Beware of Fraudulent Scholarship Apps Targeting Students

In recent months, a sophisticated Android malware campaign has emerged, specifically targeting students in Bangladesh. These malicious applications masquerade as legitimate scholarship programs, purportedly endorsed by the Bangladesh Education Board, and promise financial aid to unsuspecting users. The primary objective of these fraudulent apps is to harvest personal and financial information, intercept SMS messages, and exploit device permissions to conduct unauthorized banking transactions.

Distribution Tactics

The perpetrators employ smishing (SMS phishing) techniques to distribute these malicious applications. Students receive SMS messages containing links that redirect them to malicious APK hosting sites such as appsloads.top and downloadapp.website. The deceptive nature of these messages, often adorned with official logos and academic terminology, lowers the recipients’ guard, increasing the likelihood of installation.

Installation and Data Harvesting

Upon installation, the app prompts users to sign in via Google or Facebook and requests sensitive details, including full name, department, and institute affiliation. This initial stage of social engineering is crucial for building trust and collecting information necessary for subsequent attacks.

Permission Exploitation

After harvesting credentials, the malware requests high-risk permissions, including Accessibility Service, SMS access, overlay, and call management rights. Once granted, the app registers an SMSBroadcastReceiver to capture incoming texts containing keywords associated with major Bangladeshi banks (e.g., bkash, NAGAD, MYGP) and specific USSD service codes. The intercepted messages are then forwarded to a Firebase-hosted command and control (C2) server, enabling remote attackers to coordinate further malicious activities.

Automated Banking Transactions

Once these permissions are granted, the malware, identified as SikkahBot, enters its most dangerous phase: automated banking transactions. Abusing the Accessibility Service, the malware continuously monitors the foreground application. When it detects a targeted banking app such as bKash, Nagad, or Dutch-Bangla Bank, it retrieves one-time PINs from the C2 server and uses them to log in automatically, without any user interaction.

If banking apps are inactive, the malware executes USSD codes received from the server, filling input fields and invoking buttons labeled SEND or OK within the USSD dialog to initiate fund transfers without an active internet connection.

Infection Mechanism and Persistence

SikkahBot’s infection mechanism is a blend of social engineering and stealthy permission abuse. After the initial APK installation, the malware copies its APK file to a hidden directory and registers itself as a device administrator, so that uninstallation attempts trigger device-administrator lock prompts instead of removal. It declares receiver components in its AndroidManifest.xml to persist across reboots and periodically contacts the Firebase C2 endpoint to fetch new modules.

By abusing the Accessibility Service, the malware can re-enable its own services if they are disabled by security-conscious users. The combination of persistent device administrator rights, manifest-declared receivers, and periodic C2 polling makes SikkahBot exceptionally resilient against removal and detection.
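The permission and receiver combination described in the two sections above (Accessibility Service, SMS interception, overlay, device-administrator registration and manifest-declared receivers for reboot persistence) can be checked statically during triage. The script below is an added example, not SikkahBot's code or any vendor's tool; it assumes a manifest already decoded to text (for example with apktool), and the mapping from the report's wording to standard Android permission constants is the author's assumption. The sample manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # prefix of android: attributes

# The report's high-risk permissions, mapped to Android constants (assumption).
RISK_PERMS = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
# Components bound with these permissions expose accessibility / device-admin APIs.
BIND_PERMS = {
    "accessibility": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "device_admin": "android.permission.BIND_DEVICE_ADMIN",
}
# Receiver actions: SMS interception and the reboot-persistence hook.
RECEIVER_ACTIONS = {
    "sms_receiver": "android.provider.Telephony.SMS_RECEIVED",
    "boot_receiver": "android.intent.action.BOOT_COMPLETED",
}

def triage_manifest(xml_text: str) -> set:
    """Return the set of risky indicators declared in a decoded manifest."""
    root = ET.fromstring(xml_text)
    found = set()
    declared = {e.get(NS + "name") for e in root.iter("uses-permission")}
    found |= {tag for tag, names in RISK_PERMS.items() if declared & names}
    bound = {e.get(NS + "permission") for e in root.iter()}
    found |= {tag for tag, perm in BIND_PERMS.items() if perm in bound}
    actions = {a.get(NS + "name") for r in root.iter("receiver") for a in r.iter("action")}
    found |= {tag for tag, act in RECEIVER_ACTIONS.items() if act in actions}
    return found

def matches_banker_pattern(found: set) -> bool:
    """The combination the report describes: accessibility abuse plus SMS
    interception plus at least one persistence hook (device admin or boot receiver)."""
    return {"accessibility", "sms_receiver"} <= found and bool(found & {"device_admin", "boot_receiver"})

# Constructed sample manifest exhibiting the pattern (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".SmsRx"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application></manifest>"""
```

Legitimate SMS or accessibility apps will trip individual indicators, so treat the combined pattern as a triage signal that warrants manual review rather than a verdict.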

Recommendations for Users

To protect against such threats, users are advised to:

– Verify Sources: Only download applications from official and reputable sources.

– Be Cautious with Permissions: Scrutinize the permissions requested by applications and avoid granting high-risk permissions unless absolutely necessary.

– Stay Informed: Keep abreast of the latest cybersecurity threats and tactics employed by malicious actors.

– Use Security Solutions: Employ reputable mobile security solutions to detect and prevent malware infections.

By remaining vigilant and adopting these practices, users can significantly reduce the risk of falling victim to such sophisticated malware campaigns.