{
	"id": "5d4e2f10-cf10-4c18-b3b4-2a27699ee2be",
	"created_at": "2026-04-06T01:31:16.230221Z",
	"updated_at": "2026-04-10T03:21:58.153872Z",
	"deleted_at": null,
	"sha1_hash": "e6abdc50536c97fe8e4ec166f37fbf2c31e1f12e",
	"title": "Massive Phishing Campaigns Target India Banks’ Clients",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2805051,
	"plain_text": "Massive Phishing Campaigns Target India Banks’ Clients\r\nBy Trend Micro\r\nPublished: 2022-11-07 · Archived: 2026-04-06 01:01:52 UTC\r\nPhishing\r\nWe found five banking malware families targeting customers of seven banks in India to steal personal and credit card information via phishing campaigns.\r\nBy: Trend Micro Nov 07, 2022 Read time: 9 min (2342 words)\r\nBy Trend Micro Mobile Team\r\nWe observed an uptick in attacks targeting bank customers in India, the common entry point being a text message with a phishing link. The SMS content urges the victims to open the embedded phishing link or malicious app download page and follow the instructions to fill in their personally identifiable information (PII) and credit card details, allegedly to receive a tax refund or credit card reward points. As of this writing, we have observed five banking malware families involved in these attacks, namely Elibomi, FakeReward, AxBanker, IcRAT, and IcSpy.\r\nOur analysis shows that the targeted bank customers include account holders of seven banks, among them some of the most well-known banks in the country, potentially affecting millions of customers. Common among these routines is the abuse of the legitimate banks’ logos, names, and affiliated brands and services to convince victims that the phishing sites are affiliated with the banks. This blog entry discusses three of the identified banking malware families and their latest changes (IcRAT and IcSpy have already been documented): Elibomi is an old malware that has evolved into a fully equipped banking trojan, while FakeReward and AxBanker are newly discovered banking trojans. Bank clients are advised to remain vigilant against these kinds of threats, and to protect their information and devices from malware infections.\r\nElibomi returns with more functions\r\nFigure 1. Timeline of Elibomi variants deployed\r\nElibomi’s first and second variants, the “fake certificates” and “iMobile” campaigns, appeared towards the end of 2020 and remained active in 2021, designed to steal victims’ PII and credit card information. During the early months of 2022, we observed a phishing campaign dropping a new variant of Elibomi with a package name that ended with “iApp.” From this variant on, the routine changed drastically: the threat actors added automation of workflow tasks via Accessibility permissions, such as automated clicking, granting of permissions, and capturing screenshots.\r\nhttps://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.\u0026text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20\r\nPage 1 of 14\r\nFigure 2. Elibomi’s latest variants’ functions\r\nFigure 3. Elibomi’s phishing page harvests the victim’s PII and credit card information\r\nMore recently, we found a fourth variant of Elibomi delivered from the same phishing site with a package name ending with “iAssist.” This variant added the cloud-hosted real-time database Firebase as an alternative command and control (C\u0026C) server and an environment check tool called RDVerify for detection evasion. In the next sections, we detail the different commands and functions that the third and fourth variants of Elibomi are capable of, as well as the implications of these updates. It is also worth noting that a further update was observed in October on the latest iterations, as documented by security researchers from Cyble.\r\nOverview: Elibomi’s automated variants\r\nDue to the automated workflow framework of the latest variants, we call the third (“iApp” campaign) and fourth (“iAssist” campaign) the automated variants, and below we break down the commands and functions we found in their respective routines.\r\nFigure 4. RDVerify workflow\r\nSophisticated command format\r\nLooking into the routines of the third and fourth variants, Elibomi implements a sophisticated and lengthy command list and has three types of commands to conduct malicious activities: task commands, server commands, and auto commands. The succeeding sections break down the three command types.