KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft
Essential information
- Published
- 29/04/2026 11:43
- Modified
- 29/04/2026 10:14
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- android banking trojan credential theft firebase c2 india targeting kycshadow otp theft sms interception vpn manipulation whatsapp distribution
- Tags
- 2026-04-29 android banking trojan credential-theft firebase c2 india targeting kycshadow otp theft sms interception vpn manipulation whatsapp distribution
- Related entities
- 6 indicators, 6 observables, 1 malware, 6 others
Description
An Android malware campaign masquerading as a bank KYC verification application targets users in India through WhatsApp distribution. The threat operates as a multi-stage dropper installing secondary payloads while establishing persistent command-and-control communication. It combines native code obfuscation, Firebase-based remote execution, VPN-based traffic manipulation, and WebView-based phishing to systematically harvest sensitive user data. The infection chain progresses through deceptive update screens, VPN activation, silent APK installation, and extensive permission abuse. The deployed payload enables SMS interception, call control, USSD execution, and structured credential theft through staged phishing interfaces mimicking legitimate banking workflows. Exfiltrated data is encrypted locally and transmitted to jsonapi.biz, while critical configuration values are hidden inside native libraries to hinder detection.