{
  "Event": {
    "analysis": "1",
    "date": "2026-04-24",
    "extends_uuid": "",
    "info": "[Threat Intel] KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft",
    "protected": false,
    "publish_timestamp": "1779545766",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545765",
    "uuid": "ce489644-fa77-40c5-898b-70a1be4662c5",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#f9b12b",
        "local": false,
        "name": "misp-galaxy:producer=\"Cyfirma\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#013748",
        "local": false,
        "name": "misp-galaxy:target-information=\"India\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"01031d3f-c9c9-4288-bb58-234c38e4246e\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#31373d",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"not-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#170059",
        "local": false,
        "name": "rectifyq:topic=\"mobile-attack\"",
        "relationship_type": ""
      },
      {
        "colour": "#5f0077",
        "local": false,
        "name": "ms-caro-malware:malware-platform=\"AndroidOS\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1437\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Call Control - T1616\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Call Log - T1636.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Clipboard Data - T1414\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1521\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1646\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Foreground Persistence - T1541\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hide Artifacts - T1628\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1406\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1660\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"SMS Messages - T1636.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task/Job - T1603\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Discovery - T1418\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1426\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1422\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Evasion - T1628.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1437.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1481\"",
        "relationship_type": ""
      },
      {
        "colour": "#3500ca",
        "local": false,
        "name": "rectifyq:detection-rules=\"yara-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460420",
        "to_ids": false,
        "type": "link",
        "uuid": "7e61de8d-e636-4a6b-9a1e-80616490e386",
        "value": "https://www.cyfirma.com/research/kycshadow-an-android-banking-malware-exploiting-fake-kyc-workflows-for-credential-and-otp-theft/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460420",
        "to_ids": false,
        "type": "text",
        "uuid": "d9011afa-5fe6-4f10-bb26-66bc0670b400",
        "value": "An Android malware campaign masquerading as a bank KYC verification application targets users in India through WhatsApp distribution. The threat operates as a multi-stage dropper installing secondary payloads while establishing persistent command-and-control communication. It combines native code obfuscation, Firebase-based remote execution, VPN-based traffic manipulation, and WebView-based phishing to systematically harvest sensitive user data. The infection chain progresses through deceptive update screens, VPN activation, silent APK installation, and extensive permission abuse. The deployed payload enables SMS interception, call control, USSD execution, and structured credential theft through staged phishing interfaces mimicking legitimate banking workflows. Exfiltrated data is encrypted locally and transmitted to jsonapi.biz (the related domains jsonserv.biz and jsonserv.xyz are also carried as C2 indicators in this event and in the linked YARA rule), while critical configuration values are hidden inside native libraries to hinder detection."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777460420",
        "to_ids": false,
        "type": "text",
        "uuid": "173db81e-0b76-4876-9731-170d53651f9a",
        "value": "Name: KYCShadow: An Android Banking Malware Exploiting Fake KYC Workflows for Credential and OTP Theft\nAuthor: AlienVault\nAdversary: \nTags: [\"india targeting\", \"android banking trojan\", \"otp theft\", \"vpn manipulation\", \"kycshadow\", \"whatsapp distribution\", \"firebase c2\", \"credential theft\", \"sms interception\"]\nTgtd countries: [\"British Indian Ocean Territory\", \"India\"]\nNote: \"British Indian Ocean Territory\" is likely an automated geo-tagging artifact of the pulse import; the report title, tags and the target-information galaxy tag in this event reference India only.\nMlwr families: [\"KYCShadow\"]\nAttack_ids: []\nIndustries: [\"Finance\"]"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688547",
        "to_ids": true,
        "type": "domain",
        "uuid": "c08d44ee-6ea5-4a4e-a512-16cd1337efa2",
        "value": "jsonserv.biz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688568",
        "to_ids": true,
        "type": "domain",
        "uuid": "ce1b7ee2-0d25-4674-89de-8a0931e12da3",
        "value": "jsonserv.xyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688589",
