Introduction:
A new Android banking trojan dubbed KYCShadow is actively targeting financial customers across India by weaponizing a routine verification process: Know Your Customer (KYC). Distributed via seemingly legitimate WhatsApp messages, this multi-stage malware masquerades as an official banking compliance app, only to silently harvest ATM PINs, Aadhaar numbers, card details, and intercept SMS-based OTPs in real time, effectively nullifying two-factor authentication and handing attackers full remote control over compromised devices.
Learning Objectives:
- Understand the complete infection chain of the KYCShadow banking trojan, including its two-stage dropper mechanism, XOR‑based decryption, and Firebase Cloud Messaging (FCM) command‑and‑control (C2) channel.
- Learn technical detection methods for identifying Indicators of Compromise (IoCs) on Android devices using static analysis, network monitoring, and mobile EDR tools.
- Acquire practical skills for analyzing malicious APKs with open‑source tools (jadx, apktool, grep) and implementing system‑level hardening measures on both user and enterprise devices.
You Should Know
- Technical Deep Dive: The Two‑Stage Dropper Mechanism of KYCShadow
KYCShadow’s most insidious feature is its two‑stage infection chain, designed to bypass initial security checks and evade detection by traditional antivirus solutions. The malware begins as a “dropper”—a seemingly harmless APK received via WhatsApp that presents a deceptive “Update Required” screen with a single button labeled Install Update, crafted to resemble a standard system prompt.
Once the victim taps the button, the dropper requests VPN permissions and prompts the user to allow installation from unknown sources. After both approvals are granted, the dropper activates a sophisticated XOR‑based decryption algorithm that is cryptographically tied to its own package name. This means the decryption logic cannot be extracted without knowing both the exact package name and the key, making static analysis extremely difficult for researchers.
The decrypted secondary payload (package name `com.am5maw3.android` or similar) is written to temporary internal storage and installed silently via Android’s `PackageInstaller` API with no further user interaction. Immediately after installation, the secondary payload suppresses its own launcher icon and registers with Firebase Cloud Messaging (FCM), establishing a persistent, push‑based remote command channel for the attacker.
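As an added illustration (not the dropper's own code), here is how an analyst might test a candidate XOR scheme against a blob pulled from the dropper's assets: derive the key from the package name, XOR the blob, and check whether a valid ZIP/APK emerges. The key derivation (UTF-8 bytes of the package name, repeated) and the sample blob are assumptions constructed for the demo; the real dropper's derivation has to be recovered from the decompiled code.

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"  # local file header that opens every ZIP/APK


def xor_with_key(data, key):
    """XOR data with a repeating key (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def try_unpack(blob, package_name):
    """Assumed scheme: key = UTF-8 bytes of the package name.
    Returns the entry names of the decoded archive if a valid ZIP results,
    otherwise None (wrong key, or the real scheme differs)."""
    decoded = xor_with_key(blob, package_name.encode("utf-8"))
    if decoded[:4] != ZIP_MAGIC:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(decoded)) as z:
            return z.namelist()
    except (zipfile.BadZipFile, ValueError):
        return None


def build_sample_blob(package_name):
    """Constructed stand-in for the encrypted asset: a minimal APK-like ZIP
    XOR-ed with the package-name key (sample data, not a real payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    return xor_with_key(buf.getvalue(), package_name.encode("utf-8"))


if __name__ == "__main__":
    blob = build_sample_blob("com.example.dropper")
    print(try_unpack(blob, "com.example.dropper"))  # entry names of the inner APK
    print(try_unpack(blob, "org.example.other"))    # None: wrong package name
```

If a real sample does not decode this way, the check still tells you something: the key is not simply the package name, and the jadx output of the dropper's decrypt routine is the next place to look.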
Step‑by‑step guide: Analyzing the KYCShadow APK safely using static analysis tools
To analyze this type of malware, set up a Linux environment or Windows Subsystem for Linux (WSL) and follow these steps:
1. Install required tools:
```bash
# On Linux or WSL
sudo apt update && sudo apt install jadx apktool
# Python is also required for additional scripting
sudo apt install python3 python3-pip
```
2. Decompile the suspicious APK with jadx:
```bash
# Decompile to Java source code
jadx -d output_dir /path/to/kycshadow_dropper.apk
```
This creates a folder `output_dir` containing the decompiled Java source code. Examine `AndroidManifest.xml` for dangerous permissions (RECEIVE_SMS, READ_SMS, INTERNET, BIND_VPN_SERVICE) and look for the main malicious classes.
3. Extract resources with apktool:
```bash
apktool d /path/to/kycshadow_dropper.apk -o apktool_output
```
Check for suspicious entries in the manifest, such as services that run in the background or receivers for `BOOT_COMPLETED`, which would start the malware on device restart.
4. Search for encoded payloads in assets or res/raw:
```bash
# Recursively search for long base64 strings (potential embedded payload);
# -E is needed for the {100,} repetition
grep -rnE "[A-Za-z0-9+/]{100,}" output_dir/
```
Long base64 strings in the code could indicate an embedded encrypted payload.
5. Look for hardcoded C2 domains and IPs:
```bash
# Extract all URLs from decompiled code
grep -rEo '(http|https)://[a-zA-Z0-9./?=_-]+' output_dir/
```
KYCShadow was found exfiltrating data to jsonapi[.]biz, jsonserv[.]biz, and jsonserv[.]xyz. Any such domains should be treated as IoCs.
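To make the manifest review in step 2 repeatable, here is an added triage script (not from the post or the Cyfirma report) that reads an apktool-decoded AndroidManifest.xml and reports the indicators the guide asks you to check by eye: SMS permissions, a VpnService (a service guarded by BIND_VPN_SERVICE, since that permission is declared on the service rather than requested), BOOT_COMPLETED receivers, and the absence of a launcher activity, which is consistent with the hidden-icon behaviour described above. The sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
VPN_PERMISSION = "android.permission.BIND_VPN_SERVICE"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
LAUNCHER = "android.intent.category.LAUNCHER"


def triage_manifest(xml_text):
    """Summarise the manifest indicators a reviewer should look at first."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    findings = {
        "package": root.get("package"),
        "sms_permissions": sorted(
            p.get(ANDROID + "name") for p in root.iter("uses-permission")
            if p.get(ANDROID + "name") in SMS_PERMISSIONS),
        "vpn_services": [], "boot_receivers": [], "has_launcher": False,
    }
    if app is None:
        return findings
    for svc in app.iter("service"):  # VpnService is identified by its guard permission
        if svc.get(ANDROID + "permission") == VPN_PERMISSION:
            findings["vpn_services"].append(svc.get(ANDROID + "name"))
    for rcv in app.iter("receiver"):  # persistence across reboot
        if any(a.get(ANDROID + "name") == BOOT_ACTION for a in rcv.iter("action")):
            findings["boot_receivers"].append(rcv.get(ANDROID + "name"))
    findings["has_launcher"] = any(  # no LAUNCHER activity => no visible icon
        c.get(ANDROID + "name") == LAUNCHER
        for act in app.iter("activity") for c in act.iter("category"))
    return findings


# Constructed sample (not a real KYCShadow manifest): SMS access, a VpnService,
# a boot receiver and no launcher activity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kycsample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Banking KYC">
    <service android:name=".TunnelService" android:permission="android.permission.BIND_VPN_SERVICE"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```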
- Native Code Obfuscation and C2 Hiding in libnative‑lib.so
To further complicate analysis, KYCShadow embeds critical infrastructure details, including C2 endpoints, encryption keys, and agent identifiers, inside a native library (libnative-lib.so). This reduces visibility for static analysis tools and increases reverse engineering complexity.
Key artifacts stored in the native library:
- C2 endpoint: `https://jsonapi[.]biz`
- Agent ID: `XGEKKWB3`
- Encryption key: returned by a native function at runtime rather than stored as a plaintext string
The malware also deploys a full‑tunnel VPN service (routing traffic through 10.0.0.2) that routes all device traffic through an attacker‑controlled layer. This gives the threat actor the ability to monitor, filter, or block outbound connections to security services, reducing the device’s capacity to detect or report the infection.
Step‑by‑step guide: Hunting for native library IoCs using strings and binary analysis
1. Extract the native library from the APK:
```bash
# Unzip the APK
unzip kycshadow_dropper.apk -d apk_extracted/
# Locate the native library (typically under lib/armeabi-v7a/ or lib/arm64-v8a/)
find apk_extracted/ -name "*.so"
```
2. Use `strings` to extract plaintext strings from the `.so` file:
```bash
strings libnative-lib.so | grep -E "http|https|biz|api|key|agent"
```
3. Use `hexdump` and `grep` to search for hex patterns:
```bash
# Search for the known Agent ID. hexdump -C wraps every 16 bytes, so a string
# that straddles two lines will not match here; the strings pass in step 2 is
# the reliable check, this is for locating the byte offset.
hexdump -C libnative-lib.so | grep -i "XGEKKWB3"
```
4. Dynamic analysis with Frida (on a test device):
```javascript
// Hook the native function that returns the encryption key.
// Function offsets would be determined via reverse engineering.
Java.perform(function () {
  var nativeLib = Module.findBaseAddress("libnative-lib.so");
  console.log("Native library base:", nativeLib);
});
```
Real‑Time SMS Interception and OTP Theft: Bypassing 2FA
The true power of KYCShadow lies in its ability to neutralize multi‑factor authentication (MFA). By obtaining permissions to read and intercept SMS messages, the malware can silently capture one‑time passwords (OTPs) as soon as they are delivered, forwarding them to the attacker in real time. This renders SMS‑based 2FA completely useless.
Supported C2 commands (issued via FCM) include:
- Real‑time SMS interception: Capture incoming OTP messages before the user sees them
- Bulk inbox extraction: Upload entire SMS history to the attacker’s server
- Remote call placement: Initiate phone calls without user input (e.g., to premium numbers or to authorize fraudulent transactions)
- USSD‑based call forwarding: Redirect incoming calls or manipulate carrier settings
Step‑by‑step guide: Monitoring SMS interception on Android using logcat and adb
For security researchers and incident responders, detecting active SMS interception requires real‑time monitoring:
1. Enable USB debugging on a test Android device and connect via ADB:
```bash
adb devices
```
2. Stream logcat and filter for SMS‑related events:
```bash
# Watch for incoming SMS broadcasts
adb logcat | grep -E "SMS|Message|Received"
# Monitor for unauthorized SMS reading attempts (-E so the | alternation works)
adb logcat | grep -iE "READ_SMS|content://sms"
```
3. Check for applications with SMS permissions using ADB:
```bash
# List all installed packages
adb shell pm list packages
# Check a specific package's permissions; look for granted=true next to SMS and VPN entries
adb shell dumpsys package com.am5maw3.android | grep -iE "sms|vpn"
```
4. Simulate an OTP delivery and monitor logcat for interception:
```bash
# Send an SMS to the test device from another phone.
# While monitoring, look for "intercept" or "forward" functions in logcat
adb logcat | grep -E "kycshadow|onReceive|forward"
```
Mitigation Strategies for SOCs and Enterprises: Network‑Level IoC Blocking
For organizations and financial institutions, the primary defense against KYCShadow is proactive IoC blocking and mobile threat detection. According to the Cyfirma report, the following IoCs have been identified:
| Type | Indicator |
|------|-----------|
| C2 Domains | `jsonapi[.]biz`, `jsonserv[.]biz`, `jsonserv[.]xyz` |
| Malicious Package | `com.am5maw3.android` |
| VPN Tunnel IP | `10.0.0.2` (attacker‑controlled) |
| Agent ID | `XGEKKWB3` |
| Native Library | `libnative-lib.so` |
Step‑by‑step guide: Blocking KYCShadow IoCs at the network and endpoint level
1. Firewall blocking (using iptables on a Linux gateway):
```bash
# Block outbound traffic to malicious domains.
# Caveat: iptables resolves a hostname once, when the rule is added, so the rule
# goes stale if the C2 domain moves to a new IP; pair it with DNS sinkholing (step 2).
sudo iptables -A OUTPUT -d jsonapi.biz -j DROP
sudo iptables -A OUTPUT -d jsonserv.biz -j DROP
sudo iptables -A OUTPUT -d jsonserv.xyz -j DROP
# Save rules (Ubuntu/Debian); the redirect has to run as root as well
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
```
2. DNS sinkholing (using /etc/hosts on Windows/Linux):
```bash
# Redirect malicious domains to localhost
echo "127.0.0.1 jsonapi.biz jsonserv.biz jsonserv.xyz" | sudo tee -a /etc/hosts
```
On Windows, edit `C:\Windows\System32\drivers\etc\hosts` as Administrator and add the same line.
3. Windows Firewall rule using PowerShell (Admin):
```powershell
# Block outbound connections to specific IPs (resolve the domains first, e.g. with Resolve-DnsName or ping)
# Note: replace 1.2.3.4 with the actual resolved IPs
New-NetFirewallRule -DisplayName "Block KYCShadow C2" -Direction Outbound -RemoteAddress 1.2.3.4 -Action Block
```
4. Deploy mobile EDR policies:
- Block installation of apps from unknown sources via MDM (Mobile Device Management)
- Monitor for the presence of package `com.am5maw3.android` and trigger auto‑removal
- Detect and block VPN services initiated by non‑standard apps
- Advanced Evasion: Bypassing Two‑Factor Authentication and API Abuse
KYCShadow not only intercepts SMS OTPs but also uses WebView‑based phishing to harvest structured financial data. The malware embeds a Next.js frontend inside a Capacitor WebView, mimicking legitimate banking branding under the guise of a “Banking KYC” application. The multi‑stage credential harvesting collects:
1. Mobile number and ATM PIN
2. Aadhaar number and date of birth
3. Card details including number, expiry, and CVV
This combination of SMS interception and credential phishing allows attackers to bypass both possession‑based (SMS OTP) and knowledge‑based (PINs) authentication factors.
Step‑by‑step guide: Hardening Android devices against phishing and overlay attacks
1. Disable “Install unknown apps” for all apps:
- Navigate to Settings > Security > Install unknown apps
- Ensure that no app (especially your browser or WhatsApp) has this permission enabled
2. Check for Device Admin apps:
- Go to Settings > Security > Device admin apps
- If you see any unfamiliar apps listed, deactivate them immediately. This is a common persistence mechanism banking trojans use to prevent uninstallation
3. Review Accessibility Services:
- Navigate to Settings > Accessibility > Installed services
- If you notice any app with accessibility access that you didn’t grant, disable it right away. Malware exploits this to perform overlay attacks and capture keystrokes
4. Monitor VPN and Network Activity:
- Use a reliable network monitor from the Play Store to check for unexpected active VPN connections
- A legitimate firewall app can help you block suspicious outbound connections
5. Use Chrome’s Enhanced Safe Browsing:
- Chrome Settings > Privacy and Security > Safe Browsing > Enhanced Protection. This protects against dangerous websites, downloads, and extensions
- Securing WhatsApp as a Malware Delivery Platform
WhatsApp has become a premier vector for malware distribution due to its immense popularity and the inherent trust users place in their contacts. The KYCShadow campaign is not an isolated incident; it is part of a larger trend. In Brazil, the “Water Saci” campaign has been using WhatsApp Web to spread banking trojans disguised as invoices and receipts, hijacking victims’ WhatsApp Web sessions to automatically forward malicious files to all contacts and groups.
Step‑by‑step guide: Hardening WhatsApp against malware distribution
1. Adjust privacy settings:
- WhatsApp Settings > Account > Privacy
- Set “Last seen and online,” “Profile photo,” and “About” to “My Contacts” or “Nobody” to limit information exposed to potential attackers
2. Disable media auto‑download:
- Navigate to Settings > Storage and Data
- Under “Media auto‑download,” disable the option for “When using mobile data,” “When connected on Wi‑Fi,” and “When roaming.” This prevents malicious files from being saved without your review
3. Enable Two‑Step Verification:
- In Settings > Account > Two‑step verification, enable this feature and set a PIN. This adds an extra layer of security to your account, making it harder for attackers to take over if they compromise your SIM
4. Verify suspicious links with VirusTotal:
- Copy any shortened or suspicious link and paste it into `https://www.virustotal.com` for scanning
- The URL scanner checks the link against more than 70 security vendors; treat any detection as a reason not to open it
- Data Exfiltration Analysis and API Security
All harvested data is encrypted locally and transmitted to the remote backend hosted at `https://jsonapi[.]biz`. The malware uses a structured API format to exfiltrate sensitive information. Security teams should monitor for API traffic patterns that match these indicators.
Step‑by‑step guide: Capturing and analyzing malware exfiltration traffic
1. Set up a MITM proxy on a test network (Burp Suite or mitmproxy):
```bash
# Install mitmproxy
pip install mitmproxy
# Listen on port 8080 and write every flow to a file for later analysis
mitmdump -p 8080 -w traffic_output.flow
```
2. Configure the test Android device to use the proxy: Settings > Network > Proxy > Manual > enter your PC’s IP and port 8080.
3. Install the mitmproxy CA certificate on the Android device to intercept HTTPS traffic.
4. Monitor API endpoints used by the malware:
```bash
# Live capture of exfiltration attempts using tcpdump
sudo tcpdump -i eth0 -A -s 0 'host jsonapi.biz or host jsonserv.biz'
```
5. Analyze captured JSON payloads for sensitive data patterns. Expected exfiltration structure (example):
```json
{
  "agent_id": "XGEKKWB3",
  "phone_number": "...",
  "atm_pin": "...",
  "aadhaar": "...",
  "card_details": {...}
}
```
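As an added detection example (not part of the report), the function below applies the IoC table above and the exfiltration schema to records you would pull from the mitmproxy flow file or a parsed tcpdump capture: a hit on a C2 domain, a known agent ID, or two or more of the harvested-field keys appearing together is reported. The records, the non-IoC hostnames and the `scan` helper are constructed for this demo.

```python
import json

# Indicators from the report's IoC table (un-defanged for matching).
C2_DOMAINS = {"jsonapi.biz", "jsonserv.biz", "jsonserv.xyz"}
KNOWN_AGENT_IDS = {"XGEKKWB3"}
# Keys of the structured harvest; two or more together is a strong signal
# even when the destination host is not yet a known IoC.
HARVEST_KEYS = {"atm_pin", "aadhaar", "card_details", "phone_number"}


def classify_record(record):
    """record: {"host": str, "body": str}. Returns the list of reasons it is
    suspicious; an empty list means nothing matched."""
    reasons = []
    host = record.get("host", "").lower().rstrip(".")
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        reasons.append("ioc_domain:" + host)
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return reasons  # non-JSON body: the domain match is all we can say
    if isinstance(body, dict):
        if body.get("agent_id") in KNOWN_AGENT_IDS:
            reasons.append("known_agent_id")
        hits = HARVEST_KEYS & set(body)
        if len(hits) >= 2:
            reasons.append("harvest_schema:" + ",".join(sorted(hits)))
    return reasons


def scan(records):
    """Map record index -> reasons, for the records that triggered anything."""
    out = {}
    for i, rec in enumerate(records):
        reasons = classify_record(rec)
        if reasons:
            out[i] = reasons
    return out


# Constructed sample records (not real captures).
SAMPLE_RECORDS = [
    {"host": "jsonapi.biz", "body": '{"agent_id": "XGEKKWB3", "phone_number": "9XXXXXXXXX",'
     ' "atm_pin": "1234", "aadhaar": "XXXXXXXXXXXX", "card_details": {"cvv": "123"}}'},
    {"host": "api.example-bank.test", "body": '{"session": "abc", "phone_number": "9XXXXXXXXX"}'},
    {"host": "cdn.jsonserv.xyz", "body": "not json"},
    {"host": "unknown-host.test", "body": '{"atm_pin": "1", "card_details": {}}'},
]
```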
What Undercode Say
- Key Takeaway 1: KYCShadow represents a paradigm shift in Android banking malware: using legitimate platforms (Firebase Cloud Messaging, WhatsApp) as attack infrastructure makes detection significantly harder. Traditional signature‑based AV will fail against polymorphic, package‑name‑tied XOR decryption.
- Key Takeaway 2: SMS‑based 2FA is no longer a reliable security control. Any organization still relying on SMS OTPs for high‑value transactions must migrate to phishing‑resistant authenticators (FIDO2, WebAuthn, or app‑based TOTP with secure storage) immediately.
The sophistication of KYCShadow highlights how threat actors are increasingly combining social engineering (fake KYC workflows), technical evasion (native code obfuscation, staged droppers), and platform abuse (Firebase C2, WhatsApp delivery). The use of a full‑tunnel VPN to block security updates is particularly alarming—it transforms the compromised device into a “silent sensor” that cannot phone home to security vendors. For enterprises, this means mobile EDR solutions must operate at the kernel level to detect VPN redirection.
Prediction
KYCShadow is the vanguard of a coming wave of AI‑enhanced mobile banking malware. Within the next 12–18 months, we will see attackers integrate large language models (LLMs) to generate personalized, context‑aware phishing messages at scale, dynamically adapt WebView phishing pages to match individual bank interfaces in real time, and automate the exfiltration pipeline using AI‑driven credential validation. The fight against mobile malware will shift from reactive IoC blocking to predictive behavioral analysis, where machine learning models trained on device sensor data (accelerometer, touch patterns, network flow) will be the only effective defense against zero‑day droppers. Organizations that delay adopting hardware‑based authenticators and kernel‑level mobile EDR will face an unacceptably high risk of account takeover.
Reported By: Tushar Subhra – Hackers Feeds