Full Report
As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team shares how we can help protect you against the fake SBI Reward banking trojan. The post Zimperium’s Comprehensive Protection Against Fake SBI Reward Banking Trojan appeared first on Zimperium.
Analysis Summary
# Tool/Technique: Fake SBI Reward Banking Trojan
## Overview
A banking trojan campaign that masquerades as a legitimate State Bank of India (SBI) rewards application. The primary purpose of this malware is to trick users into downloading a malicious APK, which then steals sensitive banking credentials and other personal information.
## Technical Details
- Type: Malware Family (Banking Trojan)
- Platform: Android (Implied by APK delivery via WhatsApp)
- Capabilities: Stealing banking credentials, exfiltrating personal information.
- First Seen: January 26, 2025 (Based on the article date reporting on the campaign)
## MITRE ATT&CK Mapping
*Note: Specific TTPs for this recently identified trojan are not detailed in the provided text, but general mappings for banking trojans targeting mobile devices are applicable.*
- TA0001 - Initial Access
  - T1417 - Drive-by Compromise (if links/downloads are involved)
- TA0003 - Persistence
  - T1417 - Data from Local System (if credentials are stored)
- TA0011 - Command and Control
  - T1428 - Application Layer Protocol (C2 communication, often HTTP/S)
- TA0010 - Exfiltration
  - T1418 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Impersonation: Disguises itself as a trusted State Bank of India (SBI) rewards app.
- Distribution: Delivered to victims via the social engineering vector of WhatsApp messages.
- Credential Theft: Designed specifically to steal sensitive banking credentials.
### Advanced Features
- Social Engineering: Leverages brand trust (SBI) and pervasive communication channels (WhatsApp) to induce users to download and install the APK directly.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: APK file associated with the fake SBI rewards app.
- Registry Keys: [Not applicable to Android APK malware; Android has no registry]
- Network Indicators: [Not provided in the context]
- Behavioral Indicators: Attempting to access or steal banking application data; requesting excessive permissions upon installation.
## Associated Threat Actors
- [Reported on by Malwr Analysis; specific threat actor attribution not provided in the context.]
## Detection Methods
- Signature-based detection: Specific APK hashes and package names.
- Behavioral detection: Detection of behavior typical of banking trojans, such as overlay attacks, attempts to intercept SMS messages or notifications, or interaction with installed financial apps.
- YARA rules if available: [Not provided in the context]
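The two detection methods above (a signature check on the APK hash or package name, and a behavioral check for the SMS-interception, overlay and accessibility capabilities typical of banking trojans) can be combined in a small triage script. The following is an added example written for this summary, not code from Zimperium or from the report; it assumes the analyst has already decoded the APK's AndroidManifest.xml (for instance with apktool), and the package name, blocklist entries, indicator weights and alert threshold are all constructed placeholders, not indicators from the campaign.

```python
"""Triage a decoded AndroidManifest.xml for banking-trojan indicators.

Added example; all sample data below is constructed, not from the report.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Weighted indicators mirroring the report's behavioral categories: SMS/OTP
# interception, overlays on top of banking apps, accessibility-service abuse,
# notification listening. Weights and threshold are this example's own choice.
USES_PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": ("sms_intercept", 3),
    "android.permission.READ_SMS": ("sms_intercept", 2),
    "android.permission.SEND_SMS": ("sms_intercept", 1),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay", 3),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("sideload", 1),
    "android.permission.READ_CONTACTS": ("contact_harvest", 1),
}
# These are declared on <service android:permission=...>, not <uses-permission>.
SERVICE_PERMISSION_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility", 3),
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": ("notification", 2),
}
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
ALERT_THRESHOLD = 6


def parse_manifest(xml_text):
    """Extract package name, requested permissions, service permissions and
    whether a broadcast receiver listens for incoming SMS."""
    root = ET.fromstring(xml_text)
    uses = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    services = set()
    sms_receiver = False
    app = root.find("application")
    if app is not None:
        for svc in app.iter("service"):
            perm = svc.get(ANDROID_NS + "permission")
            if perm:
                services.add(perm)
        for rcv in app.iter("receiver"):
            for action in rcv.iter("action"):
                if action.get(ANDROID_NS + "name") == SMS_RECEIVED_ACTION:
                    sms_receiver = True
    return {"package": root.get("package"), "uses_permissions": uses,
            "service_permissions": services, "sms_receiver": sms_receiver}


def score_manifest(info):
    """Return (score, findings) where findings is a list of (category, evidence)."""
    score, findings = 0, []
    for perm in sorted(info["uses_permissions"]):
        if perm in USES_PERMISSION_WEIGHTS:
            cat, weight = USES_PERMISSION_WEIGHTS[perm]
            findings.append((cat, perm))
            score += weight
    for perm in sorted(info["service_permissions"]):
        if perm in SERVICE_PERMISSION_WEIGHTS:
            cat, weight = SERVICE_PERMISSION_WEIGHTS[perm]
            findings.append((cat, perm))
            score += weight
    if info["sms_receiver"]:  # a receiver for SMS_RECEIVED is the OTP-theft hook
        findings.append(("sms_intercept", "receiver for " + SMS_RECEIVED_ACTION))
        score += 2
    return score, findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage(xml_text, apk_bytes, bad_hashes, bad_packages):
    """Signature check first (hash or package name on a blocklist), then the
    behavioral score; returns a verdict of 'block', 'suspicious' or 'low_risk'."""
    info = parse_manifest(xml_text)
    digest = sha256_hex(apk_bytes)
    score, findings = score_manifest(info)
    signature_hit = digest in bad_hashes or info["package"] in bad_packages
    if signature_hit:
        verdict = "block"
    elif score >= ALERT_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "low_risk"
    return {"package": info["package"], "sha256": digest, "score": score,
            "findings": findings, "signature_hit": signature_hit, "verdict": verdict}


# Constructed sample manifests (package names are placeholders, not real IoCs).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rewards.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Rewards">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.benign.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest, b"constructed-apk-bytes", set(), set())
        print(name, result["verdict"], result["score"], result["findings"])
```

The behavioral score is deliberately additive: a single permission such as SYSTEM_ALERT_WINDOW is common in legitimate apps, but the combination of overlay capability, an SMS_RECEIVED receiver and an accessibility service in a sideloaded "rewards" app is what an MTD product would flag. The blocklist sets are empty here because the report supplies no hashes or package names; populate them from vetted threat intelligence rather than guessing.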
## Mitigation Strategies
- Prevention measures: Users should avoid downloading and installing APKs received via unsolicited messages (especially on WhatsApp).
- Hardening recommendations: Utilize Mobile Threat Defense (MTD) solutions like Zimperium to analyze apps before installation (e.g., Z3A Application Vetting) and provide runtime self-protection (zDefend). Users should only download apps from official, verified app stores.
## Related Tools/Techniques
- Mobile Banking Trojans (General category)
- Smishing/Content Delivery via WhatsApp (Distribution technique)