The malware, which can be remotely controlled by miscreants once it has infected a device, appears to be an updated version of an Android software nasty first observed in 2021. Back then it was seen robbing Indian bank customers. This latest variant has several additional backdoor capabilities and much better obfuscation, allowing it to stealthily steal victims' two-factor authentication (2FA) messages for bank accounts, account login details, and personally identifiable information (PII) without detection, we're told.
The Microsoft threat hunters' investigation began after receiving a text message claiming to be from India's ICICI bank's rewards program. It included the bank's logo, alerted the user that their loyalty points were about to expire, and instructed them to click on a malicious link.
Clicking on the link downloads a fake banking rewards app, which the Redmond team detected as carrying TrojanSpy:AndroidOS/Banker.O. When run, it asks the user to enable specific permissions, and then asks for the user's credit card details to harvest along with all the other data it is instructed to steal. One hopes being asked for card information right off the bat is a red flag for most people.