Next time you receive a text message alerting you that your reward points, accumulated on your credit card transactions, are about to expire and should be immediately redeemed, don’t click the link until you are sure of the sender’s authenticity.
Microsoft’s research unit has revealed that hackers are slipping a potent malware into the cell phones of ICICI Bank customers, which can capture the incoming text messages, thus effectively rendering the multi-factor authentication useless. Ironically, this is the same malware that had targeted State Bank of India and Axis Bank customers in 2021.
“Masquerading as a banking rewards app, this new version has additional remote access trojan capabilities, is more obfuscated, and is currently being used to target customers of Indian banks. The SMS campaign sends out a message containing a link that points to the info-stealing Android malware,” a report by Microsoft 365 Defender Research Team said.
The message sent by the malware designers contains a link, and on opening it, a fake app in the name of the bank is installed on the user’s phone. Then it asks for a variety of access permissions and in the next stage, a “log in” page opens, requiring the net banking credentials and the CVV numbers of credit card. When the bank sends a one time password to the victim’s phone to enable a transaction, it is captured by the malware and relayed to the hackers.
“Collecting all text messages might allow the attackers to use the data to expand their stealing range, especially if any of them contain other sensitive information such as SMS-based 2FA for email accounts, personal identification like Aadhaar, or other finance-related information,” the report said.
Despite several attempts, ICICI Bank could not be reached for comments.
Worryingly, Microsoft’s analysis has found that the malware is also capable of accessing the phone’s call logs and contacts list as well as modifying its audio settings.
Additional director general Madhukar Pandey, Maharashtra Cyber, said, “Cyber criminals are luring the people into clicking the link that installs a dangerous malware which can lead to financial loss, data theft, and identity theft. The simple trick to prevent this is to never click any SMS or WhatsApp link from an unknown source.”
The research findings, compiled by Shivang Desai, Abhishek Pustakala and Harshita Tripathi, were made public earlier this week.