CSPF retweeted
Researchers Uncover BTMOB Malware Capable of Taking Over Android Phones cysecurity.news/2026/06/rese… #AndroidMalware #AndroidSecurity #BTMOBMalware
2
366
Fake banking app updates hosted on GitHub are being used to spread the NFCShare Android malware, targeting users with convincing impersonations of legitimate banking apps. #CyberSecurity #AndroidMalware #MobileSecurity #BankingSecurity #ThreatIntelligence
12
ICICI Bank Phishing site #Phishing site impersonating ICICI Bank lures victims with expiring reward points worth ₹4,925. hxxps://www.getrewardslogin[.]online Analysis of the JavaScript reveals credential harvesting via a Firebase backend. The phishing flow collects Aadhaar, PAN, DOB, address, mobile number, email, card details, ATM PIN, and OTPs. The site also pushes an APK file. The downloaded APK is likely intended for credential theft and further device compromise.
File hash: 5af77b5f5d014162cd3bf43314ebb91f39658c5be335c1efff7c9564e298e719
IOCs:
- getrewardslogin[.]online
- vishuicmix[.]firebaseapp[.]com
- vishuicmix[.]firebasestorage[.]app
- /public/rathd/rewards.apk
- /public/apkhd/rewards.apk
#Phishing #AndroidMalware @ICICIBank @Cyberdost @IndianCERT
3
3
14
1,216
Always comical when malware authors leave a message for when the binary is eventually analyzed 😄 Context: Android ransomware with loaded JNI native code, message was left in a native library. Analyzed on: openapk.ai #android #androidmalware #malware
1
84
They Scammed Money from My Friend’s Uncle with a Fake Axis Bank App, So I Reverse-Engineered the Android RAT Behind It

One month ago, my friend’s uncle received a call from someone pretending to be from “Axis Bank.” They claimed there was a security issue with his account and convinced him to install a “mandatory update” app. That “update” was not an update. It was a stealth Android Remote Access Trojan disguised as a flashlight app: com.bitmavrick.lumolight

By the time we caught it, the attackers had already withdrawn money from his bank account. When my friend noticed suspicious OTP spam and unusual activity, she called me. I exported the APK, moved it to my PC, and started reverse-engineering it solo.

What looked like a normal utility app turned out to be a staged banking malware chain. The first-stage app used native JNI code as a bootstrapper and hid the real logic behind encrypted assets. It used AES/CBC asset decryption, where the key was derived from the asset filename plus "1". Once decrypted, it loaded the next payload in memory using: dalvik.system.InMemoryDexClassLoader

It also had anti-analysis checks using: https://api[.]ipapi[.]is/ The app checked for VPN, TOR, proxy, datacenter IPs, and suspicious analysis conditions to avoid researchers and sandboxes.

Inside the hidden payload, I found another package: com.rolv.saxonnaias This showed a fake Axis Bank update screen to make the scam look legitimate. But in the background, it installed real payloads: Sam[.]AxisBank[.]Mobile and a companion app: com[.]kh[.]guamanianprediction

The capabilities were dangerous:
- SMS interception
- Notification capture
- SIM information theft
- Device information collection
- OTP monitoring
- Remote call forwarding using USSD commands
- Remote control through cloud config

The attackers controlled infected devices using Firebase Realtime Database. I found Firebase nodes for device info, call forwarding, SMS forwarding, dynamic Telegram config, bot token, chat ID, and command values. For exfiltration, the malware used Telegram Bot API methods like: sendMessage, sendDocument, sendPhoto

The full chain was clear: Fake bank call → victim installs fake app → staged loader decrypts hidden payload → payload collects sensitive data → attacker controls device using Firebase → stolen data goes to Telegram → money gets withdrawn.

The scary part is how polished this was.
 It used native code hiding, encrypted payloads, in-memory DEX loading, anti-analysis checks, fake banking UI, Firebase C2, Telegram exfiltration, SMS stealing, notification stealing, and USSD-based call forwarding. Despite heavy obfuscation, malformed stage-2 DEX files, native hiding, encrypted blobs, and long-string decoders, I was able to map the full chain. I recovered the loading logic, decrypted the assets, identified native entry points, exposed the Firebase command schema, and documented the Telegram exfiltration flow.
 After completing the analysis, I prepared the findings and reported everything to the authorities. This case was personal because it affected someone close to my friend.
 But it also shows how fast Android banking threats are evolving in India.
 Scammers are combining fake bank calls with real malware, cloud infrastructure, and stealthy Android techniques. For researchers: always look beyond the surface APK. The real payload may be encrypted, loaded in memory, hidden behind JNI, or delivered through staged logic. #CyberSecurity #AndroidMalware #ReverseEngineering #BankingFraud #ThreatHunting #InfoSec #MobileSecurity #MalwareAnalysis
11
38
163
7,989
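The write-up above lists the traits a defender can key on when triaging an APK of this kind: a native bootstrap library, a high-entropy (encrypted) asset carrying the next stage, and strings for in-memory DEX loading, the IP-intelligence anti-analysis lookup, Firebase Realtime Database and the Telegram Bot API. The following static triage script is an added example and not the author's tooling; it builds a constructed stand-in APK in memory (none of the real sample's files, hashes or hostnames are used, and the firebaseio.com subdomain is a placeholder) and reports which of those traits it finds.

```python
import io
import math
import zipfile

# Indicator substrings taken from the write-up above: in-memory DEX loading, the
# IP-intelligence lookup, Firebase RTDB C2 and the Telegram Bot API host.
INDICATORS = {
    "in_memory_dex": b"InMemoryDexClassLoader",
    "ip_intel_check": b"api.ipapi.is",
    "firebase_rtdb": b"firebaseio.com",
    "telegram_bot_api": b"api.telegram.org",
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; AES ciphertext sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_apk(apk_bytes: bytes) -> dict:
    """Scan DEX and native code for indicator strings; flag high-entropy assets."""
    report = {"indicators": set(), "native_libs": [], "suspicious_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.startswith("lib/") and name.endswith(".so"):
                report["native_libs"].append(name)  # possible JNI bootstrapper
            if name.endswith((".dex", ".so")):
                for tag, needle in INDICATORS.items():
                    if needle.lower() in data.lower():
                        report["indicators"].add(tag)
            if name.startswith("assets/") and len(data) >= 256:
                ent = shannon_entropy(data)
                if ent > ENTROPY_THRESHOLD:  # likely an encrypted stage-2 blob
                    report["suspicious_assets"].append((name, round(ent, 2)))
    return report

def build_sample_apk() -> bytes:
    """Constructed stand-in for a staged loader APK; nothing here is the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00Ldalvik/system/InMemoryDexClassLoader;https://api.ipapi.is/https://api.telegram.org/bot")
        zf.writestr("lib/arm64-v8a/libloader.so", b"\x7fELFhttps://placeholder-rtdb.firebaseio.com/")
        zf.writestr("assets/stage2.bin", bytes(range(256)) * 16)  # stands in for the AES/CBC blob
        zf.writestr("assets/notes.txt", b"plain text asset " * 32)
    return buf.getvalue()
```

Run it as `triage_apk(open("sample.apk", "rb").read())` on a real file; string hits alone are weak evidence, so treat the combination of a native library, an encrypted asset and a loader string as the signal worth escalating.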
IOCs:
- rto-seva[.]online/parivahan/app/
- ata011.b-cdn[.]net/final-2d0d6519.apk
- MD5: 88699d567254fa954f0394347317e1df
- fir-[REDACTED]-rtdb.firebaseio.com
Reported to Google, CERT-In & Bunny CDN. If you get a challan SMS with a link, DO NOT click. (12/12) #AndroidMalware
3
7
41
1,699
Fake APK Apps Fuel 190% Rise in Digital Fraud Across Karnataka cysecurity.news/2026/05/fake… #AndroidMalware #AndroidSecurity #APKFraud
2
1
366
New #IOC related to #BTMOB #RAT 102.220.88[.]4[:]88 btmob-rat[.]com 64.89.161[.]92 ref: welivesecurity.com/en/malwar… @500mk500 @ViriBack @skocherhan @BlinkzSec @JAMESWT_WT @ESETresearch @malwrhunterteam #Panel #CTI #BlueTeam #AndroidMalware Strictly for defensive purposes
1
3
11
818
Cyble analyzes OverlayPhantom, an Android banking trojan targeting 180 apps across 10 countries, stealing credentials via fake overlays and real-time screen streaming. cyble.com/blog/overlayphanto… #AndroidMalware #ThreatIntel #BankingTrojan #CredentialTheft
2
2
192
Rising Digital Invitation Scams Highlight Need for Strong Cyber Awareness cysecurity.news/2026/05/risi… #AndroidMalware #APKMalware #CyberAttacks
1
1
364
A new and dangerous threat has emerged for Android users: a type of malware that appears to be a normal app, but can take full control of the entire device as soon as it is installed. Users are trapped through APK files sent under the guise of a "Banking app" or "customer support." Once accessibility permissions are granted, the attacker can silently access the phone, including OTPs, SMS, calls, and personal data. This is what makes this attack so dangerous: the user doesn't even realize it, and control slips into the attacker's hands. An advisory on this threat has been issued by i4c, MHA. Read the full details here: i4c.mha.gov.in/theme/resourc…
Keep in mind:
- Never download unknown APK files
- Install apps only from official app stores
- Do not enable accessibility permissions without understanding them
- Uninstall suspicious apps immediately
#AndroidMalware #CyberSecurityIndia #MobileSecurity #StaySafeOnline #CyberAwareness @AdgpArmedJK @SIAJKPolice @Traffic_hqrs @RailwayPoliceJK @KashmirPolice @ZPHQJammu @igp_jammu @crimebranchjkp @DigJsk @UHqrs @digrprange @rphqdkr_jkp @DIGCKRSGR @dig_north @DigSkr @KathuaPolice @sambapolice @Dis_Pol_Jammu @UdhampurPolice @REASIPOLICE @dpododa @SSPKishtwar @RambanPolice @RAJOURIPOLICE @Poonch_Police @SrinagarPolice @BudgamPolice @Gbl_Police @BaramullaPolice @SoporePolice @bandiporapolice @HandwaraP @policekulgam @AnantnagPolice @policekulgam @AwantiporPolice @ShopianPolice @ssppul #NashaMuktJammuKashmirAbhiyan #100DaysCampaign
11
21
1,577
A new and dangerous threat has surfaced for Android users: malware that looks like a normal app but can take control of the entire device as soon as it is installed. Users are trapped through APK files sent in the name of a "Banking app" or "customer support." Once accessibility permissions are granted, the attacker can silently access the phone, down to OTPs, SMS, calls and personal data. That is what makes this attack dangerous: the user does not even realise it, and control passes to the attacker. An advisory on this threat has been issued by i4c, MHA. Read the full details here: i4c.mha.gov.in/theme/resourc…
Keep in mind:
• Never download unknown APK files
• Install apps only from the official app store
• Do not enable accessibility permissions without understanding them
• If you see a suspicious app, uninstall it immediately
#AndroidMalware #CyberSecurityIndia #MobileSecurity #StaySafeOnline #CyberAwareness
5
60
107
9,032