
1,000 Apps Used in Malicious Campaign Targeting Android Users in India

Zimperium warns that threat actors have stolen the information of tens of thousands of Android users in India using over 1,000 malicious applications.

Mobile security firm Zimperium has uncovered a broad malicious campaign targeting Android users in India to steal personal and banking information.

Dubbed FatBoyPanel, the campaign has used more than 1,000 malicious applications for information theft, and differs from typical mobile-focused malicious campaigns by redirecting text messages to live phone numbers, instead of relying on command-and-control (C&C) servers, for one-time password (OTP) theft.

According to Zimperium, the attacks are orchestrated by a single threat actor that has used approximately 1,000 phone numbers to harvest user information. The company also identified roughly 900 malware samples associated with the campaign, primarily focusing on users of Indian banks.

“Analysis of the collected samples reveals shared code structures, user interface elements, and app logos, suggesting a coordinated effort by a single threat actor targeting mobile devices running the Android OS,” Zimperium said in a research note.

The company said it found more than 220 publicly accessible Firebase storage buckets in which the threat actor has stored 2.5 gigabytes of information such as SMS messages from banks, card and banking details, and government ID data, and estimates that 50,000 users have been compromised.

The campaign relied on WhatsApp for the distribution of APK files posing as government or banking applications, but which installed malware instead, tricking users into disclosing their sensitive information.

“The malware exploits SMS permissions to intercept and exfiltrate messages, including OTPs, facilitating unauthorized transactions. Additionally, it employs stealth techniques to hide its icon and resist uninstallation, ensuring persistence on the compromised devices,” Zimperium said.

The company said the malicious applications exfiltrate victims’ data by capturing and forwarding SMS messages, by sending the stolen messages to Firebase databases acting as C&C servers, or by combining the two techniques.


The applications feature hard-coded phone numbers to which they exfiltrate OTPs and SMS messages, “suggesting that these numbers are either directly controlled by the attackers or belong to compromised individuals under their control.”
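The traits Zimperium describes above (SMS permissions used to intercept and forward OTPs, a launcher icon the app can hide, and hard-coded phone numbers as exfiltration targets) are all visible statically in an APK's manifest and string table, which is what makes them useful triage signals for defenders. The script below is an added example written for this page, not Zimperium's tooling; the manifest and decompiled-string dump are constructed samples, and every phone number in them is a placeholder rather than an indicator from the campaign.

```python
"""Static triage heuristics for an Android app, modelled on the FatBoyPanel
traits described in the article: SMS permissions, a high-priority SMS receiver,
a launcher icon declared on a disableable alias, and hard-coded phone numbers.

Added example for this page, not Zimperium's code. Inputs are constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"

# Permissions that together let an app read, intercept and forward OTP texts.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Constructed manifest resembling a banking-themed dropper (hypothetical package).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".Launcher" android:enabled="true"
                    android:targetActivity=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed string dump; the +91 numbers are placeholders, not real IoCs.
SAMPLE_STRINGS = [
    "https://example-placeholder.firebaseio.com/",
    "+919999900001",
    "+91 99999 00002",
    "OTP received",
    "12345",  # too short to be a phone number, must not match
]

# Indian mobile numbers: optional +91 / 91 / 0 prefix, then ten digits
# starting with 6-9, with an optional separator between the digit groups.
INDIAN_MOBILE_RE = re.compile(r"(?:\+?91[\s-]?|0)?[6-9]\d{4}[\s-]?\d{5}\b")


def sms_permissions(root):
    """Return the declared SMS-related permissions, sorted."""
    declared = {p.get(NAME) for p in root.iter("uses-permission")}
    return sorted(declared & SMS_PERMISSIONS)


def has_sms_receiver(root):
    """True if any <receiver> listens for incoming SMS broadcasts."""
    for rcv in root.iter("receiver"):
        for action in rcv.iter("action"):
            if action.get(NAME) == "android.provider.Telephony.SMS_RECEIVED":
                return True
    return False


def has_hideable_launcher(root):
    """True if the LAUNCHER entry sits on an <activity-alias>: one common way
    an app removes its own icon is to disable that alias at runtime while the
    underlying activity and receivers keep working."""
    for alias in root.iter("activity-alias"):
        for cat in alias.iter("category"):
            if cat.get(NAME) == "android.intent.category.LAUNCHER":
                return True
    return False


def hardcoded_phone_numbers(strings):
    """Extract Indian mobile numbers from a string dump, normalised (no separators)."""
    found = {re.sub(r"[\s-]", "", m.group())
             for s in strings for m in INDIAN_MOBILE_RE.finditer(s)}
    return sorted(found)


def triage(manifest_xml, strings):
    """Combine the heuristics into a findings dict with a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    perms = sms_permissions(root)
    findings = {
        "sms_permissions": perms,
        "sms_receiver": has_sms_receiver(root),
        "hideable_launcher": has_hideable_launcher(root),
        "phone_numbers": hardcoded_phone_numbers(strings),
    }
    score = 0
    if {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"} & set(perms):
        score += 1
    if findings["sms_receiver"]:
        score += 1
    # SEND_SMS plus a hard-coded number is the OTP-forwarding path the article describes.
    if findings["phone_numbers"] and "android.permission.SEND_SMS" in perms:
        score += 2
    if findings["hideable_launcher"]:
        score += 1
    findings["verdict"] = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

The heuristics are deliberately coarse: a legitimate SMS client declares the same permissions, so the verdict is a triage priority for an analyst, not a malware determination. The forwarding combination (SEND_SMS alongside a hard-coded recipient number) is weighted highest because it is the part of the behaviour that needs no server at all, which is what distinguishes this campaign from the usual C&C-based OTP theft.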

The cybersecurity firm also discovered that the Firebase databases storing the stolen information lacked an authentication mechanism, meaning they were accessible to anyone, exposing administrator details and the phone numbers used for exfiltration.

By accessing the attackers’ administrative dashboard, Zimperium discovered the phone numbers used in the attacks, and concluded that it enabled multiple users to operate the campaign. Zimperium tracked the hard-coded phone numbers to specific regions in India, such as West Bengal, Bihar, and Jharkhand.

“Based on our current detection, no apps containing this malware are found on Google Play. Android users have been automatically protected against known versions of this malware by Google Play Protect since 2024. Google Play Protect is on by default on Android devices with Google Play Services, and can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play,” a Google spokesperson said in an emailed statement.

*Updated with statement from Google.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
