affecting approximately 50,000 users, includes bank account details and government-issued IDs. The stolen information was found to be publicly accessible through Firebase endpoints because the attackers' databases lacked adequate authentication rules, a reminder of how easily misconfigured cloud storage exposes whatever is written to it.
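As an added illustration (not taken from the article or from the researchers it cites), here is the kind of Firebase Realtime Database rule set that leaves every record world-readable, followed by a rule set that denies access by default and lets an authenticated user reach only their own record; the `users` path, the `$uid` key and the `phone` field are assumptions for the example, and the two rule sets would live in two separate rule files.

```json
// ---- weak: any client that knows the database URL can read and write everything ----
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// ---- corrected: deny by default, then grant per-user access only to the owner ----
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        // only the signed-in user whose uid matches the path may read or write
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        // reject writes that do not carry the fields the app expects (assumed schema)
        ".validate": "newData.hasChildren(['phone'])"
      }
    }
  }
}
```

Rules can be checked against sample requests in the Firebase console's Rules Playground before they are published with `firebase deploy --only database`.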
Analysis of the attackers’ phone numbers shows a concentration in specific regions, with West Bengal, Bihar, and Jharkhand accounting for 63 percent of the registered numbers, suggesting a coordinated regional effort. The malware campaign enhances its credibility by replicating the app icons and interfaces of prominent Indian banks, exploiting the growing adoption of digital banking services in India.
“The reliance on one-time passcodes, delivered via SMS, underscores a critical weakness in multi-factor authentication,” says Jason Soroko, senior fellow at Sectigo. “OTPs are inherently vulnerable to interception and redirection, making them an insufficient defense against sophisticated attacks.” The vulnerability has been highlighted in recent incidents, including the “AuthQuake” MFA vulnerability that affected major authentication systems.
Security experts recommend downloading banking applications exclusively from official app stores and enabling multi-factor authentication. Users are advised against installing apps through unverified third-party sources and should use the Google Play Store, which includes security measures like Play Protect to detect harmful software. These recommendations support India’s broader efforts to secure digital transactions, including the implementation of stricter KYC requirements and biometric authentication measures.
Sources: InfoSecurity Magazine, GB Hackers, HackRead