\r\nTask command\r\nWe found that the task command is the main command among the three, enumerating the specific malicious activities needed in the routine. It can be either a recursive command for complex tasks or a non-recursive command:\r\n1. As a non-recursive command: a single command that contains the command name and corresponding operands. It can be split by “:::” to get the sub-terms.\r\n2. As a recursive command: a combination of non-recursive commands that can be split by “,” or “-” to get the non-recursive commands.\r\nAs an example, should a specific aspect of Elibomi’s routine require unlocking the device without the user becoming aware of it, the malware can use a recursive command to accomplish three tasks: wake up the device, remove the screen overlay, and perform the gesture combination for the lock screen PIN or pattern.\r\nFigure 5. Elibomi task command\r\nServer command\r\nThis command returns the execution result to the backend server. For example, “D:::Unlock has been executed - ##-##” reports to the server that the task command was able to unlock the device successfully.\r\nAuto command\r\nThe auto command plays a vital role in Elibomi’s automated workflow, describing how Elibomi uses Accessibility to carry out the malicious behaviors step by step. For example, the auto command is responsible for how Elibomi enables MediaProjection automatically. Once the Accessibility permission has been granted and the malware receives the task command MEDIAPROJECTION, Elibomi will generate the auto command \u003cSCREENCLICK:Button:start now|ok|accept|allow\u003e to click on “START NOW” in the MediaProjection dialog box.\r\nFigure 6. Taking screenshots of the victim’s window\r\nA fully automated malware\r\nAnalyzing the routines that the two latest variants of Elibomi are capable of, this malware can interact with the device’s user interface (UI) automatically without the user knowing. To become a “fully automated malware,” Elibomi shows a message upon launch that pushes the user to enable the Accessibility permission by disguising itself as a Google application. It then shows a dialog box as if there is an urgent need to grant the Accessibility permission, pushing the user to allow the request.\r\nFigure 7. Elibomi requests the Accessibility permission to proceed with the automated tasks\r\nThe following is the full list of malicious tasks that have been added to Elibomi’s automation workflow in the latest automated variants:\r\nTask | Related task command | Related auto command\r\nGet MediaProjection permission | EXECUTORSEQUENCE:::PERMISSIONFOLLOWUP#222#MEDIAPROJECTIONPERMISSION | CLICK:Button:start now|ok|accept|allow:-:-:\r\nAllow Write settings | EnableSettingsSequence | fullforwardswipe:Switch:-:-:-::fullforwardsw\r\nGet SMS-related permissions | EXECUTORSEQUENCE:::PERMISSIONFOLLOWUP#222#SMSPERMISSION | CLICK:Button:ok|accept|allow:-:-::CLICK:B\r\nSet itself as default SMS app | PERMISSIONS:::REVOKEDEFAULTSMS, STARTSMSSEQUENCE | CLICK:Button:yes|ok|accept|allow:-:-::SCRE\r\nAllow Install App from Unknown Source | REQUESTINSTALLPERMISSION | CLICK:Button:ok|accept|allow:-:-::CLICK:B\r\nDisable battery optimization | IGNORE_BATTERY_OPTIMIZATIONS | CLICK:Button:ok|accept|allow:-:-::SCREEN\r\nInstall additional APK and grant permission for the payload | DOWNLOADAPK, EXECUTORSEQUENCE:::INSTALLAPK, EXECUTORSEQUENCE:::OPENAPPCOMPONENTandGRANTPERMISSIONS | CLICK:Button:ok|accept|allow:-:-::CLICK:B\r\nGet all accounts | SCREENSHOT, GLOBAL_ACTION_BACK | N/A\r\nDisable Google Play Protect | DISABLEPLAYPROTECT | N/A\r\nRead or delete emails from Gmail | GMAILSEQUENCE | click:android.widget.Button:Empty:-:-\r\nPrevent disabling of Accessibility | GLOBAL_ACTION_BACK | N/A\r\nPrevent uninstall | GLOBAL_ACTION_BACK | N/A\r\nPrevent enabling of Google Play Protect | GLOBAL_ACTION_BACK | N/A\r\nUnlock device | WAKEUP | N/A\r\nTable 1. List of malicious tasks added to the two latest variants of Elibomi\r\nElibomi affects Android 12 and lower, and can automatically grant the attackers sensitive permissions, enable or disable sensitive settings such as the installation of apps from unknown sources, and disable Google Play Protect. Android 13 is not affected, as Google restricts the Accessibility permission in the latest version.\r\nVideo 1. How Elibomi’s latest campaign operates on the user’s mobile device\r\nOverlay mechanisms\r\nFor both the iApp and iAssist campaigns, Elibomi implements an overlay by adding a view to the current window as a technique to evade the user’s notice, instead of overlaying other apps such as banking applications to steal users’ credentials.