Article

Banking scams sent on WhatsApp

Amit Tambe | Feb 18, 2025 | 4 min read

Scams happen wherever scammers can contact their victims. F‑Secure has detected an ongoing scam targeting individuals in India. However, such scams could target anyone with a smartphone and a bank account, regardless of where they live.

This scam is pulled off with WhatsApp direct messages that encourage targeted users to download malicious Android installation files. The messages claim to originate from well-known banks, such as Axis, ICICI, or SBI.

A screenshot of a WhatsApp chat with a scammer pretending to represent Axis Bank.

Figure 1. A scam message appealing to urgency (from a LinkedIn post).

A screenshot of another WhatsApp chat with a scammer pretending to represent “axis bank”.

Figure 2. Another scam message appealing to urgency (acquired by F‑Secure).

The scam starts with the victim receiving a message on WhatsApp that attempts to invoke a sense of urgency. The message typically intends to scare the victim by suggesting their bank account is blocked or about to be closed. The scammers try to trick their target into installing an accompanying APK file. This, they claim, is to update the user’s mandatory details.

APK is the standard package format used to install apps on the Android operating system. However, in this case, the file is infected with malware. The attacker hopes that by using these manipulation tricks, the victim will install the infected APK attachment and allow the malware to take over.

How does malware work?

So, what happens once the victim clicks on the malicious file? We at F‑Secure obtained a WhatsApp message from one of our sources (shown in Figure 2). We analyzed the APK attached to this message and found out the following:

After installation, the fake banking app asks the user for permission to read and send text messages (Figure 3). This may seem harmless, but it is important for the malware to work. We will explain later why the scammers need their victims to grant this permission.

A screenshot of the fake Axis Bank app requesting permission to send and view SMS messages.

Figure 3. SMS permissions requested by malware.

Once this permission is granted, the app proceeds through a series of activities (screens) that each ask for different personal information from the victim (Figure 4). The personal information includes the victim’s mobile number, personal account number, date of birth, debit card details, and so on.

Three screenshots of the Axis Bank scam app collecting the user’s personal information.

Figure 4. Series of screenshots related to extracting the victim’s personal information.

Once the victim submits all this information, a fake “success” message (Figure 5) appears. The message claims that the required data has been submitted. In reality, no updates are sent to the bank.

A screenshot of the fake Axis Bank app showing a big checkmark and “Success” in green.

Figure 5. Fake “success” message.

A screenshot of the fake Axis Bank app displaying a poorly written “Important Note” to not delete nor uninstall the app.

Figure 6. Alternative “success” message advising against uninstallation.

In other similar malware samples that we analyzed, the final screen shows a “success” message but also displays text advising the user against uninstalling the app. This is because the “bank details update” app is not available in the Play Store (Figure 6).

What really happens in the background?

All of this might seem normal to an unsuspecting target, but in reality, the malicious app is busy accessing the victim’s account without permission. Here is how this banking scam compromises the victim’s valuable information and bank account behind the scenes:

Data stealing

As we saw above, the dummy bank application pretends to get details from the victim and claims to update their account in the bank. In reality, the malicious app collects the victim’s data without them knowing. The details submitted by the victim are exfiltrated either to a cloud database or a server controlled by the attacker.

A screenshot of the application code, with lines relevant to form completion highlighted in yellow.

Figure 7. Personal user data being uploaded to cloud.

Bypassing multifactor authentication

The primary goal of the malware is to steal the victim’s bank credentials. Once the scammers get hold of the information they need, they can use it to take over the victim’s account. However, the attacker first needs to log in to the victim’s bank account.

When the user has set up two-factor authentication, the bank app sends a one-time password (OTP) to the user’s phone when logging in. This means that just stealing the victim’s login details isn’t enough for the scammer—they also need the OTP sent by the bank to gain access.

To get the one-time password, scammers must trick the victim into granting special permissions. This is where the previously acquired “send and receive SMS” permissions (Figure 3) come into play.

Once the victim’s phone receives the OTP text message, the malware detects it automatically. It then forwards the OTP to the scammer’s phone number, allowing them to bypass two-factor authentication and access the account.

A screenshot of the application code that handles the bypassing of multi-factor authentication.

Figure 8. Forwarding all SMS messages to the attacker.
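The two sections above (data stealing and OTP interception) describe a pattern that is visible statically before the app ever runs: an “account update” app that asks for RECEIVE_SMS / READ_SMS together with SEND_SMS, registers a receiver for incoming SMS broadcasts, and also has network access. The script below is an added example, not F‑Secure’s tooling and not code from the sample, that triages a decoded AndroidManifest.xml (as produced by tools such as apktool) for exactly that combination. The two manifests embedded in it are constructed for illustration; the package names and class names are invented. Legitimate messaging apps request the same permissions, so the output is a triage signal to prioritise analysis, not a verdict.

```python
"""Static triage of a decoded AndroidManifest.xml for the SMS-interception
pattern described above (added example; manifests below are constructed)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name becomes a namespaced attribute

SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_SEND_PERM = "android.permission.SEND_SMS"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
# Only the device's default SMS app handles SMS_DELIVER; a receiver for it
# indicates a genuine messaging app rather than a "bank details" form app.
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"


def analyze_manifest(xml_text: str) -> dict:
    """Return the package name, declared permissions and triage findings."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")} - {None}
    actions = {a.get(NAME_ATTR) for a in root.iter("action")} - {None}

    reads_sms = bool(perms & SMS_READ_PERMS)
    sends_sms = SMS_SEND_PERM in perms
    has_sms_receiver = SMS_RECEIVED_ACTION in actions
    is_messaging_app = SMS_DELIVER_ACTION in actions

    findings = []
    if reads_sms and has_sms_receiver:
        findings.append("receiver for incoming SMS: can observe OTP messages")
    if reads_sms and sends_sms and not is_messaging_app:
        findings.append("reads and sends SMS without being a messaging app: OTP-forwarding pattern")
    if reads_sms and "android.permission.INTERNET" in perms:
        findings.append("SMS access plus network access: possible exfiltration channel")

    return {
        "package": root.get("package"),
        "permissions": sorted(perms),
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed manifest mirroring the permission set described in the article.
FAKE_BANK_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Bank Update">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: network access, no SMS permissions.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (FAKE_BANK_MANIFEST, BENIGN_MANIFEST):
        result = analyze_manifest(manifest)
        print(result["package"], "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

The SMS_DELIVER check is what keeps a real SMS client from tripping the OTP-forwarding rule; an app that wants to read one-time codes but is not the default messaging app is the shape both this scam and the Play Store’s own SMS permission policy single out, and a sideloaded APK delivered over WhatsApp is not subject to that policy review.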

Conclusion: Look out for online banking scams

Although this scam currently targets banks in India, similar tactics can be used anywhere — and not just in banking. Scammers can impersonate other trusted services, too.

WhatsApp has a vast user base, which allows potential scammers to reach victims across the world. We advise strong caution when clicking unknown links or attachments, especially if you receive them via WhatsApp.

Staying alert and knowing the signs of fraud can help keep your money and data safe.
