The “Banking KYC” Android Malware Campaign Targeting Indian Users
A sophisticated new Android malware campaign is currently circulating via WhatsApp, masquerading as an essential “Banking KYC” (Know Your Customer) verification application. Specifically targeting the Indian banking sector, this threat utilizes social engineering and advanced technical evasion to hijack mobile devices and facilitate large-scale financial fraud.
The attack vector is simple but effective: victims receive a WhatsApp message claiming their bank account is at risk of being blocked unless they complete an urgent KYC update. The message includes an APK file that, once installed, initiates a deceptive “Update Required” full-screen overlay. This overlay serves a dual purpose: it creates the illusion of a legitimate in-app update while masking the installation of highly malicious secondary payloads.
According to recent research by CYFIRMA, this operation is not a simple phishing attempt but a multi-stage infection chain that uses native code obfuscation to hide its true intent: intercepting SMS, controlling cellular calls, and executing USSD commands to drain bank accounts.
When a user clicks “Install Update,” the malware triggers a cascading series of permission requests. It first requests to establish a VPN connection, followed by the permission to “install unknown apps.” This allows the initial loader to silently deploy a hidden, secondary APK in the background without the user ever seeing a new icon in their app drawer.
Technical Analysis: Multi-Stage Droppers and Native-Layer Obfuscation
The primary application (packaged as com.***appad.andr) functions strictly as a sophisticated loader. It utilizes a non-exported InstallReceiver to monitor system events like PACKAGE_ADDED, ensuring it can react immediately once the environment is ready for the next stage.

To bypass static analysis, the malware employs a clever decryption routine. It embeds an encrypted APK asset and derives a 32-byte XOR key directly from its own package name. This key is used to decrypt the payload at runtime, which is then written to a temporary, obfuscated filename within the app’s private storage. Using a PackageInstaller session-based flow, the malware installs the secondary payload (com.am5maw3.android) silently, minimizing the friction that typically alerts a user to a new installation.
The developers have also moved critical intelligence out of the standard Java/Kotlin layers to evade automated sandboxes. By utilizing the Java Native Interface (JNI), the malware stores its command-and-control (C2) URLs, encryption keys, and agent identifiers within a native library (libnative-lib.so). For instance, the primary backend endpoint (https[:]//jsonapi[.]biz) and the agent ID (XGEKKWB3) are reconstructed character-by-character at runtime, making them invisible to standard string-searching tools.
Furthermore, the malware registers a custom SecureVpnService to establish a full-tunnel VPN. By routing all device traffic through a local address (10.0.0.2) and using Google DNS (8.8.8.8), the attackers gain a powerful “man-in-the-middle” position on the device.

This network hijacking isn’t just for surveillance; it acts as a defensive shield. By controlling the network layer, the malware can intercept and disrupt telemetry sent to security services, effectively degrading the efficacy of Google Play Protect and other reputation-based security tools.
Once the connection is established, the malware utilizes Firebase Cloud Messaging (FCM) to receive remote commands. Commands routed to AgentCore.ProcessCommand allow the attacker to execute a wide array of functions, including SET_SMS_FORWARD, RUN_USSD, and MAKE_CALL, essentially turning the smartphone into a remote-controlled fraud terminal.

Telephony Exploitation and Polished Phishing Flows
The secondary payload’s primary objective is the theft of financial credentials. It uses Unicode-based obfuscation (e.g., ṩỹṧ꙱ṫḗṃ.tmp) for its working files to further confuse forensic investigators. A high-priority SMS receiver is deployed to intercept incoming messages, reconstruct PDUs, and immediately forward OTPs to the attacker’s backend.
Beyond real-time interception, the malware can perform “bulk dumps” of the entire SMS inbox and use the TelecomManager API to initiate outbound calls or trigger USSD codes to manipulate call forwarding settings.
To collect user credentials, the malware utilizes a highly polished, “humanized” phishing interface built with a statically bundled Next.js frontend running inside a Capacitor WebView. This interface systematically guides victims through a fake KYC process to harvest:
- Mobile numbers and ATM PINs.
- Aadhaar numbers and dates of birth.
- Full credit/debit card details (Number, Expiry, CVV, and PIN).

The campaign appears to be an evolution of previous “RTO e-Challan” fraud operations. The infrastructure shows a clear lineage of domain evolution: from jsonserv[.]xyz to jsonserv[.]biz, and finally to the current jsonapi[.]biz. This modular approach allows the threat actors to maintain persistence even as individual domains are flagged by security vendors.
Indicators of Compromise (IOCs)
Security professionals and mobile device management (MDM) administrators should monitor for the following indicators:
| Indicator | Type | Remarks |
|---|---|---|
34479b18597f1a0deb5d55b8450bc21af1d1f638c4ceca1ee19e6f5ac89d6be2 |
SHA-256 | Initial Dropper |
1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb |
SHA-256 | Secondary Malicious APK |
jsonapi[.]biz |
Domain | Primary C2 Infrastructure |
jsonserv[.]biz |
Domain | Legacy C2 Infrastructure |
jsonserv[.]xyz |
Domain | Legacy C2 Infrastructure |