\r\nWait screen overlay\r\nTo evade visual detection by the user, Elibomi shows a waiting screen after gaining the Accessibility permission for its service. Meanwhile, it is already executing an automated workflow in the background to grant sensitive permissions to the attacker.\r\nFigure 8. Wait screen overlay to hide malicious activities in the background\r\nElibomi uses another window type called “TYPE_ACCESSIBILITY_OVERLAY” instead of requesting the “SYSTEM_ALERT_WINDOW” permission to add an additional view to the current window.\r\nFigure 9. Create layout with type “TYPE_ACCESSIBILITY_OVERLAY”\r\nFake pin overlay\r\nTo unlock the device automatically, Elibomi is capable of stealing the PIN code or pattern saved by the user by showing an overlay screen to the victim and “listening” for the user’s actions to record their gestures and clicks.\r\nFigure 10. Touch Listener code to record the victim’s actions observed from Elibomi’s third variant\r\nNot just Android\r\nFrom our online scanning, we found the cybercriminals extending their phishing campaign beyond Android to other platforms such as email. Compared with the previous phishing sites, it appears that they have created different themes to induce victims to fill in their sensitive information. The type of stolen data is nearly the same as what they require users to enter on the Android platform.\r\nFigure 11. More recent phishing websites urging victims to download the iAssist app\r\n“iAssist” campaign as a fast-evolving Elibomi variant for more profit\r\nIn the fourth variant, we noted one interesting task added to the automated workflow. When the Accessibility service detects the payment risk notification string “continuing to pay may cause loss of money” appearing on the UI, it clicks on “Ignore risk” to dismiss the alert dialog. This warning usually appears if there is a risk of payments or transfers occurring while using a bank app, and this indicates that the cybercriminals behind this malware can continue to update or enhance Elibomi to automatically conduct money transfers from the victim’s device without them noticing.\r\nFigure 12. Elibomi capable of clicking “Ignore risks” button automatically\r\nFakeReward: Targeting three banks’ customers in India\r\nIn August, we found a campaign we named FakeReward targeting customers of three of the largest banks in India, wherein the threat actors registered several domains similar to the legitimate domains to confuse victims. These phishing websites pretended to be the official websites of these three banks, even abusing the companies’ names and logos to complete their look.\r\nFigure 13. FakeReward’s phishing websites target customers of three specific banks in India\r\nThe FakeReward banking trojan shows a page requesting SMS permissions upon launch. Once granted, the malware collects all text messages on the device and uploads them to a remote server, then sets up a monitor to listen for incoming SMS messages and sync them to the remote server. We released an initial social media thread on the campaign to warn security teams and their respective bank customers to be vigilant against this malware.\r\nFigure 14. Requests SMS permissions and collects PII and credit card information\r\nLatest changes\r\nIn its recent update, the FakeReward malware requests the notification permission to extract text messages from notifications instead of directly requesting SMS permissions.\r\nFigure 15. Request notification permission as seen by the user (left), and the code to parse the notification (right)\r\nSecurity researchers from K7 Security Labs and MalwareHunterTeam have also found samples of at least five other FakeReward variants. We noted an increase in the number of families and variants of FakeReward malware targeting users in India that appear the same when examined by tactics, techniques, and procedures (TTPs) but differ in code. Trend Micro customers are protected from all these emerging phishing families and variants.\r\nPotential connection between FakeReward and IcRAT\r\nDuring our investigation, we found an interesting coincidence: FakeReward and IcRAT started targeting the customers of one bank at nearly the same time. Moreover, we also found the phishing websites of these two malware families to be nearly identical, leading us to believe that the cybercriminals behind these two malware families are connected.