There has been a significant increase in SMS-stealer malware samples detected in India. Threat actors abuse top banking brands in the country to lure bank users into installing malware.
An active scam campaign discovered by VMX Labs is built merely on credit card themes: new credit card applications, limit increases, and services like rewards point redemption, card block application, card protection cancellation, and separation of merged cards. It distributes specifically crafted malicious apps. These apps steal the one-time passwords (OTP) sent to the victim’s phone via SMS.
Either the app or phishing website aims to deceive victims into typing their personal information and credit card details in fake forms disguised as legitimate. Most likely, these forms are built into the app in case the phishing website is cloned from the original bank website’s resources. Otherwise, they are implemented on the phishing website.
To evade detection, phishing sites used in this campaign are redirected to legitimate bank websites unless accessed from a mobile phone.
IOC List
| Indicator | Type |
|---|---|
| axisapply.creditcard-app.com | Dropper and C2 domain |
| axisapply.cards-application.com | Dropper and C2 domain |
| axis-apply-now.creditcard-app.com | Dropper and C2 domain |
| axis-apply-now.cards-application.com | Dropper and C2 domain |
| auapply.creditcard-app.com | Dropper and C2 domain |
| aunewapply.creditcard-app.com | Dropper and C2 domain |
| au.creditcard-app.com | Dropper and C2 domain |
| au-applynow-onboard.creditcard-app.com | Dropper and C2 domain |
| au-applynow-onboard.cards-application.com | Dropper and C2 domain |
| au-apply.creditcard-app.com | Dropper and C2 domain |
| au-apply-now.creditcard-app.com | Dropper and C2 domain |
| au-apply-onboard.creditcard-app.com | Dropper and C2 domain |
| au-now.creditcard-app.com | Dropper and C2 domain |
| au-now.cards-application.com | Dropper and C2 domain |
| au-now-apply.cards-application.com | Dropper and C2 domain |
| au-onboarding.creditcard-app.com | Dropper and C2 domain |
| au-onboarding.cards-application.com | Dropper and C2 domain |
| au-onboard-now.creditcard-app.com | Dropper and C2 domain |
| au-onboard-now.cards-application.com | Dropper and C2 domain |
| axisapply.creditcard-app.com | Dropper and C2 domain |
| axisapply.cards-application.com | Dropper and C2 domain |
| axis-apply-now.creditcard-app.com | Dropper and C2 domain |
| axis-apply-now.cards-application.com | Dropper and C2 domain |
| axis-services.in | Dropper and C2 domain |
| indus.creditcard-app.com | Dropper and C2 domain |
| indus-service.cards-application.com | Dropper and C2 domain |
| indus-service.creditcard-app.com | Dropper and C2 domain |
| indus-fast.cards-application.com | Dropper and C2 domain |
| indus-fast.creditcard-app.com | Dropper and C2 domain |
| indus-apply.creditcard-app.com | Dropper and C2 domain |
| indus-service.in | Dropper and C2 domain |
| rbl-limit-increase.creditcard-app.com | Dropper and C2 domain |
| rbl-limit-increase.cards-application.com | Dropper and C2 domain |
| 8640b1565f6dd0147d4b9f219765d5a814eb3fa7c470f9baf49e330da71b9d76 | SHA256 of the malicious app |
| d8b1f2c08c96935f61f3cddbfc723b982a961a38ab07e82272d375ab128f635d | SHA256 of the malicious app |
| f2160b0cc1d49f7ea0aaf346c071811c19c139d129dd1b3d3f0f586074dffe03 | SHA256 of the malicious app |
| 7e26eddb09fd8975283140b9edf6aabc5590db5274ff2f1e4af366f3a9b97273 | SHA256 of the malicious app |
| e154b0a0369355cc8b95ae1e8d8e7b20a6207b07ca12e6ae7c22a905472e5f28 | SHA256 of the malicious app |
| d0ec8749720b38b006ab458b063ad9259f53cc8a3f65228a8a844b3a532f139d | SHA256 of the malicious app |
| 399bde41f7bbac87f4825ed211a5baf4ed6192ff18081a873b190fb0cb63b200 | SHA256 of the malicious app |
| 73e92645aaf080f568ca5de84d00ec70be888a00f5bf27492fe7ba53900e126f | SHA256 of the malicious app |
| 1c6c7b4ff88b6cf462c2a9c1bb6dc50611bccf5593b4499fdb3405677525b8e0 | SHA256 of the malicious app |
| 9f2def6b0f95f820499f9a5a43ff5a9d5522e4a6d5e7d0a719dcfb916947721a | SHA256 of the malicious app |
| cc285c24651c224700a1f00b28e6d2856e701f26f99ef5baabc1d04be2c38d95 | SHA256 of the malicious app |
| 19deabf1c52e8f907dc3eb098a3dbfa5a8db143363c1bee52b8efe5974543c36 | SHA256 of the malicious app |
| a8ae565373f63a41b3770231d4119bb697de969b4cdfab7fa1d58196066e3d36 | SHA256 of the malicious app |
| 58f0052f045ce52be336bb119fff56a5445010fb45de6ed47253c8579abe52d5 | SHA256 of the malicious app |
| 8c1c962811154cf5ae7cd7c9d763c41c036652158d87bb3992661a31d1fbb1c8 | SHA256 of the malicious app |
| 4069cc81e22576f46bcd1f8dc95b254bfd6f51d9bef67936eb44a5c8af8aa358 | SHA256 of the malicious app |
| 2bae0588f5c5e427190cab5155dd00a78d348f9e6aea7926298a48d219e20cea | SHA256 of the malicious app |
| b70b8cc26b2c04379381067d7417879f49f118a17a7448b208d5d78a7e56f7b7 | SHA256 of the malicious app |
| 32b974f52e907998d6dbfba793966b531f880d8ebc27ffc18f47a2b7a099a097 | SHA256 of the malicious app |
Salt Typhoon Exposes Critical Gaps in Mobile Security: CISA Reacts