Critical Vulnerability in YONO SBI App Exposes Users to Man-in-the-Middle Attacks

A significant security flaw has been identified in the YONO SBI banking application, potentially exposing millions of users to cyber threats. The vulnerability, designated as CVE-2025-45080, affects version 1.23.36 of the YONO SBI: Banking & Lifestyle app and arises from insecure network configuration settings that permit unencrypted data transmission.

Understanding the Vulnerability

The core issue lies in the app’s AndroidManifest.xml file, where the `<application>` element carries the attribute `android:usesCleartextTraffic="true"`. This setting allows the application to transmit data over unencrypted HTTP connections, contravening modern security best practices for financial applications. In effect, the app opts out of Android’s default protection against cleartext traffic, which exists precisely to safeguard user data.

Potential Exploitation

Security researcher Ishwar Kumar, who discovered the vulnerability, demonstrated that it can be exploited through a relatively straightforward process. By decompiling the APK using tools like APKTool and examining the application manifest, researchers can confirm the presence of the insecure configuration. Network analysis tools such as Burp Suite or Wireshark can then intercept and monitor the unencrypted traffic between the app and its servers.

This configuration violates Android’s security guidelines for apps targeting API level 28 (Android 9) or higher, where cleartext traffic is disabled by default. The vulnerability creates multiple attack vectors, including eavesdropping on sensitive communications, data tampering during transmission, and, most critically, man-in-the-middle (MITM) attacks, where malicious actors can position themselves between users and legitimate banking servers.

Implications for Users

The cybersecurity community has classified this vulnerability as having a High impact rating, which is particularly concerning given the sensitive nature of banking applications. Financial institutions typically handle highly sensitive data, including personal identification information, account numbers, transaction details, and authentication credentials. When such data is transmitted over unencrypted channels, it becomes vulnerable to interception by cybercriminals operating on the same network infrastructure.

Man-in-the-middle attacks enabled by this vulnerability could allow attackers to capture login credentials, monitor financial transactions, and steal personal information. This risk is heightened when users access the app over unsecured networks, such as public Wi-Fi hotspots, where attackers can more easily intercept data.

Broader Context of Security Concerns

This vulnerability is not an isolated incident. In recent years, banking applications have increasingly become targets for cybercriminals. For instance, the BlackRock malware discovered in 2020 had the capability to steal data from 337 apps, including YONO Lite SBI, Netflix, and Uber. Once installed, BlackRock monitored when targeted apps were opened and overlaid fake login screens to steal user credentials. The stolen data was then sent to a server controlled by the attackers. ([zeebiz.com](https://www.zeebiz.com/technology/news-alert-new-malware-can-steal-passwords-card-data-from-337-apps-including-yono-lite-sbi-uber-full-list-131401?utm_source=openai))

Additionally, in 2021, SBI account holders in Kerala were duped by online fraudsters who sent bogus text messages claiming that their accounts had been blocked. These messages directed users to fake websites resembling the official SBI site, where they were prompted to enter sensitive information, leading to unauthorized access to their accounts. ([onmanorama.com](https://www.onmanorama.com/content/mm/en/kerala/top-news/2021/10/08/sbi-account-holders-duped-yono-app-hacked.html?utm_source=openai))

SBI’s Response and User Recommendations

In response to these security challenges, the State Bank of India has been proactive in issuing alerts and guidelines to its customers. The bank has advised users to:

– Install the YONO SBI/YONO Lite mobile app only from official sources like the Play Store or App Store.

– Regularly change passwords and MPINs.

– Keep devices free from malware and adware.

– Use ‘https’ before typing a URL in the browser address bar for Online SBI.

– Click the padlock symbol in the address or status bar of Online SBI to view and verify the security certificate.

– Refer to the bank’s official website to know details about authorized WhatsApp/call center numbers.

Customers are also advised to note that the web portal of YONO was discontinued on December 1, 2021, and YONO SBI can now be accessed only through the app available on the Play Store or App Store. Additionally, users should avoid providing access to any apps with remote access or SMS forwarding capabilities while using Online SBI or YONO SBI/YONO Lite app. ([news18.com](https://www.news18.com/business/sbi-yono-online-banking-safety-tips-8439205.html?utm_source=openai))

Technical Measures and Future Steps

To mitigate such vulnerabilities, it is crucial for developers to adhere to secure coding practices and conduct thorough security assessments. Ensuring that applications do not allow cleartext traffic is a fundamental step in protecting user data. Regular updates and patches should be provided to address any identified vulnerabilities promptly.
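The check below is an added example, not code from the advisory or from SBI: it decides whether a decoded AndroidManifest.xml (as produced by the APKTool step described under “Potential Exploitation”) effectively permits cleartext HTTP, applying Android’s documented precedence (a network security config’s base-config overrides `android:usesCleartextTraffic`, and the attribute’s default is false when targetSdkVersion is 28 or higher). The manifest strings and the `network_security_config.xml` are constructed samples showing the weak setting beside the corrected one; the package name is a placeholder.

```python
# Added example: evaluate an app's effective cleartext-traffic policy from its manifest.
# Precedence (per Android docs): network security config base-config > manifest
# usesCleartextTraffic attribute > platform default (false for targetSdkVersion >= 28).
import xml.etree.ElementTree as ET
from typing import Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample resembling the insecure setting described in the advisory.
VULNERABLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:targetSdkVersion="33"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>"""

# Constructed hardened sample: attribute removed, explicit network security config referenced.
HARDENED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
  <uses-sdk android:targetSdkVersion="33"/>
  <application android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>"""

# Constructed res/xml/network_security_config.xml that forbids cleartext for every domain.
HARDENED_NSC = """
<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>"""


def cleartext_permitted(manifest_xml: str, nsc_xml: Optional[str] = None) -> bool:
    """Return True if the app may send plain HTTP by default, False otherwise."""
    root = ET.fromstring(manifest_xml)
    if nsc_xml is not None:
        # A network security config, when present, takes precedence over the manifest flag.
        base = ET.fromstring(nsc_xml).find("base-config")
        value = base.attrib.get("cleartextTrafficPermitted") if base is not None else None
        if value is not None:
            return value.lower() == "true"
    else:
        app = root.find("application")
        flag = app.attrib.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
        if flag is not None:
            return flag.lower() == "true"
    # Nothing explicit: fall back to the platform default, which depends on targetSdkVersion.
    sdk = root.find("uses-sdk")
    target = int(sdk.attrib.get(ANDROID_NS + "targetSdkVersion", "1")) if sdk is not None else 1
    return target < 28


if __name__ == "__main__":
    print("vulnerable manifest permits cleartext:", cleartext_permitted(VULNERABLE_MANIFEST))
    print("hardened manifest permits cleartext:", cleartext_permitted(HARDENED_MANIFEST, HARDENED_NSC))
```

Run it against the `AndroidManifest.xml` and `res/xml/network_security_config.xml` that APKTool writes out to confirm a build no longer permits cleartext before release.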

Users should remain vigilant and adopt best practices for online security, such as avoiding the use of banking applications over unsecured networks, regularly updating apps and operating systems, and being cautious of unsolicited messages or links requesting personal information.

In conclusion, while digital banking offers convenience, it also necessitates heightened awareness and proactive measures from both financial institutions and users to safeguard sensitive information against evolving cyber threats.