\r\nFigure 16. Tracking FakeReward and IcRAT (Screenshot taken from VirusTotal)\r\nFigure 17. Phishing site of IcRAT\r\nAxBanker: Fake app targeting bank’s customers\r\nIn addition to the FakeReward banking malware targeting the customers of two banks, we also found another banking trojan targeting the customers of another major Indian bank that has been active since late August. The website has a similar phishing theme, wherein customers can “Get Reward Points,” to attract victims into downloading and installing the app.\r\nFigure 18. AxBanker phishing website pretending to be an offer from a major bank\r\nOnce the malware is installed and launched, it requests SMS permissions in order to capture and upload incoming SMS to a remote server. The malware then shows several fake pages to collect the victim’s personal data and credit card information.\r\nFigure 19. AxBanker malware harvests the victim’s personal data and credit card information\r\nConclusion\r\nWhile the types of stolen data and phishing themes are similar, we do not have enough evidence to conclude that the cybercriminals behind all of these banking malware families are connected, but they are aggressive in developing further. In the case of the threat actors behind Elibomi, these cybercriminals are likely knowledgeable and adept in Android development, based on the automation of tasks through Accessibility permissions. Meanwhile, the threat actors behind FakeReward appear to have deployed phishing malware prior to this campaign, based on their capability of hiding their tracks: the phishing domains used operate for only three to four days at a time before becoming inaccessible. In addition, a quick scan shows that only a few security engines have been able to pick up on its new variant.\r\nOur monitoring also shows that while no customers outside India have been targeted by these malware families, phishing campaigns in the country have significantly increased and are becoming increasingly adept at detection evasion. One possible reason for this uptick is the growing number of new threat actors entering the India underground market, bringing with them profitable business models and interacting with other malicious players to learn, exchange ideas, and establish connections. Users and bank customers are advised to remain vigilant and follow these best practices:\r\nCheck the text message’s sender. Legitimate companies and organizations have official contact channels from which they send notifications and promotions.\r\nDo not download and install applications from unknown sources. Download official bank apps from official platforms.\r\nDo not enter sensitive personal information in untrusted apps or websites. Contact banks and organizations through their known channels to ask whether they have ongoing promotions or announcements like the message received.\r\nDouble-check the dialog boxes’ requests and messages before granting sensitive permissions such as Accessibility to untrusted apps.\r\nTrend Micro solutions\r\nTrend Micro Mobile Security Solutions can scan mobile devices in real time and on demand to detect malicious apps, sites, or malware and block or delete them. These solutions are available on Android and iOS, and can protect users’ devices and help them minimize the threats brought by these fraudulent applications and websites.\r\nIndicators of Compromise (IOCs)\r\nFor a full list of the IOCs, find it here.\r\nSource: https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.\u0026text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20link.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_vn/research/22/k/massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.\u0026text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20link."
	],
	"report_names": [
		"massive-phishing-campaigns-target-india-banks-clients.html#:~:text=We%20found%20five%20banking%20malware,card%20information%20via%20phishing%20campaigns.\u0026text=We%20observed%20an%20uptick%20in,message%20with%20a%20phishing%20link."
	],
	"threat_actors": [],
	"ts_created_at": 1775439076,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6abdc50536c97fe8e4ec166f37fbf2c31e1f12e.pdf",
		"text": "https://archive.orkl.eu/e6abdc50536c97fe8e4ec166f37fbf2c31e1f12e.txt",
		"img": "https://archive.orkl.eu/e6abdc50536c97fe8e4ec166f37fbf2c31e1f12e.jpg"
	}
}