
1,000 Apps Exploit Android Users in Massive India Cyber Campaign

Mobile security firm Zimperium has identified a widespread malware campaign targeting Android users in India

Mobile security firm Zimperium has identified a widespread malware campaign targeting Android users in India, aiming to steal personal and banking information. The campaign, named FatBoyPanel, is unlike traditional Android malware operations. Instead of relying on command-and-control (C&C) servers to intercept one-time passwords (OTPs), the attackers use live phone numbers to redirect SMS messages in real time.

According to Zimperium’s research, this large-scale cybercriminal operation appears to be orchestrated by a single threat actor who has leveraged 1,000 phone numbers to steal user data. The firm has identified approximately 900 malware samples associated with these attacks, primarily targeting customers of Indian banks. The researchers noted that all the identified malware samples share common code structures, user interface elements, and app logos, suggesting that they were developed as part of a coordinated effort rather than isolated incidents. 

The FatBoyPanel malware is spread through WhatsApp messages, where attackers distribute fake APK files disguised as government or banking applications. Once installed, these fraudulent apps trick users into revealing sensitive information. The malware exploits SMS permissions to intercept and exfiltrate messages, including OTPs, facilitating unauthorized transactions. Additionally, it employs stealth techniques to hide its icon and resist uninstallation, ensuring that it remains on the infected device for an extended period. 
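The behaviour described above (SMS permissions requested to intercept OTPs, plus persistence that resists uninstallation) is visible in an app's manifest before it is ever run. The following triage script is an added example, not Zimperium's tooling or code from the original article: it assumes the APK's AndroidManifest.xml has already been decoded to plain XML (for instance with apktool), and the sample manifest embedded in it is constructed for illustration rather than taken from a real FatBoyPanel sample. The indicators it checks (SMS permissions, a high-priority SMS_RECEIVED receiver, and a device-admin receiver) are heuristics for analyst triage, not proof of malice on their own.

```python
"""Triage heuristics for a decoded AndroidManifest.xml.

Added example; it assumes the manifest has already been decoded to plain XML
(e.g. by apktool). SAMPLE_MANIFEST below is constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read or intercept SMS traffic, including OTPs.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
}

# Constructed manifest in the shape of a banking-themed dropper; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Bank Rewards">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return SMS-interception and persistence indicators found in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = ANDROID_NS + "name"

    # Which SMS-related permissions does the app request?
    requested = {el.get(name_attr) for el in root.iter("uses-permission")}
    sms_perms = sorted(requested & SMS_PERMISSIONS)

    # Does it register a receiver for incoming SMS, and at what priority?
    # A very high priority lets a receiver see a message before the default SMS app.
    sms_receiver_priorities = []
    # A device-admin receiver is a common way to make uninstallation harder.
    device_admin_receiver = False
    for receiver in root.iter("receiver"):
        if receiver.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            device_admin_receiver = True
        for intent_filter in receiver.iter("intent-filter"):
            actions = {a.get(name_attr) for a in intent_filter.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                prio = intent_filter.get(ANDROID_NS + "priority")
                sms_receiver_priorities.append(int(prio) if prio else 0)

    findings = {
        "package": root.get("package"),
        "sms_permissions": sms_perms,
        "sms_receiver_priorities": sms_receiver_priorities,
        "device_admin_receiver": device_admin_receiver,
    }
    # One point per indicator class; 3 means all three are present.
    findings["score"] = (
        int(bool(sms_perms)) + int(bool(sms_receiver_priorities)) + int(device_admin_receiver)
    )
    return findings


if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A legitimate SMS client will also request these permissions, so the score is a prioritisation aid for a reviewer, not a verdict; the point is that an app posing as a bank or government service has no reason to request any of them.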

Zimperium’s investigation also revealed that the attackers stored stolen information in unsecured Firebase databases. The firm found 220 publicly accessible Firebase storage buckets, containing 2.5GB of stolen data, including banking SMS messages, card details, and government-issued ID information. The total number of affected users is estimated to be at least 50,000. Shockingly, the Firebase databases used in this campaign lacked any authentication mechanisms, meaning that anyone who discovered them could access the stolen data, including administrator details and exfiltrated phone numbers. 
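The exposure described above comes from Firebase resources whose security rules grant access to anyone, with no authentication. The script below is an added example, not code from the original article or from Zimperium; both rule sets in it are constructed. It audits a Firebase Realtime Database rules document (the JSON "rules" object with ".read" and ".write" expressions per path) and reports every path whose rule grants access without reference to an authenticated user, showing the wide-open form beside a minimal hardened one. Cloud Storage for Firebase uses a different rules language and is not covered by this check.

```python
"""Audit Firebase Realtime Database security rules for unauthenticated access.

Added example. OPEN_RULES and HARDENED_RULES are constructed: the first is the
kind of rule set that leaves a database readable and writable by anyone who
learns its URL, the second restricts each user to their own subtree.
"""
import json

# Constructed: reads and writes allowed for everyone, no auth required.
OPEN_RULES = """
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
"""

# Constructed: only authenticated users, and only their own subtree under /users.
HARDENED_RULES = """
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
"""


def _unauthenticated(expr) -> bool:
    """Heuristic: a .read/.write expression grants access without any auth if it
    is the literal true, the string "true", or never references `auth` at all."""
    if expr is True:
        return True
    if isinstance(expr, str):
        normalized = expr.replace(" ", "")
        return normalized == "true" or "auth" not in normalized
    return False


def audit_rules(rules_json: str) -> list:
    """Return (path, rule_key) pairs whose rule grants unauthenticated access."""
    doc = json.loads(rules_json)
    findings = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in (".read", ".write"):
                if _unauthenticated(value):
                    findings.append((path or "/", key))
            elif isinstance(value, dict):
                # Child paths, including $variable wildcards, are nested objects.
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    print("open rules:", audit_rules(OPEN_RULES))
    print("hardened rules:", audit_rules(HARDENED_RULES))
```

Rules at the root apply to the entire database, so a single `".read": true` at the top level is enough to expose everything stored beneath it; the hardened form grants nothing at the root and only opens the per-user subtree to its owner.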

By analyzing the threat actor’s administrative dashboard, Zimperium was able to track some of the hardcoded phone numbers used in the attack to specific regions in India, including West Bengal, Bihar, and Jharkhand. This indicates that the attackers may be operating within these locations or using compromised individuals from these regions to facilitate their campaign. 

In response to the growing threat, Google has taken action to protect Android users. The company confirmed that no known versions of this malware are available on the Google Play Store. Furthermore, Google Play Protect, which is enabled by default on Android devices, has been automatically detecting and blocking known versions of the malware since 2024. A Google spokesperson emphasized that Google Play Protect can warn users or block apps exhibiting malicious behavior, even if they are installed from sources outside the Play Store. 

To protect against such malware campaigns, Android users should avoid downloading APK files from unknown sources, especially those sent via WhatsApp or SMS. They should always verify banking and government apps by downloading them directly from the Google Play Store. Regularly updating devices, monitoring bank transactions, and enabling Google Play Protect can further enhance security. 

The FatBoyPanel malware campaign highlights the growing cybersecurity threat to Android users in India. By leveraging real phone numbers instead of traditional C&C servers, attackers have found a way to bypass traditional detection methods. With over 50,000 users already compromised, it is crucial for Indian authorities and security firms to take immediate action to dismantle this cybercrime network. Meanwhile, Android users must remain vigilant and adopt strict cyber hygiene practices to avoid falling victim to such scams. 

Cybersecurity Insights captures current news and event trends in cybersecurity, recent system and cyber-attacks, artificial intelligence (AI), and technology innovation around the world, keeping our viewers abreast of current developments in technology and system security and how they affect our lives and ecosystem.