Published on April 28, 2026
New Android Banking Malware Abuses Fake KYC Workflow and WhatsApp Delivery to Hijack Accounts
Severity
Medium
Detail
A new Android banking malware known as KYCShadow has been identified targeting bank customers in India through a deceptive Know Your Customer (KYC) verification process. Distributed via WhatsApp, the campaign abuses users’ familiarity with mandatory banking compliance procedures to trick them into installing a malicious application that silently harvests sensitive financial data.
How?
The attack begins when victims receive a message via WhatsApp prompting them to install a supposed KYC verification app. Once installed, the application presents a series of realistic verification screens, collecting information such as mobile numbers, ATM PINs, Aadhaar details, and card credentials step-by-step. After completion, users are shown a fake “verification in progress” message while their data is immediately transmitted to an attacker-controlled server.
The malware operates as a two-stage dropper. The initial app functions as a loader that decrypts and installs a hidden secondary payload, helping it evade early detection. During execution, it displays a fake “Update Required” prompt, tricking users into granting permissions such as installing apps from unknown sources and enabling a VPN connection.
Once deployed, the second-stage payload requests extensive permissions, including access to SMS, phone calls, and system resources. This allows it to intercept one-time passwords (OTPs), send and forward messages, and initiate calls without user awareness. The malware hides its icon from the launcher, making it invisible to the user.
A key capability is the activation of a full-tunnel VPN, routing all device traffic through attacker-controlled infrastructure. This lets the operators monitor and manipulate network activity while blocking the device's communication with security services. The malware also establishes persistence using Firebase Cloud Messaging, allowing attackers to issue real-time commands such as SMS interception, inbox extraction, remote call execution, and USSD-based call forwarding.
Conclusion
This campaign demonstrates how threat actors exploit trusted processes like KYC verification to carry out highly effective mobile banking attacks.
Users should avoid installing apps from messaging platforms, keep unknown app installation disabled, and only download applications from official app stores. Financial institutions should block known malicious domains and deploy mobile threat defense solutions to detect abnormal permission usage, hidden payloads, and unauthorized VPN activity.
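A manifest-level triage of the permission and component profile described above (SMS/OTP access, call control, sideloading a second stage, a VPN service, an FCM command channel), as an added defender-side example that is not part of the article or any vendor product. It assumes a decoded AndroidManifest.xml as text (for example from apktool); the sample manifest and its package name are constructed, the scoring thresholds are a suggestion, and the hidden launcher icon is not checked because that happens at runtime rather than in the manifest.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # prefix of every android:* attribute
# Indicators taken from the behaviour the advisory describes (OTP/SMS, calls, sideload, VPN, FCM).
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
CALL_PERMS = {"android.permission.CALL_PHONE", "android.permission.CALL_PRIVILEGED"}
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
VPN_BIND = "android.permission.BIND_VPN_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

def service_actions(svc):
    """All intent-filter action names declared on one <service> element."""
    return {a.get(A + "name") for f in svc.iter("intent-filter") for a in f.iter("action")}

def manifest_indicators(manifest_xml: str) -> dict:
    """Map each indicator to True/False for a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    services = list(root.iter("service"))
    return {
        "sms": bool(perms & SMS_PERMS),
        "calls": bool(perms & CALL_PERMS),
        "sideload": INSTALL_PERM in perms,
        # Android requires a VpnService to be guarded by BIND_VPN_SERVICE, so the
        # attribute marks one even when the class name gives nothing away.
        "vpn_service": any(s.get(A + "permission") == VPN_BIND for s in services),
        "fcm": any(FCM_ACTION in service_actions(s) for s in services),
    }

def triage(manifest_xml: str) -> str:
    """'suspicious' needs SMS access plus two more indicators; one alone is common in benign apps."""
    ind = manifest_indicators(manifest_xml)
    hits = sum(ind.values())
    return "suspicious" if ind["sms"] and hits >= 3 else ("review" if hits >= 2 else "benign")

# Constructed sample modelled on the advisory's description; not a real KYCShadow manifest.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.kycverify">
 <uses-permission android:name="android.permission.RECEIVE_SMS"/>
 <uses-permission android:name="android.permission.CALL_PHONE"/>
 <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
 <application>
  <service android:name=".Tunnel" android:permission="android.permission.BIND_VPN_SERVICE"/>
  <service android:name=".Push">
   <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
  </service>
 </application>
</manifest>"""
```

Run `triage(SAMPLE)` to see the constructed sample scored; a single hit such as an FCM service or a VPN client on its own stays "benign", which is the point of requiring the combination.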
Source
https://cybersecuritynews.com/new-android-banking-malware-abuses-fake-kyc/
