KYCShadow

Distributed via WhatsApp, it tricks victims into installing what appears to be an official banking compliance application.

The application presents itself as a trusted banking KYC service, exploiting a routine process that millions of Indian bank users are already familiar with.

Once both approvals are given, the dropper begins decrypting an embedded payload using an XOR-based algorithm tied specifically to its own package name.

The payload also hides itself from the device app launcher, leaving no visible trace on the infected phone.

Once installed, it guides users through convincing verification screens that collect mobile numbers, ATM PINs, Aadhaar numbers, and card details one step at a time.

These allow the malware to intercept OTPs in real time, send and forward SMS messages remotely...

Once installed, it guides users through convincing verification screens that collect mobile numbers, ATM PINs, Aadhaar numbers, and card details one step at a time.

It registers with Firebase Cloud Messaging, establishing a persistent push-based remote command channel for the attacker.

Adding to the risk, the malware activates a full-tunnel VPN service that routes all device traffic through an attacker-controlled layer.

The first application victims install acts as a loader that silently decrypts and deploys a secondary malicious payload in the background.

After users complete the flow, a fake confirmation message claims that “verification is in progress,” while all submitted data is already being transmitted to a remote attacker-controlled server at jsonapi[.]biz.