New Android Malware SikkahBot Targets Students in Bangladesh
Overview of SikkahBot
A newly identified Android malware family, dubbed SikkahBot, targets students in Bangladesh by posing as official applications of the Bangladesh Education Board. Cyble Research and Intelligence Labs (CRIL) has tracked the campaign since July 2024.
Distribution Techniques
SikkahBot is distributed through shortened URLs that look harmless at a glance, such as bit[.]ly/Sikkahbord, apped[.]short[.]gy, and downloadapp[.]website/tyup[.]apk. The links are most likely delivered by smishing (SMS phishing): the message steers the victim to what appears to be a government scholarship app but is in fact a malicious APK served as a direct download rather than through an app store.
Malicious Functionality
Once installed, the fake app asks the user to sign in with Google or Facebook credentials and to enter personal details such as name, department, and institution. It then asks for mobile-wallet details: wallet number, PIN, and payment method. After the form is submitted, the victim is shown a message saying a representative will be in touch shortly, which buys the malware time to work unnoticed in the background.
Permissions Abuse
What sets SikkahBot apart is how aggressively it pursues Android permissions. Immediately after installation it prompts the user to grant the Accessibility Service, SMS permissions, call management, and permission to draw over other apps. Together these let the malware read and send SMS, place calls, cover the screen with its own windows, and observe and act on other apps' screens through accessibility events, which is the foundation for everything described below.
Upon activation, the malware displays a counterfeit homepage filled with manipulated images of students reportedly receiving scholarships. This tactic is a part of its social engineering efforts aimed at establishing credibility.
Advanced Data Interception
SikkahBot registers a broadcast receiver for incoming SMS and inspects every message that arrives. It looks for keywords tied to widely used mobile financial services, namely bKash, Nagad, and MYGP, and for the sender numbers associated with those services. Matching messages are forwarded to an attacker-controlled Firebase Realtime Database at update-app-sujon-default-rtdb[.]firebaseio.com.
Exploitation of Banking Credentials
The malware's use of the Accessibility Service is the most worrying part. When it detects that a banking app is in the foreground, it fetches credentials from its server and uses accessibility actions to fill in the login fields itself, so the login completes without any input from the user.
When no banking app is in use, SikkahBot can carry out USSD transactions instead. It receives USSD codes and the SIM slot to use from its command server, dials them, and answers the interactive prompts that follow. Because USSD is carried over the cellular signalling channel rather than a data connection, the transaction itself completes even when the phone has no internet access (only the initial command from the server needs connectivity), which makes this path especially dangerous in low-connectivity areas.
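The permission set, SMS receiver, banking keywords, Firebase host and USSD behaviour described in the Permissions Abuse, Advanced Data Interception and USSD paragraphs above are all visible statically in a decoded APK. The following is an added triage example, written for this page and not code from CRIL or from the article, that scores an unpacked sample against that indicator set. The manifest and string dump it runs on are constructed for illustration (the package names `.SmsReceiver`, `.AccService` and the USSD string `*123*4#` are made up); the network indicators are the defanged values quoted in this article, refanged at match time. In real use you would feed it the `AndroidManifest.xml` produced by `apktool d` and the output of `strings` over the decoded resources and dex.

```python
# Added triage example (not from the article or from CRIL). Manifest and string
# dump below are constructed; indicator values are those quoted in the article.
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
DEFANGED_IOCS = [  # network indicators from the article, refanged at match time
    "bit[.]ly/Sikkahbord",
    "apped[.]short[.]gy",
    "downloadapp[.]website/tyup[.]apk",
    "update-app-sujon-default-rtdb[.]firebaseio.com",
]
BANKING_KEYWORDS = ("bkash", "nagad", "mygp")
USSD_RE = re.compile(r"\*\d{2,6}(?:\*\d{1,12})*#")  # e.g. *123*4# (constructed)
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
CALL_PHONE = "android.permission.CALL_PHONE"

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable string."""
    return ioc.replace("[.]", ".")

def manifest_findings(manifest_xml: str) -> dict:
    """Extract the permission/component combination the article describes."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # A receiver for SMS_RECEIVED is how the malware hooks incoming messages.
    sms_receiver = any(a.get(NS + "name") == SMS_RECEIVED
                       for r in root.iter("receiver") for a in r.iter("action"))
    # Accessibility services are declared via android:permission on the <service>,
    # not as a <uses-permission>, so they must be searched for separately.
    accessibility = any(s.get(NS + "permission") == ACCESSIBILITY_BIND
                        for s in root.iter("service"))
    return {"permissions": perms, "sms_receiver": sms_receiver,
            "accessibility_service": accessibility,
            "overlay": OVERLAY in perms, "call_phone": CALL_PHONE in perms}

def string_findings(blob: str) -> dict:
    """Scan decoded strings/resources for infrastructure, bank names and USSD codes."""
    low = blob.lower()
    return {"iocs": [i for i in DEFANGED_IOCS if refang(i).lower() in low],
            "banking_keywords": [k for k in BANKING_KEYWORDS if k in low],
            "ussd_codes": sorted(set(USSD_RE.findall(blob)))}

def triage(manifest_xml: str, strings_blob: str) -> dict:
    """Combine both views into a verdict with human-readable reasons."""
    m, s = manifest_findings(manifest_xml), string_findings(strings_blob)
    reasons = []
    if m["sms_receiver"] and m["accessibility_service"]:
        reasons.append("SMS receiver combined with an accessibility service")
    if m["overlay"]:
        reasons.append("overlay permission requested")
    if m["call_phone"] and s["ussd_codes"]:
        reasons.append("CALL_PHONE with embedded USSD codes: " + ", ".join(s["ussd_codes"]))
    if s["banking_keywords"] and m["sms_receiver"]:
        reasons.append("mobile-banking keywords next to SMS interception")
    if s["iocs"]:
        reasons.append("known infrastructure: " + ", ".join(s["iocs"]))
    # A known indicator is enough on its own; otherwise require two behavioural signals.
    verdict = "suspicious" if s["iocs"] or len(reasons) >= 2 else "no match"
    return {"verdict": verdict, "reasons": reasons, "manifest": m, "strings": s}

# Constructed manifest mirroring the permission set the article attributes to SikkahBot.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
# Constructed string dump, as produced by apktool/strings on an unpacked sample.
SAMPLE_STRINGS = """https://update-app-sujon-default-rtdb.firebaseio.com/devices.json
Your bKash account|Nagad|sim_slot
*123*4#"""
# Constructed benign manifest for comparison.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, mani, strs in (("sample", SAMPLE_MANIFEST, SAMPLE_STRINGS),
                              ("clean", CLEAN_MANIFEST, "nothing here")):
        result = triage(mani, strs)
        print(label, "->", result["verdict"], result["reasons"])
```

The scoring deliberately treats a single known indicator as sufficient, because infrastructure overlap is the strongest signal here, while behavioural signals need to co-occur: an SMS receiver alone is normal for a messaging app, and an accessibility service alone is normal for assistive tooling, but the two together, plus overlay or call permissions in an app that claims to be a scholarship portal, is the combination the article describes.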
Evasion Techniques and Variants
Despite these capabilities, SikkahBot samples show surprisingly low detection rates on VirusTotal, which CRIL attributes to obfuscation; CRIL has identified more than ten distinct samples so far. Newer builds add more automation and more elaborate command handling.
The combination of phishing tactics, automated banking actions, and offline USSD transactions makes SikkahBot an especially effective weapon for financial fraud targeted at unsuspecting students, according to CRIL’s analysis.
Protective Recommendations
To combat threats like SikkahBot, CRIL emphasizes the need for better mobile security awareness and proactive defensive measures. Here are some vital recommendations for users:
- Install Apps from Trusted Sources: Only download applications from reputable platforms such as the Google Play Store.
- Avoid Suspicious Links: Steer clear of shortened URLs or unfamiliar links received via SMS or social media.
- Limit App Permissions: Do not grant Accessibility or overlay permissions unless the app genuinely needs them; a scholarship or education app has no legitimate reason to ask for either, nor for SMS or call permissions.
- Enable Multi-Factor Authentication (MFA): This adds an extra layer of security for financial applications. Bear in mind that a one-time code delivered by SMS offers little protection against malware that already reads incoming SMS, so prefer an authenticator app or hardware key where the service offers one.
- Use Mobile Security Software: Employ solutions offering real-time threat detection.
- Keep Software Up to Date: Regularly update your Android OS and apps to address known vulnerabilities.
- Report Suspicious Activity: Inform your bank or mobile-wallet provider immediately, change the wallet PIN from a device you trust, and consider a factory reset of the affected phone.
Cyble’s Threat Intelligence Platform continues to track evolving threats like SikkahBot, aiming to provide early detection, infrastructure monitoring, and threat attribution. As digital fraud becomes increasingly sophisticated, maintaining vigilance and practicing good cybersecurity hygiene is crucial.