SikkahBot Malware Hits Bangladeshi Students

A newly identified Android malware known as SikkahBot is targeting students in Bangladesh by impersonating official apps from the Bangladesh Education Board. The campaign, uncovered by Cyble Research and Intelligence Labs (CRIL), has been active since July 2024. 

SikkahBot spreads through shortened URLs such as bit[.]ly/Sikkahbord, apped[.]short[.]gy, and downloadapp[.]website/tyup[.]apk. These links are likely distributed via smishing attacks, tricking users into downloading fake scholarship-related APK files. 

Once installed, the app prompts users to log in with Google or Facebook and requests personal details like name, department, and institution. It then asks for financial information including wallet numbers, PINs, and payment methods. After submission, users receive a fake message claiming a representative will contact them, while the malware begins operating in the background. 

Permissions Abuse and Banking Fraud 

SikkahBot aggressively seeks high-risk permissions such as Accessibility Service, SMS access, call management, and overlay capabilities. These permissions allow deep control over the device and enable the malware to manipulate user activity. 

After gaining access, the malware displays a fake homepage with altered images of students receiving scholarships to appear legitimate. It also registers a broadcast receiver to intercept incoming SMS messages, targeting keywords and service numbers linked to mobile banking platforms like bKash, Nagad, and MYGP. The stolen data is sent to a Firebase server controlled by the attackers. 
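A defender triaging a sideloaded APK can check its decoded manifest for the capability combination described above. The following is an added example, not CRIL's tooling or code from the original article; it assumes the manifest has already been decoded to plain XML (for instance with apktool). The permission grouping, the risk threshold and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Capabilities named in the article, mapped to real Android permission names.
# The grouping and the risk threshold below are this example's assumptions.
PERMISSION_GROUPS = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "calls": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def audit_manifest(manifest_xml):
    """Return capability -> evidence found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    findings = {group: sorted(requested & perms)
                for group, perms in PERMISSION_GROUPS.items() if requested & perms}
    # An accessibility service is a <service> guarded by the bind permission.
    services = [s.get(ANDROID + "name") for s in root.iter("service")
                if s.get(ANDROID + "permission") == ACCESSIBILITY_BIND]
    # A receiver filtering on SMS_RECEIVED is handed every incoming SMS.
    receivers = [r.get(ANDROID + "name") for r in root.iter("receiver")
                 if any(a.get(ANDROID + "name") == SMS_RECEIVED for a in r.iter("action"))]
    if services:
        findings["accessibility"] = services
    if receivers:
        findings["sms_receiver"] = receivers
    return findings


def is_high_risk(findings):
    """Flag apps that combine accessibility, overlay and SMS capabilities."""
    return {"accessibility", "overlay", "sms"}.issubset(findings)


# Constructed sample manifest, not taken from any real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.scholarship">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".HelperService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".SmsListener"><intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE), is_high_risk(audit_manifest(SAMPLE)))
```

Legitimate accessibility tools and SMS apps also request some of these permissions, so a hit is a reason to inspect the app, not a verdict.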

Accessibility Exploits and Offline Transactions 

The malware uses Accessibility Service to detect when users interact with banking apps. It retrieves credentials from its command server and attempts to autofill login forms. If the apps are not in use, SikkahBot initiates USSD transactions using codes and SIM slot data from the server. It interacts with prompts by clicking buttons labeled “SEND” or “OK,” allowing it to operate without internet access. 

Evasion and Ongoing Development 

Despite its dangerous capabilities, SikkahBot maintains low detection rates on VirusTotal. CRIL has found over 10 variants, with newer samples showing more automation and refined command execution. 

CRIL describes SikkahBot as a powerful tool for financial fraud, combining phishing, automated banking activity, and offline exploitation. 

Security Recommendations 

To guard against threats like SikkahBot, CRIL advises: 

  • Download apps only from trusted sources like the Google Play Store 
  • Avoid clicking on suspicious or shortened links 
  • Restrict permissions, especially Accessibility and overlay access 
  • Enable multi-factor authentication for financial apps 
  • Use mobile security tools with real-time protection 
  • Keep Android systems and apps updated 
  • Report suspicious activity to your bank and consider a factory reset if compromised 

Cyble continues to monitor threats like SikkahBot, offering early detection and threat tracking. As digital fraud evolves, maintaining strong cybersecurity habits is essential. 
