A sophisticated malware campaign, “FatBoyPanel,” has been uncovered by cybersecurity researchers, targeting users of Indian banks. The malware, which consists of nearly 900 samples, is designed to steal sensitive financial and personal information, such as Aadhaar numbers, PAN cards, ATM PINs, and credit card details. It primarily exploits Android devices and spreads via WhatsApp, where it masquerades as legitimate banking or government apps. Once installed, the malicious apps mimic the user interfaces of real banking apps, tricking users into providing their private information.
One of the most concerning aspects of the FatBoyPanel malware is its ability to exploit SMS permissions on compromised devices. The malware intercepts and exfiltrates one-time passwords (OTPs) and other sensitive messages, allowing attackers to conduct unauthorized transactions. In addition, the malware uses advanced stealth techniques to remain hidden from the user and prevent uninstallation, ensuring that it can continue to operate on infected devices for an extended period.
This persistence makes it difficult for victims to remove the malware without professional assistance.
The malware family includes three variants: SMS Forwarding, Firebase Exfiltration, and Hybrid. The SMS Forwarding variant captures and forwards SMS messages to attacker-controlled numbers, while the Firebase Exfiltration variant sends stolen data to Firebase endpoints, which act as command-and-control servers. The Hybrid variant combines both methods for data exfiltration. Research also found that over 1,000 malicious applications linked to the FatBoyPanel campaign have been identified, many of which use code obfuscation techniques to evade detection and reverse engineering.
Furthermore, some of the stolen data was found to be publicly accessible due to a lack of authentication mechanisms in Firebase, exposing sensitive information of approximately 50,000 users, including bank account details and government-issued IDs. To mitigate the risks associated with this campaign, experts advise users to only download apps from official app stores and enable multi-factor authentication (MFA) where possible. The growing reliance on digital payments in India highlights the need for both individuals and institutions to remain vigilant against evolving malware threats like FatBoyPanel.
