{
	"id": "32867aca-eb8a-4d58-8c94-e314216ae6e7",
	"created_at": "2026-04-06T02:12:10.911505Z",
	"updated_at": "2026-04-10T03:21:40.755939Z",
	"deleted_at": null,
	"sha1_hash": "007a6cc7d503ee5f8b6dff13e4b41970b463bd84",
	"title": "Phishing and Android Malware Campaign Targets Indian Banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2365633,
	"plain_text": "Phishing and Android Malware Campaign Targets Indian Banks\r\nBy PolySwarm Tech Team\r\nArchived: 2026-04-06 01:33:58 UTC\r\nNov 21, 2022 1:12:25 PM / by PolySwarm Tech Team\r\nRelated Families: Elibomi, FakeReward, AxBanker, IcRAT, IcSpy\r\nVerticals Targeted: Financial\r\nExecutive Summary\r\nTrend Micro recently reported on a phishing and Android malware campaign targeting\r\nclients of multiple banks in India. The campaign leverages multiple malware families, including Elibomi,\r\nFakeReward, AxBanker, IcRAT, and IcSpy.\r\nKey Takeaway\r\nA large-scale phishing campaign targeted customers of multiple Indian banks.\r\nThe malware used in the campaign included Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy.\r\nWhile the other malware families have been in the wild for some time, FakeReward and AxBanker are\r\nnovel malware families.\r\nThe Campaign\r\nA large-scale phishing and Android malware campaign was recently observed targeting customers\r\nof seven financial institutions in India. One of the known attack vectors was an SMS message containing either a\r\nphishing link or a link to a malicious app download. Threat actors abused the logos, names, and affiliated brands\r\nand services of legitimate banks to create an elaborate phishing scheme.\r\nThe Malware\r\nThe campaign leveraged at\r\nleast five banking trojan malware families, including Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy. While\r\nIcRAT, IcSpy, and Elibomi were previously active in the wild, FakeReward and AxBanker are newly discovered\r\nmalware families.\r\nElibomi\r\nElibomi is an Android malware that has been active in the wild since at least 2020. It is used to steal PII and credit\r\ncard information. In early 2022, Trend Micro researchers observed it being used in a phishing campaign targeting\r\nIndian banks. The new variant used in this campaign had a package name ending in iApp. 
Threat actors added\r\nfunctionality, including automated clicking, permission granting, and screenshot captures. Another Elibomi variant\r\nhad a package name ending in iAssist. This variant used Firebase for C2 and used RDVerify to evade detection. It\r\naffects Android 12 and lower.\r\nIcRAT\r\nIcRAT is an Android banking malware. It was used to target customers of a particular bank at nearly the same time\r\nFakeReward was used to target the same bank. Trend Micro researchers also noticed an overlap of the phishing\r\nwebsites used by both malware families.\r\nIcSpy\r\nIcSpy requests SMS permissions and enables a debug option to allow the threat actors to access application data\r\nand run arbitrary code on affected Android versions. IcSpy uploads SMS messages to the C2.\r\nFakeReward\r\nFakeReward is an Android banking Trojan that requests SMS permissions upon launch. FakeReward collects all\r\ntext messages sent to the device and sends them to the C2. It also sets up monitoring to listen to incoming SMS\r\nmessages. Updated versions of FakeReward request notification permission to extract text messages. Multiple\r\nFakeReward variants were used in this campaign.\r\nAxBanker\r\nAxBanker is a banking Trojan targeting Indian banking customers since at least August 2022. The phishing\r\nwebsite associated with this malware entices customers with a reward points system to convince them to\r\ndownload the app. 
AxBanker also requests SMS permissions and uses phishing pages to collect the victim’s\r\npersonal data and credit card information.\r\nIOCs\r\nPolySwarm has multiple samples associated with this\r\ncampaign.\r\nElibomi IOCs\r\n12b47e5b7f6cc7371c7a243ae0d58cf7b7391e0a471a4365d03b7db9e45a5dd8\r\n40b469c6e7176101abb3d114c689fe0b3cc244292bcbc0658174337596caf1a9\r\na389911dcba6afa54a1977657a17292ec1a8e3f49ee3726600725f4200ca7960\r\nYou can use the following CLI command to search for all Elibomi samples in our portal:\r\n$ polyswarm link list -f Elibomi\r\nIcRAT IOCs\r\n8325398d82c110e9219cfbd963c915b7753f108ddd109ceefc47e8c7ef978fe9\r\nYou can use the\r\nfollowing CLI command to search for all IcRAT samples in our portal:\r\n$ polyswarm link list -f IcRAT\r\nIcSpy IOCs\r\nF050abd03d3a58bb4f5b85cd831ccd176f3fa46d12deee35c541f6af3e491a34\r\nYou can use the following CLI\r\ncommand to search for all IcSpy samples in our portal:\r\n$ polyswarm link list -f IcSpy\r\nFakeReward IOCs\r\n2da210623178f90801e53394db43809bd23674063c53bf341ef5d94ebde61131\r\nb28b792b6a093481722dde813de98d163de325bbcc84c70a568499367d9a9418\r\n237f30949ebf7c67a58a7a38c2464db28b722cd1f0f7aae45c469bd9db8b22c8\r\nYou can use the following CLI command to search for all FakeReward samples in our portal:\r\n$ polyswarm link list -f FakeReward\r\nAxBanker IOCs\r\n34cdc6ef199b4c50ee80eb0efce13a63a9a0e6bee9c23610456e913bf78272a8\r\n66c572dd6b68a1abc48241f6d7308fbc42b18470e1d8989190f515a6f621f0a1\r\nYou can use the following CLI command to search for all AxBanker samples in our portal:\r\n$ polyswarm link list -f AxBanker\r\nSource: https://blog.polyswarm.io/phishing-and-android-malware-campaign-targets-indian-banks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.polyswarm.io/phishing-and-android-malware-campaign-targets-indian-banks"
	],
	"report_names": [
		"phishing-and-android-malware-campaign-targets-indian-banks"
	],
	"threat_actors": [],
	"ts_created_at": 1775441530,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/007a6cc7d503ee5f8b6dff13e4b41970b463bd84.pdf",
		"text": "https://archive.orkl.eu/007a6cc7d503ee5f8b6dff13e4b41970b463bd84.txt",
		"img": "https://archive.orkl.eu/007a6cc7d503ee5f8b6dff13e4b41970b463bd84.jpg"
	}
}