        "to_ids": true,
        "type": "domain",
        "uuid": "bb970bc1-82bf-4c79-be95-1652d8751daa",
        "value": "jsonapi.biz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 2026-05-02",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545763",
        "to_ids": true,
        "type": "sha256",
        "uuid": "3e25f8d4-7af1-4f6d-95a2-6a4679c42f95",
        "value": "1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777688610",
        "to_ids": true,
        "type": "url",
        "uuid": "07f0dfa6-fdda-4dff-9330-077d706f74a6",
        "value": "https://jsonapi.biz",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 2026-05-02",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545765",
        "to_ids": true,
        "type": "sha1",
        "uuid": "55503d23-23bb-4a1a-95f3-b36427b19c54",
        "value": "10bd31f7d0e47f8c24f58cac962036d342d57057",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
        "meta-category": "misc",
        "name": "yara",
        "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
        "template_version": "7",
        "timestamp": "1777685884",
        "uuid": "99700806-b809-4b40-98f7-03eb701aa59d",
        "Attribute": [
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara-rule-name",
            "timestamp": "1777685884",
            "to_ids": false,
            "type": "text",
            "uuid": "b7c95753-e644-4661-ab6b-ad023e1968a0",
            "value": "KYCShadow_APK_Detection"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "comment",
            "timestamp": "1777685884",
            "to_ids": false,
            "type": "comment",
            "uuid": "48587763-9726-45d4-856e-fb951d920d3b",
            "value": "Detects KYCShadow and related Android payloads with linked C2 infrastructure"
          },
          {
            "category": "Payload installation",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "yara",
            "timestamp": "1777685884",
            "to_ids": true,
            "type": "yara",
            "uuid": "9d70199a-24db-4709-b17d-c6a2cfd0549e",
            "value": "import \"hash\"\r\nrule KYCShadow_APK_Detection\r\n{\r\nmeta:\r\ndescription = \"Detects KYCShadow and related Android payloads with linked C2 infrastructure\"\r\ncategory = \"malware\"\r\nthreat = \"Android Dropper\"\r\nauthor = \"Cyfirma Research\"\r\ndate = \"2026-04-08\"\r\nstrings:\r\n$c2_domain1 = \"jsonapi.biz\"\r\n$c2_domain2 = \"jsonserv.biz\"\r\n$c2_domain3 = \"jsonserv.xyz\"\r\ncondition:\r\n// 0x04034B50 is the ZIP local file header signature; APK files are ZIP archives\r\nuint32(0) == 0x04034B50 and\r\nany of ($c2_domain*) and\r\n// NOTE(review): because the hash clause is AND-ed in, this rule only fires on the two\r\n// SHA-256 values below; the $c2_domain strings add no coverage beyond those samples.\r\n(\r\nhash.sha256(0, filesize) == \"34479b18597f1a0deb5d55b8450bc21af1d1f638c4ceca1ee19e6f5ac89d6be2\" or\r\nhash.sha256(0, filesize) == \"1d261b45e73b5b712becb12ed182ec89d3dd0d73143a2dd8ff5512da489a50eb\"\r\n)\r\n}"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545761",
        "uuid": "4a4c9781-39b8-4d0a-8900-d354e2352361",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545760",
            "to_ids": true,
            "type": "md5",
            "uuid": "c5a38370-0607-46eb-9d4d-db341376d32c",
            "value": "3da35272ad6d280d3388d57bdbf61b9c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545760",
            "to_ids": true,
            "type": "sha1",
            "uuid": "8dfeca38-1e16-47bf-9a60-64b4b63dbda6",
            "value": "0a467a2c936734affc8d796a4e468543b9d182e7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545761",
            "to_ids": true,
            "type": "sha256",
            "uuid": "dd379c69-f72f-4920-8ad0-cd54f542ece9",
            "value": "34479b18597f1a0deb5d55b8450bc21af1d1f638c4ceca1ee19e6f5ac89d6be2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777687266",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "5973bddb-c79a-4f5a-8a2e-7e087ed5d083",
            "value": "98304:SOXVhwYIPSdjVm/Z50jIrbVVnCmVD/FIXG31CvrjC2gsOjBDDWtXWhMIzV6Hf19h:zVhPIPS/G5VFVLVD/MTjC2gskDD7MIz0"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777687266",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "fa3da793-183f-437b-b355-6707cb6a5801",
            "value": "5762792"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777687266",
            "to_ids": true,
            "type": "vhash",
            "uuid": "a8898afa-3432-4591-bbed-137b459f9ce6",
            "value": "5c48f9e297754bdbc5462386c2bc8b4f"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777687266",
            "to_ids": true,
            "type": "filename",
            "uuid": "9a9bab10-89d2-4a5b-9fb0-6cb89bc56914",
            "value": "BOI E KYC.apk"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-05-02\nLast-scan: 2026-05-01",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777687266",
            "to_ids": false,
            "type": "text",
            "uuid": "19d8eebd-dbd0-482d-af2b-1c3bdc48a34d",
            "value": "Type Description: Android\nMicrosoft: None\nVT Total Detection:24/68\nFirst Submission:2026-04-03T11:04:36.000000+00:00\nLast Submission:2026-04-03T11:04:36.000000+00:00"
          }
        ]
      }
    ]
  }
}